When the Health Insurance Portability and Accountability Act (HIPAA) was first enacted, it was designed to establish strict standards for how “covered entities” store, access, transmit and distribute the sensitive health information they collect about the clients/patients they work with.

Sensitive health information is now referred to as protected health information (PHI).  How PHI is handled, stored, and distributed is among the most important processes a practice can have in place. Whether a practitioner practices independently or has ten, twenty or even fifty or more employees and/or contractors, the process implemented to handle PHI can only work if staff are given the required education.  If you and your staff do not know the basics of HIPAA, a simple mistake can quickly become a costly one.

Most practitioners are aware that HIPAA does require some sort of training, but are often hazy on the specifics beyond that.  At a recent business event, while speaking with a group of both attorneys and mental health practitioners, most knew the basics of HIPAA. When I asked the group if they knew how often HIPAA training is required under HIPAA, the consensus was yearly. The group was taken aback when I educated them that in actuality HIPAA requires “periodic training.” I quickly reassured them that it was a trick question, in some ways.  Though the actual text of HIPAA does say periodic (45 CFR § 164.308 and 45 CFR § 164.530), it is largely construed to mean that yearly training is sufficient.  Note that the Privacy Rule (45 CFR § 164.530(b)) also requires training for new workforce members within a reasonable period after they join, and for affected staff after a material change in the practice’s privacy policies or procedures, so yearly training alone does not cover a new hire who starts the month after the annual session.

Yearly training allows practitioners to remain educated on the requirements of HIPAA and to keep a basic understanding of what the law requires in how you store, access, transmit and distribute sensitive client/patient health information.  This not only protects your clients/patients but also protects you, your practice, and your practitioners.

While HIPAA does stipulate that training must be done, it does not define a strict timeline or specific parameters for what must be included in the training.  And while HIPAA doesn’t dictate how long a training should be, it doesn’t need to be hours long either. This can be confusing to practitioners who are trying to make sure they comply with the law and create or find a training.  One requirement that is explicit, however, is documentation: a covered entity must document that training was provided and retain that record (45 CFR § 164.530(b)(2)(ii) and (j)), so keep a dated attendance record for every session.  Beyond that, there are some basics that any training should include:

  • An explanation of what PHI is and how to identify it;
  • When and how to disclose PHI properly and appropriately;
  • HIPAA rules for confidentiality and controlling and securing access to PHI;
  • Patient/Client rights;
  • Why HIPAA rules and compliance matter;
  • Consequences and issues that may arise if HIPAA requirements are not followed.

While there are a variety of online HIPAA trainings for practitioners, the following must be considered before relying on one.

First, most states, Maryland included, also have their own “version” of HIPAA (in Maryland it is the Maryland Confidentiality of Medical Records Act or “MCMRA”).  Many states’ related laws are stricter than HIPAA on certain topics, and it is important for practitioners to know that where state law is more protective of the patient than HIPAA, the state law controls rather than being preempted.  Maryland is one such state.  Thus, while an online course may cover federal HIPAA law, it may not take into account important state laws that apply to your practice.

Secondly, the source and quality of online trainings are often unknown. It is often easier for a practitioner to organize an in-office training for staff, where questions can be asked, the topics can be tailored to the type of practice and its needs, and any pertinent state laws can be included.

In closing, effective HIPAA compliance for any practitioner and their practice should always include yearly training of some sort.  It ensures that best practices are known and that all staff are schooled in the applicable state and federal laws, with the goal of preventing liability and hopefully saving money down the road.

Does your practice need a better way to educate staff about HIPAA? Starting in October, Mayer Law’s new HIPAA training for practices can help. We will be providing a course for practitioners and their staff allowing them to satisfy their HIPAA training requirements!

For more information on or for other legal considerations regarding your health-care or mental health practice, or to set up a free consultation, contact Mayer Law, LLC today at (443) 595-M-Law or by email at contact_us@danielmayerlaw.com.


This article is legal information and is not provided as a source of legal advice. It is made available by Mayer Law, LLC for educational purposes only, to give you general information and a general understanding of the law, not to provide specific legal advice. By reading this blog, you understand that no attorney-client relationship is established between you and Mayer Law, LLC. This blog should not be used as a substitute for competent legal advice, and you should consult with an attorney before you rely on this information.