5 Reasons for Healthcare Organizations to Take HIPAA Training Seriously

The healthcare sector in the United States has faced mounting pressure from cybercriminals, particularly since the start of the COVID-19 pandemic in 2020. This means that greater resources should be committed to ensuring that staff receive the right level of training on their obligations under the Health Insurance Portability and Accountability Act (HIPAA).

If your organization does not currently run a robust HIPAA training process for new and existing members of your team, you are increasing the risk both of an attacker gaining a foothold in your systems through a staff member and of a substantial HIPAA financial penalty being imposed on your organization. If that is not enough to convince you to take HIPAA training seriously, we have compiled five more reasons to consider.

1. 2020 was the Worst Year on Record for Data Privacy Breaches

Sadly, this continues the trend recorded over the last few years. In 2020, 616 data breaches affecting 500 or more records were reported to the HHS Office for Civil Rights (OCR). These breaches impacted 28,756,445 individuals.

This increase is clearly depicted in the chart below, and the steep rise over the last two years is very noticeable. Attackers doubled down on their efforts during 2020 as much of the world's office workforce moved to remote work following the start of the COVID-19 pandemic. The sudden shift exposed weaknesses in the security posture of many organizations, a large number of which have still not been addressed. Simple measures such as delivering HIPAA training sessions online can go a long way towards reducing the chance that your staff fall for the phishing and social-engineering tactics that most of these attacks begin with; training is one layer of defense, and it works best alongside technical controls such as multi-factor authentication and patching.

2. Small-to-Medium Sized Practices are Popular Targets for Cybercriminals

2020 also saw a sharp increase in the number of attacks targeting small-to-medium sized healthcare organizations. Ransomware response firm Coveware reported that during the third quarter of the year more than two thirds of attacks focused on organizations with fewer than 1,000 employees, and that 65.9% of ransomware attacks launched during Q4 targeted small (30.2%) and medium (35.7%) sized companies. See the graph below for more detail.

Q4, 2020 Ransomware Attacks. Source: Coveware

The ransomware operations targeting small-to-medium sized organizations include Dharma, Snatch, and Netwalker. The attraction of smaller organizations is that they tend not to have strong cybersecurity defenses in place, despite holding large amounts of sensitive data. Because of this, the potential for ransomware gangs to make a quick and easy profit is much higher.

3. HIPAA Compliance Efforts are Taken into Account Following HIPAA Breaches

When a HIPAA breach does occur, the subsequent investigation conducted by HHS OCR will take every aspect of the breach into account, including all efforts made to prevent a violation from occurring. Breaches caused by staff members are much less likely to result in a large financial penalty if it can be shown that employees were given appropriate HIPAA training during onboarding and regular refresher training afterwards. Training is not optional: the Privacy Rule (45 CFR 164.530(b)) requires workforce training on your policies and procedures, and the Security Rule (45 CFR 164.308(a)(5)) requires a security awareness and training program. Keep dated records of who was trained, on what, and when; HIPAA requires that such documentation be retained for six years, and it is the first thing an investigator will ask for.
This is true no matter how big or small your organization may be. During a HIPAA audit, the absence of an adequate training program will be viewed just as seriously as the absence of appropriate technical safeguards or the sharing of passwords between employees. Providing training is one of the easiest and most straightforward ways to reduce the likelihood of a HIPAA breach. Little or no technical knowledge is required, and by using an external vendor you can deliver the training directly to your staff wherever they are based.

4. Undoing Brand Damage Caused by a HIPAA Breach is Difficult

In the unfortunate event of a breach, the public reputation of the organization affected may suffer greatly. Online coverage of the breach will be one of the first things seen when anyone searches for the company, and it can take years of subsequent positive news and website content to displace it. Negative comments on review portals, social media and video platforms are even harder to address. For these reasons, it is in your organization's best interest to do everything possible to prevent a HIPAA breach from occurring.
Ensuring that your staff are well trained is a crucial part of this; running ongoing HIPAA refresher courses is another. This matters because the investigation into a breach will show that you did everything reasonably possible to prevent it, which can then be publicized to turn a potential bad news story into a demonstration of diligence and a selling point for your services.

5. Data Privacy Legislation Requirements Around the World are Increasing

Data privacy legislation is only going in one direction. A 2020 Gartner report forecast that by 2023 roughly 65% of the world's population would have their personal data covered by modern privacy regulations. This creates a challenge that extends well beyond the US healthcare sector.
By ensuring that your organization is HIPAA compliant you will already have taken a large step towards meeting pending state-level privacy and security legislation, and towards many other data privacy laws around the globe, although HIPAA compliance does not by itself satisfy regimes such as the GDPR, which impose additional requirements on consent, data subject rights and cross-border transfers. This is particularly important if you consult with medical experts in another jurisdiction, or share personal data with a patient who lives abroad or is travelling. This problem will not be addressed without taking proactive steps.


If your organization is to stay safe from HIPAA breaches, and the substantial penalties that follow them, it is vital to implement an appropriate regime of HIPAA training for new and existing staff. If you would like to preview the HIPAA training offered by ComplianceJunction, please complete the form below.