Updated 2025: Looking for a Business Associate Agreement? Download our FREE template

TotalHIPAA Logo

Question: Why do I have to train all my IT Staff on HIPAA?

Summary:

I hope everyone had a happy and healthy 4th of July! Last week, I received this question from one of our clients. Let’s get to it… Question: Still not convinced that it is absolutely necessary for my group to be HIPPA certified. We still have no access to social security information or date of birth. […]

I hope everyone had a happy and healthy 4th of July! Last week, I received this question from one of our clients. Let’s get to it…

Question:
Still not convinced that it is absolutely necessary for my group to be HIPPA certified. We still have no access to social security information or date of birth. I would be open to getting a couple of folks certified that might need to work on computers of HR folks, but I cannot see putting everyone in the group through this when this information should not be resident on any other computers except for HR professionals.

I would also like to see what documentation is driving this requirement. I am not trying to be difficult, but this will be a major undertaking to get everyone certified and to maintain that certification. If we have turnover, I do not want to go down this path, unless it is absolutely a government requirement.

Total HIPAA Response:
I realize this is a difficult position for you to be in, but the reality is that everyone on the IT staff needs to be trained. IT people see everything. I’ve worked in large and small corporations, and if you have an issue, you call the IT department or consultant. They either take over your computer remotely, or send someone up to work on your system. IT staff has access to everyone’s system, and can inadvertently come in contact with PHI at any moment. With the new penalties that have gone into affect with HIPPA, the ramifications if there is an issue are severe!

HIPAA requires that anyone who comes in contact with Protected Health Information is required to be trained. You can find the training requirement here- 45 CFR §164.530(b), (e) and here is the URL for the federal register- http://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/xml/CFR-2011-title45-vol1-sec164-530.xml

PHI is defined by two things:
1. Personal identifier- Address, Social Security Numbers, Name, IP address, Email address, etc.

-AND-

2. Combined with any Health Information.

In the last few years, Business Associates have been responsible for some of the most serious HIPAA violations. The reason I bring this up is having proper policies and procedures and training could have averted many of these problems for those BAs. All you need is one untrained person to make a mistake and you could have a serious problem on your hands.

In short, HIPAA Training is required by Federal Law, and you have to follow the law.

By Jason Karn

Sharing is caring!

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

Related Posts

Is Gmail HIPAA Compliant Email? – Well, It Can Be!

Is Gmail HIPAA Compliant Email? – Well, It Can Be!

To use Google Workspace with Protected Health Information (PHI), you must enter into a Business Associate Agreement (BAA) with Google. However, a signed BAA is only the first step. To satisfy the Office for Civil Rights (OCR) modernized Security Rule standards, Covered Entities must properly configure their email settings, utilize end-to-end encryption, and account for new tech, like integrated AI. This guide covers how to secure your Gmail account and the critical configuration steps required to maintain compliance.

Does HIPAA Apply After Death? Limitations of HIPAA Rules

Does HIPAA Apply After Death? Limitations of HIPAA Rules

Yes, HIPAA protections continue long after a patient has passed away. Under the HIPAA Privacy Rule, Protected Health Information (PHI) remains safeguarded for 50 years following the date of death. During this time, the same privacy standards apply, though specific exceptions allow for disclosures to executors, funeral directors, and family members involved in the patient’s prior care.

HIPAA Compliance: A Constant Pulse, Not an Annual Event

HIPAA Compliance: A Constant Pulse, Not an Annual Event

Even though people talk about an “annual HIPAA audit,” compliance isn’t just a once-a-year task. To stay compliant, organizations can’t just “set it and forget it”; they need to constantly manage risks. Staying on top of things is the only way to be ready for an audit at any time.

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)