
Survey Reveals Potential Issue In How HIPAA Knowledge is Tested

One of the key takeaways from the 2024/25 HIPAA Journal Annual Survey was that, although the majority of respondents provide annual HIPAA refresher training and regular security awareness training – and test workforce members during or after training – the way(s) in which workforce HIPAA knowledge is tested may be inadequate to prevent avoidable data breaches.

The 2024/25 HIPAA Journal Annual Survey revealed an interesting mix of compliance best practices and compliance challenges. One of the least surprising statistics – considering that participants in the survey subscribe to the HIPAA Journal newsletter and are more likely to be “HIPAA aware” – is that 94.3% of participating organizations provide annual HIPAA refresher training to members of the workforce.

However, only 79.3% of participating organizations said they test workforce members on HIPAA knowledge and awareness, and only 58.7% of participating organizations said the tests were certified. These statistics imply that some organizations are “going through the motions” of complying with the HIPAA training requirements and not ensuring that the training is absorbed by workforce members or applied in day-to-day activities.

Security Awareness is Less Frequently Tested

More surprising was the low percentage of organizations that test workforce knowledge following cybersecurity and phishing awareness training by conducting phishing simulations. 95.6% of respondents said their organizations provide cybersecurity and phishing awareness training (some more frequently than others), but only 70.1% of respondents said their organizations conduct phishing simulations.

The lack of testing is surprising because more than half of all the data breaches published in the Archive section of HHS’ Breach Portal for 2024 have a phishing element. The failure of some organizations to test workforce susceptibility to phishing emails implies that too much trust is being placed on technical safeguards to ensure the security of PHI, and too little consideration is being given to the “human element” in data breaches.

More Testing Does Not Guarantee Fewer Breaches

A contradiction in the training/testing analysis is that organizations that test workforce security awareness and conduct phishing simulations appear no less likely to experience a notifiable data breach or ransomware attack than organizations that do not test. 76.9% of respondents who reported a notifiable data breach in 2024 test workforce knowledge of HIPAA awareness, and 69.2% conduct phishing simulations.

There are two factors that can help explain this apparent contradiction. The first is that 86% of the organizations that train/test and that experienced a notifiable data breach have more than 500 workforce members, and therefore a larger attack surface than the remainder. The second is that it is not possible to tell from the raw data how workforce HIPAA knowledge is tested, and some testing methods are more effective than others.

Best Practices for HIPAA Training and Testing

The best practice for HIPAA training is to adopt a three-tiered approach to training. The first tier should consist of general HIPAA awareness training, the second tier should consist of policy and procedure training relevant to workforce members’ roles (as required by §164.530(b) of the HIPAA Privacy Rule), and the third tier should consist of a security awareness and training program developed in accordance with the HIPAA Security Rule’s General Requirements (§164.306(a)).

[Figure omitted. Source: Verizon Data Breach Investigations Report 2024]

All three tiers should focus on the objectives of HIPAA compliance (i.e., ensuring the privacy and security of PHI) and the real consequences of HIPAA violations (i.e., medical identity theft, operational disruptions, treatment delays, etc.). As there has been a significant increase in data breaches attributable to privilege misuse in recent years, it is also advisable to include the potential personal consequences of HIPAA violations in all three tiers of HIPAA training.

Organizations with concerns they may be “going through the motions”, who feel they are too heavily reliant on technical safeguards to ensure the security of PHI, or who have experienced a data breach despite testing workforce HIPAA knowledge, are advised to speak with an independent HIPAA compliance professional in order to identify potential issues and the best ways to resolve them.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
