HIPAA TIP: The Dos and Don’ts of HIPAA Training

The HIPAA Privacy Rule and the HIPAA Security Rule require training for Covered Entities, Business Associates, Business Associate Subcontractors, and their workforce members. The specific regulations can be found in 45 CFR § 164.530(b)(1) and 45 CFR § 164.308(a)(5). Any healthcare personnel who handle Protected Health Information (PHI) must be trained.

• DO conduct HIPAA and security awareness training upon hire. Document all training.

• DON’T consider HIPAA training to be a “once and done” situation. Regular HIPAA training needs to be conducted – whether this is bi-annually, quarterly or during monthly staff meetings.

• DO include security reminders, patients’ rights, minimum necessary rules, and disclosures of PHI. HIPAA training needs to go further than the basics of what HIPAA stands for.

• DON’T ever assume just because someone has been in the healthcare industry for many years that they know everything they need to know about HIPAA and security awareness.

• DO explain why HIPAA matters. All individuals want to know that their privacy as a patient is important. We all want this security with our PHI.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.
Dawn Meglino

HIPAA Compliance Specialist, CHPSE, CCSA, CCAP