Is Saying Someone Died a HIPAA Violation?

Posted by Steve Alder

In answer to the question is saying someone died a HIPAA violation, it depends on who is making the statement, who the statement is made to, and what other information is disclosed with the statement. Saying someone died can be a HIPAA violation, but – as this blog discusses – in most cases it is not.

Among other purposes, the HIPAA Privacy Rule protects the privacy of individually identifiable health information relating to the past, present, or future health condition of an individual. Organizations subject to the HIPAA Privacy Rule – and their workforces – must comply with this requirement with respect to a deceased individual “for a period of 50 years following the death of the individual”.

However, not all organizations are subject to the HIPAA Privacy Rule. If, for example, an employee of a private nursing home which does not qualify as a HIPAA “covered entity” revealed somebody had died, it is not a HIPAA violation because the nursing home is not required to protect the privacy of individually identifiable health information (Note: although this might not be a violation of HIPAA, disclosing private information of this nature may violate state privacy laws in some circumstances).

Even when an organization is subject to the HIPAA Privacy Rule, it is not automatically the case that saying someone died is a HIPAA violation. “Covered entities” are permitted to disclose individually identifiable health information to specific people, subject to the disclosure being limited to the minimum necessary to achieve the purpose of the disclosure, and subject to any prior expressed wish of the deceased relating to what information can be disclosed. Healthcare providers should receive HIPAA training on permitted disclosures of this nature.

Who Can Be Told Someone Has Died Under HIPAA?

The HIPAA Privacy Rule stipulates who can be told when someone has died in sections §164.510(b) and §164.512(g). The first section allows covered entities to disclose information about deceased individuals to family members, other relatives, close personal friends, or any other individual identified by the deceased individual while they were alive. All disclosures to people in this group are subject to the verification requirements of §164.514(h).

Persons or entities that were involved in the deceased person´s care or payment for health care can also be told the patient has died under §164.510(b), while §164.512(g) permits covered entities to disclose individually identifiable health information to a coroner or medical examiner to identify the deceased person, determine the cause of death, or other duty as authorized by law. Under this section, covered entities can also tell funeral directors somebody has died.

In all permitted circumstances, the information disclosed must be the minimum necessary to achieve the purpose of the disclosure, and must respect any wishes known by the covered entity prior to the patient’s death. If a patient died (say) due to injuries sustained in a road accident, but also suffered from a lung condition, covered entities are not permitted to disclose the lung condition or any other related treatment or payment for the treatment.

When is Saying Someone Died a HIPAA Violation?

There are not many circumstances when saying someone died is a HIPAA violation and usually violations of this nature only occur when a member of a covered entity’s workforce:

  • Discloses information to somebody not permitted by the HIPAA Privacy Rule,
  • Discloses more than the minimum necessary information about the deceased, or
  • Discloses information it is known the deceased did not want disclosed.

However, it is important to note the HIPAA Privacy Rule generally applies to a deceased person’s health information in the same way as a living person’s health information. In the same way as an individual’s “personal representative” can authorize disclosures of health information not permitted by the HIPAA Privacy Rule on the individual’s behalf when they are alive, a personal representative can do the same when the individual is deceased.

In most states, a deceased individual’s “personal representative” is the next of kin. If the next of kin authorizes a disclosure to somebody not permitted by the HIPAA Privacy Rule, a disclosure of more than the minimum necessary information, or a disclosure of information the deceased did not want disclosed, these events are no longer HIPAA compliance violations. If you are still uncertain about when is saying someone died a HIPAA violation, you should seek professional compliance advice.

The post Is Saying Someone Died a HIPAA Violation? appeared first on The HIPAA Journal.

Monroe University: 320,000 Individuals Affected by December 2024 Cyberattack

Posted by Steve Alder

Monroe University, a for-profit university with campuses in the Bronx and La Rochelle in New York, and Saint Lucia in the Caribbean, has recently confirmed that a cyberattack has resulted in unauthorized access to the personal and health information of approximately 320,973 individuals.

The cyberattack was detected more than a year ago on December 23, 2024. When the intrusion was detected, immediate action was taken to secure its systems to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that an unauthorized third party had access to its network from December 9, 2024, to December 23, 2024, and exfiltrated files containing sensitive data.

