Why HIPAA Business Associates Should Provide HIPAA Training for their Entire Staff

In any organization that qualifies as a HIPAA Business Associate, every member of the workforce is part of the environment in which protected health information (PHI) is created, received, maintained, or transmitted. Even when an individual does not believe they “handle PHI,” their actions, access, and decisions can directly or indirectly affect the privacy and security of that information. For that reason, providing HIPAA training to only a narrow group of employees is not sufficient. To fully manage risk, protect patient privacy, and uphold contractual obligations, HIPAA training should extend to all staff in a Business Associate organization.

Business Associates Have an Organization-Wide Set of Obligations

Under HIPAA, a Business Associate is any organization or individual that performs certain services for or on behalf of a HIPAA-Covered Entity when those services involve the use or disclosure of PHI. Once a company meets that definition, it assumes an organization-wide set of obligations. It is not just specific departments or job titles that become regulated; the company as a whole is bound by HIPAA’s requirements and by the terms of its Business Associate Agreements.

Business Associate Agreements typically require the organization to safeguard PHI, restrict uses and disclosures to permitted purposes, report incidents and breaches, and cooperate with the HIPAA-Covered Entity’s obligations to patients. These commitments cannot be fulfilled solely by a privacy officer, an IT team, or a handful of “PHI-facing” staff. They depend on the behavior of the entire workforce, including employees, contractors, and others under the organization’s direct control.

Under the HIPAA Security Rule, the Administrative Safeguards at 45 C.F.R. § 164.308(a)(5)(i) require Covered Entities and Business Associates to implement a security awareness and training program for all members of the workforce, including management. “Workforce” is defined broadly to include all employees, contractors, volunteers, and any other persons whose conduct is under the organization’s direct control. The HIPAA Security Rule further requires that this program address, at a minimum, periodic security reminders, protection against malicious software, monitoring of log-in attempts and reporting discrepancies, and procedures for creating, changing, and safeguarding passwords. This makes clear that every workforce member who can affect the confidentiality, integrity, or availability of electronic PHI must receive ongoing security awareness and training.

The Shared Custodial Chain of Protected Health Information

Protected health information rarely stays in one place or one system. It moves through a chain of custody: from the Covered Entity to direct Business Associates and often on to downstream subcontractor Business Associates. Each link in that chain has obligations to protect PHI and to support the rights of patients. If a Business Associate hires a vendor that can access PHI, that vendor becomes a subcontractor Business Associate and must be managed accordingly.

In practice, this chain involves a wide variety of people. System administrators configure databases and access controls. Developers and analysts work with test data that may include PHI if not properly de-identified. Customer support staff may see PHI on screens or in tickets. Administrative personnel may be exposed to PHI when handling email, faxes, or printed material. Even staff whose core role is not “healthcare” may be custodians of PHI by virtue of the systems they manage or the spaces they occupy.

If any one of these individuals mishandles PHI, shares it improperly, ignores a security warning, or fails to follow basic safeguards, the entire custodial chain is compromised. The Covered Entity is affected, other Business Associates may be implicated, and, most importantly, the patient may be harmed. Training only those who obviously “touch PHI” on a daily basis overlooks many points where risk can enter the system. Comprehensive HIPAA training for all staff ensures that everyone who might encounter PHI or influence its protection understands their responsibilities.

The Human Factor as the Primary Source of Risk

Most privacy and security failures in healthcare and related industries stem from human behavior, not technology. Technical safeguards such as encryption, access controls, and logging are critical, but a sophisticated security program can be undone by a single untrained or careless staff member.

Real-world incidents repeatedly show the same patterns. A workforce member interacts with a phishing email and discloses login credentials, enabling an attacker to access systems containing PHI. An employee props open a secure door or shares a password for convenience. A staff member uses an unapproved cloud storage service or messaging app to work more quickly, not realizing it fails to meet HIPAA standards. Another employee talks about a recognizable patient on social media or in a public setting, unintentionally disclosing PHI.

These are not always malicious acts. Often they stem from a lack of awareness or a failure to understand why policies are in place. Universal HIPAA training addresses this by explaining what PHI is, what the rules require, and why specific behaviors are risky. It connects daily decisions to real consequences for patients and for the organization. Without this education, the organization relies on luck rather than a structured risk control.

Incident Detection and Reporting Depend on Everyone

Business Associates are typically required, through HIPAA and their Business Associate Agreements, to identify, respond to, and report security incidents and privacy violations. Detection cannot rest solely with IT staff, technology, or a privacy office. In many cases, the first person to see something suspicious is a line employee: a receptionist who notices unusual access to records, a call center agent who spots odd account activity, or a developer who sees error messages that suggest unauthorized access.

If that employee has never been trained on what constitutes a security incident, why it matters, or how to report it, an opportunity for early intervention is lost. By the time a centralized team identifies the problem, more damage may have occurred, more PHI may be exposed, and more patients may be affected.

Universal HIPAA training gives every staff member a clear understanding of what an incident looks like, how to respond, and whom to contact. It also reinforces the message that reporting is a duty, not an optional courtesy, and that honest reporting is expected even when the reporter might have contributed to the problem. This broad, distributed awareness is essential for an effective incident response program.

Organizational and Financial Risk Management

From an organizational perspective, failing to train all staff is a significant and unnecessary risk. Regulatory investigations following a breach or major incident often examine whether the organization had appropriate policies, safeguards, and training in place. If training is incomplete or poorly documented, regulators may conclude that the organization did not exercise reasonable care.

The consequences can include corrective action plans, civil monetary penalties, reputational damage, and the loss of business relationships. Covered Entities may terminate contracts or be reluctant to renew them if they perceive the Business Associate as a weak link in their compliance posture. Plaintiffs’ attorneys may rely on HIPAA standards as evidence of the applicable duty of care in negligence cases, even though HIPAA itself does not provide a private cause of action.

In contrast, a robust and well-documented training program for all staff strengthens the organization’s position. It demonstrates commitment to compliance, supports a consistent enforcement of policies, and helps prevent incidents in the first place. Compared to the costs of responding to a breach, training is a relatively low-cost, high-impact investment.

Fair Enforcement, Culture, and Accountability

HIPAA requires organizations to apply sanctions for violations of their policies and procedures related to PHI. For sanctions to be fair, defensible, and effective, the organization must be able to show that staff were informed of expectations and trained on relevant requirements.

If only some employees receive HIPAA training, it becomes difficult to enforce standards consistently. Workforce members may argue that they did not know their behavior was prohibited or that the organization failed to provide adequate guidance. This undermines the culture of accountability that HIPAA compliance requires.

Training all staff sends a clearer message. It establishes that everyone, regardless of position, shares responsibility for safeguarding PHI. It also supports a culture in which people feel both empowered and obligated to follow policies, protect patient information, and report concerns. Over time, this shared understanding and shared responsibility become part of the organization’s identity, rather than an external requirement imposed from the outside.

HIPAA Training as a Core Business Practice

For a HIPAA Business Associate, training only a subset of employees is not sufficient to satisfy legal requirements, protect patients, or manage organizational risk. The obligations under HIPAA and Business Associate Agreements apply to the organization as a whole, and so must the training that supports those obligations.

Every staff member influences the confidentiality, integrity, and availability of protected health information, whether directly or indirectly. Human behavior is a primary driver of both breaches and prevention. Incident detection and reporting depend on eyes and ears across the organization. Patient safety and medical identity theft concerns make data protection an ethical imperative, not merely a regulatory one. The financial and reputational stakes for the organization are significant, and fair enforcement of policies requires that “I did not know” is never a reasonable excuse.

HIPAA training for all staff is not an optional task or a best practice reserved for particularly cautious organizations. It is a foundational element of doing business as a HIPAA Business Associate. Training all staff is part of what it means to accept the responsibility of working with protected health information.

The post Why HIPAA Business Associates Should Provide HIPAA Training for their Entire Staff appeared first on The HIPAA Journal.

Patient Data Compromised in Cyberattacks on Sleep Specialists

Two sleep specialists, Persante Health Care in New Jersey and SomnoSleep Consultants in Virginia, have recently disclosed security incidents that exposed patient information.

Persante Health Care Patients Informed About January 2025 Cyberattack

Persante Health Care, a Mount Laurel Township, NJ-based national provider of sleep and balance center management services to hospitals and physician practices, has announced a security incident that was detected on or around January 28, 2025.

Unusual activity was identified within its computer network, and with the assistance of third-party cybersecurity experts, Persante Health Care determined that an unauthorized third party accessed its network between January 23 and January 28, 2025. During that time, files containing patient information may have been accessed or acquired. It took more than eight months to review the affected files to determine whether patient data had been exposed; on October 3, 2025, the data review confirmed that personal and protected health information was involved.

The exposed data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, state identification number, passport number, government identification number, taxpayer identification number, date(s) of service, physician or facility name, patient account number, medical record number, financial account information, payment card number, medical device identifier(s), and/or biometric identifier(s).

The Federal Bureau of Investigation was informed about the cyberattack, and Persante Health Care is assisting with the investigation. Additional measures have been implemented to reduce the risk of similar incidents in the future, and the affected individuals were notified by mail on November 26, 2025. The number of affected individuals has yet to be publicly disclosed.

SomnoSleep Consultants’ Patients Affected by Business Associate Data Breach

Patients of Annandale, VA-based SomnoSleep Consultants have been notified about a security incident at a third-party billing vendor, Avosina Healthcare Solutions. The vendor detected unauthorized access to its network on July 29, 2025, in what appears to have been a ransomware attack. Avosina said it was able to restore its services from backups; therefore, no ransom was paid. The FBI was notified, and third-party cybersecurity experts were engaged to determine the nature and scope of the incident and implement additional security measures to protect against further attacks.

The investigation confirmed that some documents were exfiltrated from Avosina’s network. The analysis of those files confirmed that they contained patients’ names, addresses, medical information, and health insurance information. SomnoSleep said there was no unauthorized access to any files that are part of its electronic medical record system.

Avosina notified SomnoSleep about the attack on September 29, 2025, and on November 17, 2025, SomnoSleep provided additional information on the affected patients and delegated the responsibility for sending notification letters to its business associate. SomnoSleep said that no evidence has been found to indicate that any of the impacted patient data has been misused.

Avosina confirmed to SomnoSleep that steps have been taken to correct the vulnerability that was exploited by the threat actor, and other security measures have been implemented to protect against any further unauthorized network access. Internal data management protocols have also been reviewed.

The post Patient Data Compromised in Cyberattacks on Sleep Specialists appeared first on The HIPAA Journal.

Liberty Resources Announces July 2024 Data Breach

Liberty Resources, a Syracuse, NY-based human services agency, has announced a security incident that was first identified 16 months ago, on July 22, 2024. Liberty Resources said an immediate and thorough investigation was conducted, and that the investigation into the incident is still ongoing. It is unclear why the investigation has taken so long.

According to its website data breach notice, the specific information compromised in the incident has yet to be confirmed. Employees and patients have been warned that the impacted data likely includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. Since the investigation has not yet concluded, it is unclear how many individuals have been affected.

While no evidence has been found to indicate any misuse of the affected information, employees and clients have been advised to remain vigilant against identity theft and fraud. While not stated by Liberty Resources, this appears to have been a cyberattack by the Rhysida threat group, which added Liberty Resources to its data leak site and threatened to sell the 665 GB of data allegedly stolen in the attack. Rhysida claims on its data leak site that the data that has not been sold has been published. The group claims the leaked data includes 885,433 files, and if the claim is true, that may go some way to explaining why the investigation and data review have taken so long.

Gold Coast Health Plan Members Affected by Conduent Data Breach

Gold Coast Health Plan in Camarillo, CA, confirmed on December 2, 2025, that members’ protected health information was potentially compromised in a cyberattack on its business associate, Conduent Business Solutions. Conduent, a long-term provider of administrative services to Gold Coast Health Plan, determined on January 13, 2025, that the email account of one of its employees was accessed by an unauthorized individual between October 21, 2024, and January 13, 2025. The forensic investigation has taken several months to complete, and recently, Gold Coast Health Plan learned that the protected health information of 540 members was compromised in the incident, including their names, health plan identification numbers, dates of service, costs of service, and claim numbers. Social Security numbers and financial information were not involved.

“We deeply regret that the private information of some [of] our members was possibly exposed during this cyberattack,” said Robert Franco, GCHP’s chief compliance officer. “We are working closely with Conduent to ensure the necessary safeguards are in place to prevent a future breach.”

The post Liberty Resources Announces July 2024 Data Breach appeared first on The HIPAA Journal.

High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose

Mirion Medical has issued patches to fix five high-severity vulnerabilities in its EC2 Software NMIS BioDose software. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to the application, modify program executables, access sensitive information, and potentially remotely execute code.

Mirion Medical EC2 Software NMIS BioDose is tracking software used by healthcare providers to keep track of inventory, doses, patient information, and billing. The vulnerabilities affect software versions prior to v23.0. Users have been urged to update to v23.0 or later versions to prevent the vulnerabilities from being exploited. Users with an active support contract can update to the latest version via the software. At the time of issuing the updated version, there had been no known exploitation of the vulnerabilities in the wild.

CVE-2025-64298 – CVSS v3.1: 8.4 | CVSS v4: 8.6

In NMIS/BioDose V22.02 and previous versions, installations that use the embedded Microsoft SQL Server Express place the database files in the Windows share that clients access in networked installs. That directory path has insecure permissions by default, allowing access to the SQL Server database files and configuration, which may contain sensitive data.

CVE-2025-61940 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a single shared SQL Server user account to access data in the database. Users must supply a password in the client software, but the underlying database connection is made with the same shared credentials regardless of which user logged in, so the client-side check does not restrict access to the database itself. An option has been added to use Windows user authentication with the database so that the database connection can be restricted per user.

CVE-2025-62575 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account – nmdbuser – and other created accounts have the sysadmin role, which could lead to remote code execution through the use of certain built-in stored procedures.

CVE-2025-64642 – CVSS v3.1: 8.0 | CVSS v4: 7.1

In NMIS/BioDose V22.02 and previous versions, installation directory paths have insecure file permissions by default. In certain deployments, this can allow users to modify program executables and libraries.

CVE-2025-64778 – CVSS v3.1: 7.3 | CVSS v4: 8.4

NMIS/BioDose software V22.02 and previous versions have executable binaries with plaintext hard-coded passwords, which could be exploited to gain unauthorized access to the application and database.
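The following T-SQL is an added example for administrators running a NMIS/BioDose back end; it is not Mirion’s code and not part of the advisory. It audits the SQL Server instance for the conditions behind CVE-2025-62575 (the application login holding sysadmin) and CVE-2025-61940 (a single shared login), shows where the database files live so they can be compared against the client share described in CVE-2025-64298, and sketches a least-privilege remediation. The database name [NMIS] is an assumption; the login name nmdbuser is the one named in the advisory. The remediation section is illustrative only: removing sysadmin may break stored procedures the application depends on, and the supported fix is upgrading to v23.0 and enabling the Windows-authentication option.

```sql
-- Added example (not vendor code). Run as a sysadmin from SSMS or sqlcmd.
-- Assumptions: application database is [NMIS] (hypothetical name);
-- application login is nmdbuser (named in the advisory).

-- 1. Every login that holds the server-level sysadmin role.
--    In an unpatched install, nmdbuser and "other created accounts" appear here.
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.name;

-- 2. Direct check on the application login (1 = sysadmin, 0 = not, NULL = no such login).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') AS nmdbuser_is_sysadmin;

-- 3. Are the OS-command stored procedures enabled? A sysadmin can enable them
--    with sp_configure, which is why sysadmin on an application login is a
--    remote code execution path even when these currently read 0.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'show advanced options');

-- 4. Where do the database files live? Compare each physical_name against the
--    Windows share path that NMIS clients mount; files inside that share are the
--    exposure described in CVE-2025-64298 and need a tighter NTFS/share ACL.
SELECT DB_NAME(database_id) AS database_name, type_desc, physical_name
FROM sys.master_files
WHERE database_id = DB_ID(N'NMIS');

-- 5. Remediation sketch (illustrative; test against the application first):
--    drop sysadmin from the application login and grant only data access
--    inside the application database.
ALTER SERVER ROLE sysadmin DROP MEMBER nmdbuser;

USE [NMIS];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'nmdbuser')
    CREATE USER nmdbuser FOR LOGIN nmdbuser;
ALTER ROLE db_datareader ADD MEMBER nmdbuser;
ALTER ROLE db_datawriter ADD MEMBER nmdbuser;

-- 6. Re-run the direct check; after step 5 this returns 0.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') AS nmdbuser_is_sysadmin;
```

Steps 1 to 4 are read-only and safe to run on a production instance before patching; they give a concrete answer to whether the shared login, its sysadmin membership, and the file locations match the advisory. Step 5 is the shape of the fix, not a substitute for it: the hard-coded credentials from CVE-2025-64778 remain in the binaries until the vendor update is applied, so rotating the login’s password and moving to Windows authentication in v23.0 is what actually closes the shared-account issue.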

The post High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose appeared first on The HIPAA Journal.