10 Step Guide to Choosing HIPAA Training for Employees

Posted by PJ Murray

Choosing HIPAA training for employees should be about compliance outcomes, not simply optics of checking the box for mandatory training. This 10-step guide helps you select HIPAA training courses that build real HIPAA compliance knowledge, reduce common errors, and prepare employees to apply HIPAA correctly from day one. This guide helps you avoid checkbox training and invest in learning that improves employee compliance performance, ultimately reducing HIPAA violations and HIPAA breaches.

Step 1: Review the course curriculum and verify that it is specifically designed for employees.

Verify that the training was designed for the staff receiving the training. There is little point in providing HIPAA training designed for compliance officers or training designed for managers that is focused on the compliance programs for HIPAA-covered entities.

Step 2: If the training provider does not state who produced the training, then ask for this information.

When selecting HIPAA training, evaluate substance and outcomes, not slide count. Effective courses go beyond reciting regulations and show how the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule translate into concrete tasks and decisions for employees. Begin with the source of the training content. Prefer curricula developed and maintained by recognized HIPAA subject-matter experts that have been designed with input from and then reviewed by HIPAA Privacy Officers and HIPAA Compliance Officers. The officers understand how violations occur and can teach recurring patterns, such as misdirected messages, wrong-patient access, and casual disclosures, and the precise steps that prevent them.

Step 3: If the training does not have a release date, then ask when it was produced.

Verify that the content is up-to-date because HHS and OCR guidance evolves, enforcement priorities shift, and new technologies introduce fresh risks. High-quality training is actively updated to reflect new laws, guidance, and enforcement trends, rather than remaining static.

Step 4: Prioritize practical advice over theory

Ensure the HIPAA training prioritizes practical scenarios over abstraction or simply repeating regulations. The training must use realistic examples such as unattended workstations, unapproved applications, and over-sharing on phone calls.

Step 5: Verify that training has modules covering evolving threats like social media and AI tools.

The training must also address modern risk areas, including generative AI tools, social media, messaging platforms, remote work, and personal devices.

Step 6: Choose training focused on risk reduction

Training cannot eliminate HIPAA violations and HIPAA breaches, but well-designed modules reduce both likelihood and impact by targeting behaviors behind common incidents. Make sure that the content is focused on prevention and response. The training must identify typical errors, such as lost devices, unencrypted email, and improper disclosures, and specify who to notify, what to document, and when to escalate.

Step 7: Review the trainee learning experience

An effective learning experience is practical, accessible, and respectful of time. Online, self-paced modules with pause and resume controls suit shift work and clinical interruptions. Mobile-friendly delivery across desktop, tablet, and phone improves the completion rate of training. When staff can access training easily, learn at a sensible pace, verify understanding, and obtain help as needed, they make better decisions, and the compliance program becomes measurably stronger. Make sure that the training is available for the full year until the next annual session so that employees can review as many times as they require to refresh their knowledge. The learning experience is also improved if there are quizzes after each topic covered. The fact that trainees know that they will be tested at the end of each topic in the training course immediately improves their attention levels.

Step 8: Training management features

Online HIPAA training provides managers with the opportunity to monitor the progress of employees during their HIPAA training and confirm that the training has been completed. It is also necessary to retain training records for a minimum of six years.

Step 9: Include state privacy laws where necessary

HIPAA training also means training in the related medical record privacy and security laws. Certain states such as Texas and California have state medical privacy laws that are mandatory and stricter than HIPAA. There are also additional state data privacy laws that apply to medical records.

Step 10: Don’t forget cybersecurity training

Integrate HIPAA with cybersecurity awareness for any staff who have access to medical records on computers. Many large scale HIPAA beaches begin with general cyber risks, including phishing, weak credentials, unsafe USB use, and credential sharing. Pair HIPAA content with focused cybersecurity modules on human error, phishing recognition, secure messaging, credential management, and removable media.

Choose HIPAA Training That Changes Behavior

This guide recommends selecting HIPAA training that is designed for employees, identifies who produced the content, and includes a clear release date. It emphasizes practical scenarios over theory, with up-to-date modules that address social media, AI tools, messaging, remote work, and personal devices. It calls for risk-focused instruction that identifies common errors such as lost devices, unencrypted email, and improper disclosures, and that specifies who to notify, what to document, and when to escalate. It also highlights a learning experience that is self-paced, mobile-friendly, and available for the full year so employees can review as needed. The guide advises pairing HIPAA training with cybersecurity modules for staff who access medical records on computers.