It has taken nine months to review the affected files to determine the individuals affected and the types of data involved. On September 30, 2025, Monroe University confirmed that the data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, government identification numbers, medical information, health insurance information, electronic account or email usernames and passwords, financial account information, and/or student data.

The university started issuing notification letters to the affected individuals on January 2, 2026, and had advised all individuals to remain vigilant against potential fraud and identity theft by monitoring their credit reports, accounts, and explanation of benefits statements for suspicious activity. At the time of issuing notification letters, the university had not identified any misuse of the stolen data. Based on the notification letter seen by The HIPAA Journal, credit monitoring services do not appear to have been offered.

Universities, like healthcare organizations, are an attractive target for hackers, who can gain access to vast amounts of sensitive data, which in this case included student data and health information. Other universities that have recently experienced cyberattacks include Harvard and Columbia.

The post Monroe University: 320,000 Individuals Affected by December 2024 Cyberattack appeared first on The HIPAA Journal.

Tens of Thousands of Patients Affected by Two Business Associate Data Breaches

Posted by Steve Alder

Mid Michigan Medical Billing Service, a Flint, MI-based revenue cycle management company that provides billing support services to HIPAA-covered entities, has fallen victim to a cyberattack that exposed the sensitive data of patients of its healthcare clients.

Suspicious network activity was identified on March 27, 2025, and the forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The affected data was reviewed to determine the types of information involved and the affected individuals. Mid Michigan Medical Billing Service then notified the affected covered entity clients and worked with them to provide notice to the affected individuals.

The file review confirmed that the protected health information of 28,185 individuals had been exposed in the cyberattack. The compromised data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, driver’s license/ government issued identification number, Medicare/Medicaid identification number, diagnosis/treatment information, medical record number/patient account number, health insurance information, payment card number, employer identification number, passport number, treating/referring provider name, and biometric data. For a limited number of individuals, Social Security numbers were involved.

VillageCareMAX, New York

VillageCareMAX, a New York, NY-based provider of health plans and community healthcare services to seniors and individuals with chronic diseases, has announced a data breach involving one of its business associates, TMG Health.

VillageCareMAX uses the Cognizant-owned TMG Health to assist with the administration of its members’ health plans. TMG Health identified unauthorized activity within its information system on September 19, 2025. The unauthorized access was immediately terminated, and an investigation was launched to determine the nature and scope of the unauthorized activity. TMG Health determined that an unauthorized third party had access to its network for 10 months from November 20, 2024, to September 19, 2025. During that time, VillageCareMAX members’ protected health information may have been accessed and acquired.

The affected data included names, member identification numbers, health information, and Social Security numbers. While no misuse of that data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft recovery services. VillageCareMAX has received assurances that TMG Health has implemented technological and procedural enhancements to prevent similar incidents in the future.

VillageCareMAX provides services to more than 35,000 individuals each year. It is currently unclear how many of those individuals have been affected.

The post Tens of Thousands of Patients Affected by Two Business Associate Data Breaches appeared first on The HIPAA Journal.

Is your Cybersecurity Training Good Enough to Give You HIPAA Safe Harbor Law Protection?

Posted by Steve Alder

Your HIPAA Safe Harbor protection is only as strong as your ability to prove through documentation and consistent practice that your organization has implemented recognized security practices for at least 12 months, and cybersecurity training is one of the most visible ways regulators can see those practices operating in real life.

Healthcare organizations often ask a deceptively simple question after a breach, a complaint, or an OCR investigation begins: “Will our training help us?” Under the HIPAA Safe Harbor Law, the more precise question is: “Can we demonstrate that our security program, including workforce training, reflects recognized security practices, and that we’ve run it consistently for at least a year?”

That distinction matters because HIPAA Safe Harbor is not a “get out of jail free” card. It’s a legal instruction to the U.S. Department of Health and Human Services (HHS) to consider what you were already doing before an incident when deciding how hard to come down on you, especially when it comes to penalties, corrective action plans, and audits.

In other words: Safe Harbor doesn’t require perfection. It rewards proof of discipline and best practices.

What the HIPAA Safe Harbor Law Actually Does (and Doesn’t Do)

The HIPAA Safe Harbor Law is commonly referenced as HR 7898, an amendment to the HITECH Act passed by Congress in 2021. In plain terms, it gives HHS room to be more reasonable with organizations that can show they implemented and maintained recognized security practices before a security-related HIPAA incident.

