Healthcare Third-Party Vendors – HIPAA Security Rule Applies To YOU Too!


Did You Know?

The HIPAA Security Rule requires Covered Entities (CEs) and Business Associates (BAs) to “implement a security awareness and training program for ALL members of its workforce (including management)” 45 C.F.R. § 164.308(a)(5)(i).

Note the emphasis on ALL members of the workforce: every workforce member can be a guardian of the entity’s Protected Health Information (PHI) or can, knowingly or unknowingly, be the cause of a HIPAA violation or data breach.

To implement this standard, the Security Rule lists “security reminders” as an addressable implementation specification, described as periodic security updates to the workforce. 45 C.F.R. § 164.308(a)(5)(ii)(A). “Addressable” does not mean optional: the CE or BA must implement the specification if it is reasonable and appropriate for its environment, or document why it is not and implement an equivalent alternative measure. 45 C.F.R. § 164.306(d)(3).



An organization’s training program should be an ongoing, evolving process, flexible enough to educate workforce members on new cybersecurity threats as they emerge and on how to recognize and respond to them.



As such, CEs and BAs should consider:

• How often to train ALL their workforce members on security issues, given the risks and threats identified in the organization’s risk analysis, and how often to send security updates to workforce members. Many entities have concluded, based on their risk analyses, that twice-yearly training and monthly security updates are necessary.

• Using security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members, such as new social engineering ploys (e.g., fake tech support requests and new phishing scams) and malicious software attacks, including new ransomware variants.

• What type of training to provide to workforce members on security issues, given the risks and threats to their organization. Computer-based training, classroom training, monthly newsletters, posters, email alerts, and team discussions are all tools that different organizations use to fulfill their training requirements.

• How to document that training was provided to workforce members, including dates and types of training, the training materials used, and evidence of workforce participation (e.g., attendance records or completion reports). Any investigator or auditor will ask for this documentation, which the HIPAA Rules require entities to maintain and, for Security Rule documentation, to retain for six years from the date of its creation or the date it was last in effect, whichever is later. See 45 C.F.R. §§ 164.316(b) and 164.530(j).

Covered Entities and Business Associates: your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure!

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why leave yourself wide open to such risks?



Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat – schedule a call with HIPAA alli today!