The post 10 Step Guide to Choosing HIPAA Training for Employees appeared first on The HIPAA Journal.

OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is working on a video presentation to explain the requirements of the risk management process of the HIPAA Security Rule and has requested risk management questions from HIPAA-regulated entities.

The risk analysis is a foundational element of the HIPAA Security Rule that requires risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) to be identified. OCR frequently identifies risk analysis failures in its investigations of data breaches, complaints, and through its HIPAA compliance audit program, including incomplete and nonexistent risk analyses. It is the most commonly identified HIPAA Security Rule violation, and a frequent reason for imposing a financial penalty.

OCR has released guidance to help HIPAA-regulated entities conduct a risk analysis, and a downloadable risk assessment tool for small- and medium-sized regulated entities to guide them through the process. After conducting a risk analysis, all identified risks and vulnerabilities to ePHI must be subjected to a risk management process, detailed in § 164.308(a)(1)(ii)(B) of the administrative safeguards of the HIPAA Security Rule. Risk management is defined as “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [Security Standards: General Rules].”

Two of OCR’s enforcement actions this year included penalties for risk management failures – the $3,000,000 penalty for Solara Medical Supplies and the $1,500,000 Warby Parker, Inc. HIPAA violation penalty. To clear up any potential confusion about the risk management process, OCR is producing a video presentation – HHS’ OCR Presents: The HIPAA Security Rule: Risk Management.

Nick Heesters, OCR’s Senior Advisor for Cybersecurity, will be covering various aspects of the risk management provision of the HIPAA Security Rule in the presentation. Heesters will flesh out what is required in terms of risk management, the use of cybersecurity resources, and he will provide insights into OCR’s investigations into potential risk management HIPAA violations.

Since this will be a pre-recorded video presentation rather than a live webinar, OCR has requested questions from HIPAA-regulated entities about the risk management requirement of the HIPAA Security Rule, a selection of which will be answered during the presentation. If you have any questions related to risk management, this is an ideal opportunity to get the answers you seek. Questions should be submitted to OCR no later than  December 8, 2025, via email at OCRPresents@hhs.gov

The post OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation appeared first on The HIPAA Journal.

Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas

Posted by PJ Murray

In addition to HIPAA and the Texas Medical Records Privacy Act/HB300, several other laws apply to the privacy and security of medical records in Texas. Laws such as the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188 and the Texas Medical Practice Act create a layered system of protections that often go beyond HIPAA’s minimum requirements.

Before HIPAA, medical confidentiality in Texas was governed mainly by the Texas Health and Safety Code, which already limited how health information could be used and disclosed, and gave patients rights to see their records. HIPAA then introduced federal privacy and security rules, but only for a narrower group of “covered entities.” To close that gap, Texas passed the Texas Medical Records Privacy Act in 2001, extending HIPAA-style protections to more organizations that handle Texans’ health information. HB300, passed in 2011, strengthened that Act by tightening rules for electronic disclosures, shortening deadlines for responding to patient access requests, and expanding breach notification requirements. HB300 is important, but it operates alongside a broader set of Texas privacy and security laws.

The Texas Identity Theft Enforcement and Protection Act (TITEPA) is not limited to healthcare, but it heavily affects healthcare organizations because it applies to any business that handles personal identifying information about Texas residents. Its definition of “sensitive personal information” is broader than HIPAA’s definition of PHI, so some data that is not PHI still has to be protected as if it were. Organizations must secure this information, dispose of it safely, and notify individuals (and sometimes the Attorney General) if computerized sensitive personal information is acquired by an unauthorized person. Because these requirements sit next to HIPAA’s breach rules, many healthcare organizations in Texas treat all patient-related information like PHI and apply HIPAA-level safeguards across the board.

The Texas Data Privacy and Security Act (TDPSA) is aimed at consumer data generally, but it also touches healthcare. Covered entities and business associates are exempt for PHI but not for other personally identifying data they collect, such as marketing lists, website tracking data, appointment booking details, or some HR data. For this non-PHI data, organizations must limit collection to what is necessary, obtain informed consent for certain uses (such as targeted marketing), and honor rights to access, correct, or request deletion where those rights apply. Deletion rights do not override medical record retention requirements, so PHI and medical records still must be kept according to Texas rules.