What HIPAA Safe Harbor may influence includes:

  • Civil monetary penalties (the size and severity of fines)

  • Corrective action plans (how disruptive and extensive remediation requirements become)

  • Audit burden (length and extent, including how invasive the process is)

What Safe Harbor does not do:

  • It does not eliminate HIPAA obligations.

  • It does not guarantee you won’t be fined.

  • It does not excuse weak safeguards or missing documentation.

  • It does not retroactively “fix” a program you can’t prove existed and functioned.

The entire premise is straightforward: if you’ve been taking recognized security seriously, and can demonstrate that, HHS can factor it into how they respond when something still goes wrong.

HR 7898 and the “Recognized Security Practices” Language you must Understand

HIPAA Safe Harbor is anchored in the concept of recognized security practices, and HR 7898 points directly to well-known cybersecurity references. The law includes the following text (emphasis added here only for readability):

“Standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act, the approaches promulgated under section 405(d) of the 2015 Cybersecurity Act, and other programs that address cybersecurity and that are developed, recognized, or promulgated through regulations […] consistent with the HIPAA Security Rule.”

What that means in practice

This language is doing two things at once:

  1. It recognizes established cybersecurity “programs” and frameworks (for example, NIST-related guidance and the 405(d) Health Industry Cybersecurity Practices approach).

  2. It draws a boundary: whatever you adopt must be consistent with the HIPAA Security Rule and not a generic IT checklist that ignores how ePHI is created, accessed, transmitted, and stored in healthcare environments.

So if you want HIPAA Safe Harbor to matter, your story has to be coherent:

  • Your security framework (the “recognized practices”)

  • Your policies and controls (how those practices are implemented)

  • Your training program (how your workforce is taught to execute those practices)

  • Your records (how you prove it happened consistently over time)

Why Cybersecurity Training is a Safe Harbor Pressure Point

Training is not the whole Safe Harbor equation but it’s one of the easiest places for regulators to test whether your security program is real.

Policies can be beautifully written and still meaningless. Controls can exist and still be bypassed. But training forces you to answer uncomfortable questions, such as:

  • Did staff understand how to recognize common attacks (like phishing and social engineering)?

  • Were they taught how to handle passwords, devices, email, and messaging safely?

  • Did they know how to report a suspected security incident—immediately?

  • Did you reinforce and update training as threats and workflows changed?

  • Can you produce documentation that shows training was delivered, completed, tested, and refreshed?

If your organization can produce training materials, completion records, quiz results, and updated modules that align with your program, it becomes concrete evidence that recognized practices were not just “adopted on paper,” but implemented across your workforce.

The real question: is Your Training “good enough” for HIPAA Safe Harbor?

To be “good enough” in a Safe Harbor sense, training must do more than satisfy a checkbox. It needs to be:

1) Healthcare-specific, not generic

Safe Harbor is about practices consistent with the HIPAA Security Rule. Generic corporate security training often misses the realities of healthcare workflows—shared workstations, high-urgency communication, patient-facing operations, and the constant movement of sensitive data across systems and people.

2) Outcome-driven and behavior-focused

The goal isn’t to make employees recite definitions. It’s to reduce risk by changing day-to-day behavior: how people click, reply, forward, store, share, verify, escalate, and report.

3) Mapped to your recognized security practices

If you claim alignment with recognized practices, your training should visibly reinforce them. A regulator should be able to see the connection between what your program says and what your workforce is taught to do.

4) Consistent for at least 12 months (and provable)

Safe Harbor looks backward. If you can’t show continuity—onboarding, refreshers, updates, and participation evidence—you lose the main benefit the law offers.

5) Documented like you expect to be investigated

A “good” training program can still fail the Safe Harbor test if you can’t produce records quickly and cleanly. In enforcement, absence of documentation is often treated as absence of action.

What Healthcare Cybersecurity should Encompass to Provide HIPAA Safe Harbor

This section is based exclusively on the training content referenced and describes what a healthcare-focused cybersecurity program for employees should include if you want training to meaningfully support HIPAA Safe Harbor. Healthcare cybersecurity training should be designed to teach staff to recognize threats and handle health records securely, and it should be grounded in HIPAA and real healthcare workflows. The objective is to reduce the likelihood of data breaches caused by employees by building practical habits, personal responsibility, and repeatable behaviors.

