HIPAA training is federally mandated education for anyone who handles protected health information (PHI). Covered entities — hospitals, clinics, dental offices, health plans, and healthcare clearinghouses — along with their business associates must train every workforce member on the policies and procedures that govern PHI. This is not optional guidance. It is a legal obligation under two separate federal regulations, enforced by the HHS Office for Civil Rights through audits, investigations, and civil monetary penalties.
Absent or undocumented workforce training is one of the most frequently cited findings in OCR enforcement actions. In 2026, that scrutiny has only increased.
Why HIPAA Violations Keep Happening — and What They Actually Cost
Most HIPAA violations don't start with a hacker. They start with a staff member who didn't know what they were — or weren't — allowed to do.
Since the Privacy Rule took effect, the HHS Office for Civil Rights has received more than 371,000 HIPAA complaints and opened over 1,100 compliance reviews. More than 31,000 of those investigations resulted in required changes to privacy and security practices. Total civil penalties and settlements have reached nearly $144 million, per the OCR Enforcement Highlights published on hhs.gov. In case after case, OCR found that missing or undocumented training contributed directly to the breach — and used that gap to establish willful neglect, which triggers the highest penalty tier.
The numbers got larger in 2026. Effective January 28, 2026, HHS raised civil monetary penalties under the annual inflation adjustment required by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, as published in Federal Register FR Doc. 2026-01688. The minimum now starts at $145 per violation for unknowing violations. The statutory calendar-year cap reaches $2,190,294 — a ceiling OCR applies in full to willful neglect violations that go uncorrected. Lower-tier violations carry reduced annual caps under OCR's 2019 Notice of Enforcement Discretion. Criminal penalties under 42 U.S.C. § 1320d-6 are separate and tiered: a knowing, unauthorized disclosure carries up to 1 year imprisonment and a $50,000 fine; false pretenses push that to 5 years and $100,000; and offenses committed with intent to sell, transfer, or use PHI for personal gain, commercial advantage, or malicious harm reach $250,000 in fines and 10 years' imprisonment.
The paper trail from real cases tells the same story. In February 2024, OCR announced a $4,750,000 settlement with Montefiore Medical Center after an employee stole and sold patients' PHI over six months — multiple Security Rule violations, and a corrective action plan that made workforce training a required remediation step. In July 2024, Heritage Valley Health System paid $950,000 following a ransomware attack; OCR's corrective action plan required annual workforce training, written certification of completion, and retained training materials.
Every published settlement and civil monetary penalty is listed on the OCR Resolution Agreements page at hhs.gov. These outcomes weren't the result of complex cyberattacks on well-run programs. They came from programs that were incomplete, out of date, or never documented properly.
What HIPAA Rules Actually Require from Covered Entities
Two separate federal regulations create training obligations, and both apply independently.
The Privacy Rule — 45 CFR §164.530(b)(1) requires covered entities to train all workforce members on privacy policies and procedures related to PHI, as necessary and appropriate for each person to carry out their job. "Workforce" is defined broadly: employees, volunteers, trainees, contractors, and anyone whose conduct is under the direct control of the covered entity — paid or unpaid, on-site or remote.
The Security Rule — 45 CFR §164.308(a)(5) requires covered entities and business associates to implement a security awareness and training program for all workforce members, including management. It applies specifically to electronic PHI (ePHI) and covers password management, phishing recognition, device security, and incident reporting.
Both rules require documentation. Under 45 CFR §164.530(j) and §164.316(b)(2)(i), training records must be kept for at least six years from the date of creation or the date last in effect — whichever comes later. Records must show who was trained, when, what was covered, and how completion was verified.
On timing: the regulations require training within "a reasonable period of time" after hire. OCR enforces this strictly, and most compliance professionals treat 30 days as the outer limit. Staff should complete training before getting any access to PHI. Annual refresher training is the standard OCR applies in Corrective Action Plans, even though the statute itself only requires training "as necessary and appropriate" and when policies materially change.
Retraining is required when policies or procedures change materially, when a risk analysis identifies a gap, when an employee is sanctioned for a violation, or when OCR issues a corrective action plan.
What Reading the Policy Alone Cannot Do
Knowing the rules isn't the same as being ready to apply them. A billing coordinator who's read the HIPAA Privacy Rule still may not know what to say when a patient's husband calls asking for her lab results. A front desk employee who knows there's a policy against unauthorized access may not recognize when a coworker is doing exactly that. Our Executive Certificate In HIPAA: Privacy, Security & Breach Response course gives healthcare staff and compliance managers the practical tools to handle real PHI situations — the ones that come up at check-in, in the records room, and in the IT department — not just the ones described in policy language.
Who Needs HIPAA Training — and What It Must Cover

Every person in a covered entity's workforce who has any contact with PHI must receive HIPAA training. The scope is wider than most organizations expect.