The Texas Responsible AI Governance Act and SB1188 add AI- and EHR-specific obligations. The AI Governance Act applies broadly to developers and users of AI, including healthcare organizations that use AI in clinical or administrative workflows. Patients must be told when AI is used in diagnosis or clinical decision support (outside emergencies), and patient authorization is required if PHI is sent to AI systems for purposes beyond treatment, payment, healthcare operations, or required-by-law disclosures. 

SB1188 goes further by requiring AI-generated diagnostic outputs to be reviewed under standards set by the Texas Medical Board and documented in the medical record, and by imposing specific security and functionality requirements on EHRs. It restricts storing certain data types in EHRs, such as credit scores or voter-registration status, and sets rules around parental access to minors’ electronic records – with exceptions for sensitive services such as reproductive, substance use, or mental health care.

The Texas Medical Practice Act and related code provisions add professional and confidentiality duties for licensed healthcare professionals on top of all this. In many cases, state law requires written consent for disclosures that go beyond treatment, payment, healthcare operations, or disclosures explicitly required by law, and adds extra protections for especially sensitive categories such as mental health, substance use, HIV testing, and genetic information. These provisions are updated regularly and can override or refine how other laws apply in specific scenarios. Because all of these laws overlap, organizations that handle medical information about Texas residents generally follow a “most protective law wins” approach. HIPAA and the Texas Medical Records Privacy Act/HB300 are central pieces of Texas medical privacy law, but real-world practice is also shaped by TITEPA, the TDPSA, the Responsible AI Governance Act, SB1188, and the Medical Practice Act. For workforce members, the safest course is to follow organizational policies, complete required training, and ask their privacy or compliance teams when they are unsure.



The post Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas appeared first on The HIPAA Journal.

Kaiser Foundation Health Plan Settles Unwanted Text Message Lawsuit

Posted by Steve Alder

The risk of sending unwanted marketing communications to consumers has been highlighted by a $10.5 million settlement with Kaiser Foundation Health Plan, which is alleged to have continued sending marketing text messages to individuals who opted out of receiving marketing communications.

Legal action was taken against Kaiser Foundation Health Plan, doing business as Kaiser Permanente, by Jonathan Fried, who alleged that the defendant violated federal and Florida state law by continuing to send marketing text messages after he had submitted an opt-out request to stop receiving the communications.

The lawsuit, Jonathan Fried v. Kaiser Foundation Health Plan, Inc., d/b/a Kaiser Permanente, was filed individually and on behalf of similarly situated individuals over the alleged sending of unwanted text messages marketing Kaiser Permanente’s products and services. According to the lawsuit, the defendant sent or failed to stop further messages from being sent after consumers replied with the word STOP or performed a similar opt-out instruction. According to the lawsuit, the failure to honor the opt-out requests violated the federal Telephone Consumer Protection Act (TCPA) and the Florida Telephone Solicitation Act (FTSA). The violations are alleged to have occurred between January 21, 2021, and August 20, 2025.

Kaiser maintains there was no wrongdoing and denies and continues to deny the allegations in the lawsuit; however, a settlement was agreed to bring the litigation to an end to avoid the cost of a trial and related appeals, and the risks and uncertainties for both sides from continuing with the litigation. Kaiser has agreed to pay up to $10,500,000 to settle the litigation. The settlement fund will cover attorneys’ fees and expenses, a service award for the class representative, settlement administration costs, and cash payments for the class members.

There are two settlement classes, one applying to all individuals in the United States who were sent more than one text message regarding the defendant’s goods or services in any 12-month period between January 21, 2021, and August 20, 2025, after replying to a message with STOP or performing a similar opt-out instruction. The Florida FTSA class includes all persons who resided in Florida and received more than one text message between the same dates about the defendant’s goods or services at least 15 days after opting not to receive the communications.

Class members who submit a valid claim will receive a payment of up to $75 per qualifying text message they received. If the number of claims exceeds the funds in the settlement, then claims will be paid pro rata. Should any funds remain in the settlement fund after all claims have been paid, then they will be refunded to Kaiser.

The settlement has received preliminary approval from the court, and claims must be submitted by February 12, 2026. The deadline for opting out and exclusion from the settlement is December 29, 2025. The final approval hearing has been scheduled for January 28, 2026.

The post Kaiser Foundation Health Plan Settles Unwanted Text Message Lawsuit appeared first on The HIPAA Journal.