Practical, risk-reducing behaviors employees must learn

Training should cover practical behaviors that directly reduce cyber risk, including:

  • Passwords

  • Email and messaging security

  • Resisting social engineering

  • Careful use of USB devices and removable media

It should also teach employees how attackers actually get in and how to stop them, focusing on the real causes of breaches such as phishing, weak credentials, unsafe device use, and slow reporting.

Early incident recognition and first-response actions

A healthcare cybersecurity program must help staff recognize when “something looks wrong” and understand what to do immediately. This includes:

  • Early attack incident recognition

  • How to respond to suspected attacks

  • Clear guidance on recognizing and reporting security incidents

Case-based learning that motivates real behavior change

Effective training should include real-world, relatable healthcare examples and case-based consequences that explain:

  • Why security best practices matter for healthcare records

  • The difference between a HIPAA violation and a data breach

  • The negative consequences of healthcare cybersecurity failures for patients, healthcare organizations, and employees

Clear emphasis on employee responsibility

The training should emphasize that security responsibilities are personal and that every employee plays a direct role in protecting medical data by:

  • Following proper procedures

  • Securing physical devices

  • Remaining alert to suspicious activity

It should also explain the consequences of HIPAA violations and data breaches.

Physical safeguards that protect medical records

Healthcare cybersecurity should explicitly include physical safeguards, teaching how medical records can be exposed through physical technology and how to prevent that, including:

  • Securing workstations

  • Properly managing personal devices

  • Safely handling removable media

The objective is to protect patient information when using physical technology and maintain the confidentiality and integrity of medical records.

The core healthcare cyberthreats your workforce must be trained on

Training should teach the most common ways medical records can be hacked and how to prevent breaches, including:

  • Phishing

  • Password security

  • Social engineering

  • Email and messaging security

  • Social media security

A HIPAA Safe Harbor Readiness Checklist for your Healthcare Cybersecurity Training

If you want an honest answer to “Is our cybersecurity training good enough for HIPAA Safe Harbor protection?”, pressure-test it with questions like these:

  • Can we show 12+ months of consistent cybersecurity training activity?

  • Do we have clean documentation: materials, completion records, quiz/test evidence, certificates, and updates?

  • Is training healthcare-specific and clearly connected to protecting medical records and ePHI?

  • Does it teach practical behaviors (not just rules) across cyber and physical safeguards?

  • Does it teach recognition + response for suspected attacks and reporting expectations?

  • Can we demonstrate that training reflects our policies and technical controls, not generic advice?

  • If OCR asked for evidence tomorrow, could we produce it quickly, completely, and confidently?

If any of those answers are shaky, the issue isn’t just training quality, it’s Safe Harbor credibility.

HIPAA Safe Harbor Protection

HIPAA Safe Harbor protection is less about claiming you followed a framework and more about proving your organization operationalized recognized security practices over time and workforce cybersecurity training is one of the clearest ways to demonstrate that operational reality. If your training is generic, sporadic, poorly tracked, or disconnected from how your organization actually protects ePHI, it’s unlikely to carry meaningful Safe Harbor weight when it matters most.

The post Is your Cybersecurity Training Good Enough to Give You HIPAA Safe Harbor Law Protection? appeared first on The HIPAA Journal.

HIPAA Awareness Training

Posted by Steve Alder

HIPAA awareness training is a practical, organization wide program that helps every workforce member recognize Protected Health Information, avoid common privacy and security mistakes, and report concerns early, while supporting the deeper role based HIPAA training required for both HIPAA Covered Entities and HIPAA Business Associates.

What is HIPAA Awareness Training?

HIPAA awareness training is the baseline layer of HIPAA education that builds shared expectations across the workforce. It focuses on everyday behaviors and decision points rather than turning every employee into a HIPAA specialist. Awareness training works best as the common foundation that is supplemented with additional modules for higher risk roles, departments, and systems.

Awareness training should be written in clear, employee friendly language and designed to be easy to apply during real work. It should also include short knowledge checks that confirm understanding, rather than relying only on acknowledgement statements.

Who Should Receive HIPAA Awareness Training?

HIPAA awareness training should be delivered to all workforce members, including management, employees, temporary staff, and contractors. Organizations often make mistakes by limiting training to clinical teams or staff who regularly handle medical records, but privacy and security risk also comes from support roles, shared systems, and basic workplace behavior.

