Beginner · front desk · practice manager · provider · vendor

What HIPAA training does our staff actually need?

Everyone who touches patient information needs training, but the law leaves room for how you deliver it.

TL;DR

Train everyone who accesses PHI when they start, and again when policies or systems change. Document attendance. You choose the format: videos, live sessions, or hybrid, as long as it fits your real policies.

Updated 2026-04-21

HIPAA expects a trained workforce. That includes front desk, billing, nurses, providers, and often remote staff who log into your systems.

When to train

  • Onboarding. Before new hires access live patient data.
  • After changes. New EHR modules, telehealth workflows, or policy updates.
  • Refreshers. Many practices use annual training plus micro-updates when risks spike (for example, after a phishing scare).

What should training cover?

Focus on your actual workflows:

  • Minimum necessary and role-based access.
  • Verbal privacy and clean desk habits.
  • Phishing, password hygiene, and device locks.
  • How to report mistakes without fear of retaliation.

Proof matters

Keep sign-in sheets, LMS completions, or email acknowledgments. When regulators or insurers ask, "We told them verbally" is a weak answer without records.

Free vs. paid options

Free resources can work if they are accurate and updated. Paid vendors help when you want tracking, role-specific modules, and policy attestation in one place. Match spend to your size and risk.

Training on medcomply.ai

We are building more guided training paths. Start with this Basics section and the Intelligence library for deeper articles your team can read together.

Not legal advice. Educational overview only; consult qualified counsel for your situation.