HIPAA Security Rule Training for Business Associates

HIPAA Business Associates that create, receive, maintain, or transmit electronic Protected Health Information on behalf of HIPAA-covered entities are directly subject to the HIPAA Security Rule and must provide security awareness training to their entire workforce, not only to staff who work on healthcare-specific accounts or handle patient data as part of their primary function. The HIPAA Security Rule at 45 CFR 164.308(a)(5) requires covered entities and business associates to “implement a security awareness and training program for all members of its workforce (including management).” The direct applicability of the HIPAA Security Rule to business associates was established by the HITECH Act and confirmed in the 2013 Omnibus Rule, which means the training obligation runs to the business associate as an independently regulated entity rather than solely as a contractual requirement imposed through a HIPAA Business Associate Agreement. A business associate that relies on its covered entity client’s training program to satisfy its own workforce training requirement has misread the regulation.

The Training Scope Goes Beyond Healthcare-Facing Roles

Many business associates operate with workforces that include personnel who are not assigned to healthcare client accounts, do not access patient records, and may not consider themselves to be working in a healthcare context. The HIPAA Security Rule’s training requirement applies to those employees when their roles place them within the organization’s IT security environment. A software developer working on a platform that processes electronic Protected Health Information, an HR coordinator whose email account sits on the same network as systems containing patient data, a legal team member who reviews Business Associate Agreements, and an operations manager who approves the technology stack all fall within the training obligation’s scope. This broader reach distinguishes the Security Rule from the HIPAA Privacy Rule, which directs its training requirement at workforce members whose job functions involve Protected Health Information. The HIPAA Security Rule covers any workforce member whose conduct can affect the security of electronic Protected Health Information through system access, credential use, device handling, or network activity, regardless of whether they handle patient data directly.

Why Business Associate Environments Present Distinct Security Risks

Business associate workforces interact with electronic Protected Health Information in operational contexts that differ from the clinical and administrative settings most HIPAA training content addresses. A billing company processes claims data across hundreds of covered entity clients. A cloud service provider stores electronic Protected Health Information for multiple healthcare organizations on shared infrastructure. A health IT vendor’s support staff access production systems containing patient records to resolve technical issues. In each context, a single compromised credential, a successful phishing attack, or an employee’s unauthorized use of a personal device can expose electronic Protected Health Information belonging to multiple covered entity clients simultaneously. Security awareness training for business associate workforces must reflect those operational realities and address the specific threat patterns that target vendor and service provider environments, including supply chain phishing, business email compromise exploiting covered entity relationships, and credential attacks targeting third-party administrative access.

Building a Training Program Around the Annual Cycle

Annual HIPAA Security Rule training is industry best practice for business associates because the threat environment, the regulatory framework, and the organization’s own service scope all evolve throughout the year. A business associate that expands its services to include a new category of electronic Protected Health Information processing, adopts a new platform used to access covered entity systems, or onboards a new covered entity client may face security risks its current workforce training did not address. Annual training gives the organization a structured opportunity to update content, address changes to internal security policies, reinforce reporting obligations, and produce a new completion record for each workforce member. That annual record supports the six-year documentation retention requirement under 45 CFR 164.316(b) and demonstrates to covered entity clients, OCR auditors, and internal compliance reviewers that the organization maintains a functioning and current security awareness program rather than a one-time onboarding exercise.

Online Security Training Designed for Business Associate Staff

The HIPAA Journal’s Cybersecurity Training for Business Associate Employees is built for organizations that handle electronic Protected Health Information on behalf of covered entities and need a structured online course that reflects the Security Rule obligations, threat patterns, and operational contexts specific to business associate environments. The course covers the regulatory framework governing business associates, electronic Protected Health Information safeguards, healthcare cyber threats including phishing and ransomware, password and credential security, device and media controls, email and messaging risks, incident recognition, and the reporting obligations that run from the business associate to the covered entity. It supports onboarding training before system access is granted, annual refresher delivery across the full workforce, and targeted retraining when policy changes or security events require it, and produces completion records that satisfy the individual-level documentation requirements of the Security Rule’s training mandate.

The post HIPAA Security Rule Training for Business Associates appeared first on The HIPAA Journal.

Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit

Bradford Health Services, LLC, and Bradford Health Partners, LLC, were sued over a December 2023 cybersecurity incident that exposed the personal and protected health information of current and former patients. The lawsuit states 32,425 individuals were affected by the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 28,543 individuals.

The unauthorized access was detected on December 8, 2023. The file review determined that the compromised data included names, dates of birth, driver’s license numbers, medical information (including diagnosis and treatment information), health insurance information, financial account numbers, passport numbers, payment card numbers (together with a means of access to the account), and/or Social Security numbers. The data review was not completed until May 2025, and notification letters started to be mailed later that month, 18 months after the breach was first identified. The Hunters International threat group claimed responsibility for the attack and stated that more than 760 GB of data were exfiltrated from the defendants’ systems.

Multiple class action lawsuits were filed in response to the cyberattack and data breach, which were consolidated – In Re Bradford Health Services, LLC Data Breach Litigation – in the Circuit Court of Jefferson County, Alabama, Birmingham Division, where the lawsuit is still pending. The plaintiffs allege that the data breach was due to the negligence of the defendants, who are alleged to have failed to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence/wantonness, negligence per se, breach of express or implied contract, and unjust enrichment.

Shortly after the consolidated class action lawsuit was filed, the parties began exploring the possibility of an early resolution to limit costs and avoid the uncertainty of a trial and related appeals. Following mediation in October 2025, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and has received preliminary approval from the court.

The defendants have agreed to pay attorneys’ fees, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. All class members are entitled to enroll in three years of medical data monitoring services and may also submit a claim for reimbursement of documented losses up to $5,000 per class member, or an alternative cash payment, which is estimated to be $150 but may be higher or lower depending on the number of claims received.