Even staff who rarely interact with PHI should still understand the basics of confidentiality, security awareness, and incident reporting, because they may encounter PHI unexpectedly through emails, phone calls, misdirected documents, or shared work areas.

What HIPAA Awareness Training Should Cover

A strong awareness program explains core terms and responsibilities in practical language. Staff should understand what PHI and ePHI are, why the minimum necessary mindset matters, and how to follow internal policies for handling information. Training should explain common permitted and non permitted behaviors in a way that fits everyday work, such as what to do when someone asks for information, how to verify identity, and how to avoid sharing details in public spaces.

Awareness training should also introduce patient rights concepts at a high level so staff know when to escalate requests rather than guessing. It should reinforce that HIPAA compliance is part of the job, not a one time event or a once a year exercise.

HIPAA Security Awareness Training and Cybersecurity

Security awareness should be included for all workforce members because human error is a leading contributor to security incidents. HIPAA awareness training should cover phishing and social engineering, safe password practices, account security, device protection, and secure remote work. It should also address safe use of email, messaging, and texting, since these channels are common sources of accidental disclosures.

Modern awareness training should also address emerging risks such as the unsafe use of generic AI tools with PHI. Staff need clear rules about what information can and cannot be entered into general purpose AI systems and what approved tools exist inside the organization.

HIPAA Privacy Awareness in Everyday Work

Privacy awareness training should focus on practical mistakes that occur in normal workflows. This includes conversations in hallways, waiting rooms, and public areas, screen visibility in shared spaces, printed documents left on printers, and casual sharing of patient information in internal chats. It should also cover social media risks, including the fact that “no name” stories can still identify a patient when enough context is shared.

Awareness training should connect these risks to simple habits, such as checking recipient addresses before sending, using approved communication tools, limiting what is displayed on screens, and avoiding unnecessary details in notes and messages.

Incident Reporting and Escalation

A core goal of HIPAA awareness training is to help staff recognize issues early and report them quickly. Training should define what counts as a potential incident, what to do if something seems wrong, and who to contact. It should reinforce that reporting is encouraged and expected, and that raising concerns early is safer than trying to fix issues quietly.

This reporting section should also introduce the organization’s HIPAA officers and escalation channels, so staff know exactly where to go when they suspect a privacy or security problem.

How often should HIPAA Awareness Training be Delivered?

HIPAA training should be provided to new workforce members within a reasonable period after they join, and additional training should be delivered when policies, procedures, or technology change in a relevant way. Risk assessments and incident patterns should also drive additional training when gaps are identified.

Best practice in the healthcare sector is annual HIPAA training, and awareness training should be part of that annual cycle. Annual refreshers reinforce expectations, incorporate new risks, and help prevent slow drift in daily habits.

HIPAA Awareness Training Documentation and Audit Readiness

HIPAA awareness training should generate strong documentation. Organizations should maintain records of training content, dates, attendees, completion status, and frequency so they can demonstrate ongoing education. A training platform that supports completion tracking, certificates, and easy reporting makes it far simpler to respond to audits and client due diligence requests.

Documentation should show that training is not one time, that content is updated, and that the organization tests understanding rather than relying only on attestations.

HIPAA Awareness Training for a HIPAA-Covered Entity

For a HIPAA Covered Entity, awareness training should provide a clear baseline for all workforce members and connect HIPAA requirements to patient trust and the organization’s mission. It should explain the Privacy, Security, and Breach Notification Rules in plain language and show how they apply to common workflows in clinical and administrative settings.

Covered Entities should ensure awareness training is consistent across departments while adding role specific overlays for higher risk groups. Training should be practical and scenario based, include knowledge checks, and be supported by clear documentation.

HIPAA Awareness Training for a HIPAA Business Associate

For a HIPAA Business Associate, awareness training must include the same practical privacy and security foundations, plus additional emphasis on Business Associate obligations. Staff need to understand that Business Associate Agreement terms govern permitted uses and disclosures, that PHI can only be used for contracted purposes, and that incident escalation must be fast so Covered Entity clients can meet notification timelines.

Business Associate awareness training should also use examples that match the services provided, such as billing, IT support, analytics, document handling, or call center workflows. It should reinforce secure handling of client data, careful use of communication tools, and the need to follow client specific procedures where required.

