Archive for HIPAA Staff Training

Editor’s note: This is the fifth in a series of tips to help keep your staff HIPAA compliant.

The smartest route to compliance is for staff to know where to get the information they need, says Brandon Ho, CIPP, HIPAA compliance specialist for the Pacific Regional Medical Command based at Tripler Medical Center in Honolulu. Ho makes sure staff members know he is available to answer their questions about everything, from possible breaches to best practices to prevent HIPAA violations.

As compliance officer, Ho provides in-service training, classroom sessions, and continuing education. He says simple methods, such as sending weekly HIPAA tips via e-mail or walking through work areas to look for problems, can also increase the effectiveness of training.


Tips to get your team HIPAA-ready


Editor’s note: This is the first in a series of tips on training your staff to be HIPAA compliant.

Develop policies that address training requirements. Organizations must develop policies and procedures that address security awareness training as required by the HIPAA Security Rule. In its 2009 audits, CMS recommended covered entities develop and formally document policies for the development, administration, and monitoring of initial and annual refresher training courses. CMS stated that these policies should do the following:

  • Require that all newly hired employees complete initial training prior to having access to ePHI. The requirement should apply to employees and temporary workers, as well as contractors and vendors.
  • Require any individual with access to ePHI to complete refresher training at least annually.
  • Require that management review and revise both the initial and refresher training courses at least annually to ensure that the courses are current.
  • Incorporate into training potential threats that the organization identifies as new risks through its assessment process.

OCR issued a series of guidance documents Friday that it says “will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.”

These particular documents have to do with risk analysis.

OCR says it will update the guidance annually.


New hire requirements


What is the timeline for a new hire to receive her OSHA and HIPAA training for a medical practice?

Should it be completed on the first date of hire?

Shelley Macaluso


HIPAA Q&A: Remote HIPAA training


Q. Is HIPAA training via WebEx or a similar Internet format adequate for workforce members who work remotely, such as sales and account representatives? What type of documentation is necessary for training completed entirely in this manner? How should we document that a workforce member attended a training session? Is in-person HIPAA training preferable? If so, why?

A. Remote HIPAA training using Internet-based, computer-based, or Internet meeting services (e.g., WebEx or GoToMeeting) is an acceptable form of workforce training. Reasonably ensure that any Internet-based learning tools include an audit log to document the beginning and end of training sessions and whether a workforce member completed the training.

Internet-based meeting services will generally provide a log that documents when a participant logs into and out of the training session. Each can be used to document that the workforce member attended and completed the training.

Requiring workforce members to complete a test related to the material covered during training is advisable. Some online HIPAA training tools include this feature. Develop a test and require completion by participants who undergo training via the Internet to document knowledge retention and attendance.

In-person training works well for centrally located workforce members, but it is not necessarily the preferred form of training. It does offer workforce members an opportunity to interact with the instructor and ask questions pertaining to their job. However, neither the HIPAA privacy nor security rule indicates a preferred training method.

Important considerations include:

  • Did the workforce member attend a training session?
  • Did the workforce member understand the information presented?
  • Does the covered entity or business associate repeat training sessions for all workforce members at least once annually, using the method(s) it deems most effective?

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