The deadline for objection and exclusion is August 3, 2026, and claims must be submitted by August 17, 2026. The final fairness hearing has been scheduled for September 1, 2026.


Healthcare Report Highlights Growing Vendor Risk and Lack of Cyberattack Readiness

Cybersecurity risk is growing, and healthcare organizations are struggling to defend a rapidly increasing attack surface. AI tools are being implemented without the secure infrastructure to support them. Most healthcare practices have meaningful gaps in cyberattack recovery readiness, face ongoing and regular third-party vendor disruptions, and there is growing concern that a cyberattack will result in a patient fatality. The current state of cybersecurity in healthcare is far from rosy.

These were some of the findings from the 2026 Healthcare IT Landscape Report from Omega Systems, a leading provider of managed IT and security services to the healthcare and financial services industries. The report is based on a survey of 200 healthcare business leaders in the United States, including CEOs, CISOs, CIOs, CFOs, and COOs, at healthcare organizations with between 50 and 600 employees. The healthcare organizations represented in the report include medical practices, clinics, ambulatory care centers, specialty services, and long-term care facilities.

In 2025, when the study was last conducted, 52% of healthcare organizations said it is inevitable that a cyberattack on a healthcare facility will result in a patient fatality in the next five years. In just 12 months that figure has risen to 61%, a relative increase of 17%. The increase is unsurprising given the lack of cyberattack recovery readiness. In the event of a cyberattack that prevents access to the electronic medical record (EMR) system, 47% said loss of access to patient records would create an immediate patient safety issue and malpractice liabilities, 53% said billing, claims, and scheduling would instantly stop, freezing cash flow at the moment when clinical operations are most compromised, and 25% said they would be unable to maintain baseline care standards, resulting in temporary or even permanent closure.

Omega Systems said 82% of providers acknowledged meaningful gaps in their recovery readiness. Almost one-third (31%) of respondents lack the ability to contain and resolve data breaches quickly; almost one-quarter (24%) do not regularly train teams on incident response; one-fifth (21%) have no independent EMR recovery path or access to a 24/7 SOC team; and 13% have no documented recovery plan at all. AI adoption is almost universal, with 93% of healthcare practices having already adopted AI tools, yet most lack the secure infrastructure to support those tools safely.

The risk of cyberattacks has never been greater. According to OCR data, 2025 saw more large data breaches reported than any year since records of data breaches have been published, fueled in part by an increase in cyberattacks on vendors, which usually impact multiple healthcare clients and cause considerable disruption.

Omega Systems found that 85% of healthcare practices experienced at least one operational disruption in the past 12 months due to a third-party vendor or vendor of a vendor, and 24% experienced a third-party or vendor breach that directly affected their data or operations.

While vendor incidents are increasing, a concerningly high percentage of respondents – 70% – said they were confident or very confident in their vendors’ cybersecurity posture. Vendors have been engaged and are trusted, and are no longer being questioned about their cybersecurity posture.

OCR is due to issue a final rule implementing proposed changes to the HIPAA Security Rule. One of the proposed requirements is annual verification of the cybersecurity measures of business associates, which will force practices to continually verify vendor cybersecurity. According to Omega Systems, 63% of practices are currently not continuously monitoring their networks and digital supply chains, while 70% say they are confident in the vendors connected to them. “A practice can’t be confident in what they aren’t watching,” warns Omega Systems. “Trust is a natural byproduct of long-term vendor relationships. And that’s precisely what attackers count on. They target vendors because their healthcare clients trust them – and rarely verify the controls behind that trust.”

Omega Systems identified a single root cause of the cybersecurity problem in healthcare: cybersecurity is a patient safety issue, yet healthcare organizations are still treating it as a technical expense. “Sixty-two percent (62%) of healthcare leaders still treat cybersecurity as a technical expense rather than a clinical or fiduciary risk,” explained Omega Systems in the report. “That posture determines what gets funded, what gets deferred, and what gets ignored. It is why the gaps documented in this report persist despite years of escalating threat data.”

OCR investigates all reported data breaches affecting 500 or more individuals, and data breaches are being reported in record numbers. OCR currently has an enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule, which has been expanded to also cover risk management. The survey revealed that six in ten leaders have self-attested to HIPAA compliance even though they know their risk analyses identified unresolved vulnerabilities. According to the report, 23% of practices have already filed a breach report with OCR.

“For many, that filing was not the result of negligence. It was the result of a gap that grew faster than their resources could close it,” explained Omega Systems. “Small practice leaders are not ignoring compliance. They are managing it with teams that are stretched thin, budgets that do not go far enough, and requirements that keep changing. The breach notification is often the moment they find out how serious that gap had become.”

When the HIPAA Security Rule update is released, practices will have a lot of ground to cover in a short space of time. Only 24% of practices report that they are fully prepared for the proposed changes; many lack the required in-house staff and have cybersecurity and compliance programs that have been built for a simpler threat landscape.

More than one-third (35%) say their cybersecurity/IT team is understaffed, one-third (33%) underestimate the severity and frequency of cyberattacks, one-quarter (26%) say their cybersecurity/IT team is underfunded, 23% say it relies on antiquated cybersecurity technology, and one-fifth (21%) deliberately downplay cyberattack risk to avoid reputational damage.

With the HIPAA Security Rule final rule expected this year (the proposed release date was May 2026), healthcare cybersecurity and compliance programs will have to be overhauled. Omega Systems explains that the leaders will not be the healthcare organizations with the most advanced technology. They will be the ones that have made a governance-level commitment to treating security, compliance, vendor risk, and AI not as separate problems requiring separate solutions, but as one problem, with a partner accountable for the whole picture.