How to Make HIPAA Awareness Training Effective

Awareness training works best when it is written and maintained by HIPAA experts, updated regularly, and delivered in employee friendly language. It should use realistic scenarios, focus on the decisions employees actually make, and test understanding rather than relying on acknowledgement alone. It should also explain consequences of noncompliance with realistic examples so staff understand why details matter.

Programs should include role based options for special groups, support clear reporting and audit ready documentation, and integrate cybersecurity awareness that reflects real threats to ePHI. When HIPAA awareness training is delivered to all staff and refreshed annually, it becomes a practical, defensible way to reduce risk and build a consistent culture of privacy and security across both HIPAA Covered Entities and HIPAA Business Associates.

The post HIPAA Awareness Training appeared first on The HIPAA Journal.

HIPAA Training for Medical Billing Employees

Posted by Steve Alder

HIPAA training for medical billing employees is essential because billing teams routinely handle Protected Health Information across claims, denials, authorizations, patient communications, and payment workflows, and the safest approach is to train every workforce member so PHI is protected consistently across people, processes, and systems.

Why Medical Billing Employees Need HIPAA Training

Medical billing work touches PHI in many forms, including patient demographics, diagnosis and procedure codes, payer correspondence, clinical documentation used to support coding, and account notes from phone calls or portals. Even small mistakes can create reportable incidents, such as sending information to the wrong payer, discussing an account with an unauthorized caller, attaching the wrong document, or exposing PHI through shared drives and email threads. HIPAA training gives billing staff a practical framework for making the right decisions in daily work, not just learning definitions.

What HIPAA Training Should Cover for Billing Teams

A strong course should explain the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule in everyday language, using billing focused examples. Training should define key terms such as PHI, ePHI, Minimum Necessary, HIPAA Covered Entity, and HIPAA Business Associate, then show how those concepts apply to tasks like claim submission, follow up calls, appeals, refund processing, and record requests. Staff should learn how to verify identity, limit disclosures, handle patient rights requests appropriately, and recognize when a situation must be escalated to compliance leadership.

Because billing relies heavily on electronic systems, training should also include security awareness content for all staff, such as phishing recognition, safe password practices, secure device use, and reporting suspicious activity. This is especially important where billing teams use multiple portals, remote access, clearinghouse tools, call recording platforms, and shared ticketing systems.

Additional HIPAA Training Needed for Business Associate Billing Staff

Many medical billing companies operate as HIPAA Business Associates, which creates extra training needs beyond basic HIPAA concepts. Business Associate staff must understand how Business Associate Agreement terms affect day to day work, including permitted uses and disclosures, restrictions on using PHI for non billing purposes, and expectations for incident escalation so the HIPAA Covered Entity can meet notification timelines. Training should reinforce that Business Associate obligations apply across the whole workforce, including management and support roles, because anyone with access to the same systems can create risk.

Business Associate training should also address vendor and subcontractor handling. Billing teams often interact with third party services, such as printing, mailing, analytics, IT support, or software integrations. Staff need clear rules for when PHI can be shared, what approvals are required, and how to use approved secure channels.

Best Practices for Effective HIPAA Training Programs

HIPAA training works best when it is designed for employees rather than written only for compliance professionals. It should use employee friendly language, practical scenarios, and role specific examples for billing tasks. Training should test understanding with quizzes or assessments rather than relying only on attestations. It should also explain the consequences of noncompliance using realistic examples so staff understand the real world impact on patients, operations, and trust.

Documentation is not optional. A strong program maintains audit ready records of who was trained, when they were trained, what content was covered, and how understanding was assessed. Training platforms should support completion tracking, certificates, and clear reporting for audits and client due diligence.

How Often Medical Billing Employees Should Be Trained

HIPAA requires training to be ongoing and provided when staff join and when policies, procedures, or technology change in a relevant way. Industry best practice in the healthcare sector is annual HIPAA training, and billing teams should follow an annual refresher cycle supported by change driven training when workflows, systems, or risks shift. Annual training reinforces expectations, reduces avoidable errors, and creates a clear record that training is continuous rather than one time.

Building a Training Program that Reduces Billing Risk

Medical billing organizations reduce HIPAA risk by training all staff, tailoring content to billing workflows, integrating security awareness, and keeping strong training documentation. When training is practical, regularly refreshed, and aligned to Business Associate obligations, billing teams can work efficiently while protecting PHI and supporting clients with a defensible compliance posture.

The post HIPAA Training for Medical Billing Employees appeared first on The HIPAA Journal.