Doctors, nurses, and medical assistants are the obvious starting point. But the obligation extends to front desk and scheduling staff who pull up patient records, billing and coding specialists who handle insurance and payment data, IT staff with system-level access to ePHI, medical records technicians, mental health professionals, dental office staff, and third-party vendors processing PHI on the organization's behalf. Business associates train their own workforces independently under their Business Associate Agreements — that responsibility doesn't pass through to the covered entity.
What the training itself must cover:
The Privacy Rule and PHI handling. Staff need to know what counts as protected health information, who is permitted to access it, and what the minimum necessary standard means in practice. A nurse discussing a patient's condition at the nurses' station is subject to the same rules as a written record. The hallway conversation isn't exempt.
The Security Rule and ePHI protection. Anyone with access to electronic health records needs training on device locking, secure messaging, password protocols, and phishing recognition. NIST, working with OCR, publishes NIST SP 800-66r2: Implementing the HIPAA Security Rule — a practical cybersecurity guide that organizations of any size can use to structure this part of their program. A proposed Security Rule update — published as a Notice of Proposed Rulemaking in January 2025, expected to be finalized in 2026 but not final as of this writing — would make multi-factor authentication mandatory by removing the "addressable" safeguard designation. Organizations should build this into training now rather than wait for a final rule.
The Breach Notification Rule. Every staff member needs to know what a HIPAA violation looks like, how to report it, and to whom. OCR's most common complaint category in recent years has been organizations failing to respond to patient access requests on time. That failure starts with staff not knowing the obligation exists.
Role-specific obligations. A billing specialist's daily PHI exposure looks nothing like a nursing assistant's. One generic training module doesn't work for both. Front desk staff need to understand verbal disclosure rules and record request procedures. IT staff need training on access controls and breach detection. Managers need to know what sanctions they're required to apply when a policy violation occurs — not just that violations have consequences.
Scenarios, not just rules. A family member calls the floor and asks for a patient's diagnosis. A coworker asks to borrow login credentials to pull a file quickly. A workstation gets left unlocked at the end of a shift. Staff who've only been through a policy overview often don't know the right move in the moment. Training that doesn't get this specific leaves people guessing.
Where Most HIPAA Training Programs Actually Break Down

Most organizations clear the initial training hurdle. The failure usually comes in the two years after onboarding.
OCR doesn't just ask whether training happened. It asks how comprehensive it was, whether it was role-specific, and whether the program addressed actual risk. Those questions are hard to answer when the record shows a single general module from the hire date and nothing since.
The pattern across enforcement actions is consistent: staff complete onboarding training and aren't retrained until a breach forces the issue. One module gets applied across every role regardless of PHI exposure. Policy changes and system upgrades happen with no corresponding training update. Documentation technically exists, but when an investigator asks for it, no one can produce a clean, complete set of records. OCR has explicitly required annual training, written workforce certification, and retained training materials in published corrective action plans — including those tied to the Heritage Valley ($950,000, 2024) and Montefiore ($4,750,000, 2024) settlements.
OCR confirmed in March 2025 that the third phase of its compliance audit program is underway, covering 50 covered entities and business associates, focused on HIPAA Security Rule provisions most relevant to hacking and ransomware. The scope and structure are published on the OCR HIPAA Audit Program page. In 2026, the OCR Director confirmed the initiative will expand to include risk management alongside risk analysis. When investigators arrive, training documentation is one of the first things requested — and incomplete records carry consequences whether or not the organization thought it was doing things right.
A compliant program doesn't have to be expensive. Free HIPAA training, including free online options, can satisfy the requirement if it is role-appropriate, documented, and refreshed on schedule. Some providers issue a free HIPAA certificate on completion, which serves as valid employer documentation. Format matters far less than content, specificity, and a clean paper trail.
How Long Does HIPAA Certification Last — and What Qualifies as Valid Training
HIPAA doesn't specify a delivery format. No regulation requires classroom sessions, HIPAA training videos, or any particular method. What the law requires is that content fits each person's role, addresses the organization's actual PHI policies, and that completion is documented and retrievable.
HIPAA certification, as most people use the term, means a certificate of completion from a third-party provider. HHS issues and endorses nothing. The certificate documents that training happened at a specific point in time — it doesn't confirm the holder is currently compliant.
The 12-month renewal cycle is the standard consistently applied in HHS Corrective Action Plans. OCR treats lapsed training as a compliance gap when reviewing a breach. Even after a newer certificate replaces an old one, the original must be kept for at least six years under 45 CFR §164.530(j). Annual renewal is the most practical way to keep records audit-ready.
The Training Gap Is Where Enforcement Finds You
OCR's enforcement record is consistent on one point: organizations with documented, role-specific, annually refreshed training programs face significantly lower penalty exposure when incidents happen. Our Executive Certificate In HIPAA: Privacy, Security & Breach Response course takes staff through real workplace situations and the correct responses — built for healthcare professionals who can't step away from operations for a full day.