Your front office handles more PHI than anyone. Are they trained?
Patient intake at 8 AM, insurance verifications by 9, referral faxes before lunch. Your clinical staff, front office, and billing team move protected health information all day: through the EHR, on paper, and over the phone. EZBunny covers the HIPAA scenarios they'll actually run into.
HIPAA is the federal law that protects patient health information. Annual training is the industry standard.
Breaches affecting 500+ individuals are published on the HHS Breach Portal (the "Wall of Shame"), a permanent, public record. Training your team is the most effective way to avoid it.
And it gets stricter. States like California (CMIA) and Texas (HB 300) impose penalties beyond federal HIPAA. Your team needs to meet the highest standard.
25+ courses your primary care team actually needs
Beyond HIPAA, your team needs OSHA safety training, fraud prevention, cybersecurity awareness, and state-specific compliance. EZBunny covers it all in one subscription.
Real risks that primary care offices face
$750,000 for faxing lab results to the wrong number
Staff at a primary care practice faxed patient lab results, including HIV tests, to the wrong number. It happened repeatedly over four months before anyone caught it.
Everyone finishes, even the busy ones
Audio-narrated lessons with knowledge checks. Physicians, MAs, and front office staff can finish in one sitting between patients. No blocked-out training day required.
Referrals and prescriptions leaving your office
E-prescriptions to pharmacies, faxed referrals to specialists, pre-auth requests to insurers. PHI leaves your four walls dozens of times a day.
One dashboard for your whole staff
See which team members finished training, who's overdue, and when certificates expire. Export a compliance report for credentialing in two clicks.
Patient intake: every method collects PHI
Paper clipboards in the waiting room. Tablets with auto-fill. Intake forms emailed ahead. Each path collects medical history, SSNs, and insurance details.
Reminders go out on their own
New MA starts Monday? They get an invite. A nurse's certificate expires next month? They get a nudge. You don't have to track any of it.
No compliance officer on staff
You're running a practice, not a compliance department. But HIPAA doesn't have a small-office exception. A 5-person clinic faces the same rules as a hospital system.
Proof that holds up
Every certificate has a unique ID and public verification link. Credentialing bodies, auditors, or payer networks can confirm it in seconds.
One price for physicians, MAs, nurses, and front desk. Everyone.
No per-seat charges. No hidden fees. Cancel anytime.
Beyond HIPAA: All the Training Primary Care Practices Need
HIPAA is just the start. Here's what primary care teams also need.
OSHA Safety (Required)
Clinical staff have occupational exposure to bloodborne pathogens. Required: Bloodborne Pathogens, OSHA General Safety, and Hazard Communication. Infection Control is also required for clinical roles. OSHA enforces these separately from HIPAA.
Fraud, Waste & Abuse (Required by most Medicare/Medicaid plans)
Medicare Advantage and Part D plans, and many Medicaid managed care plans, require contracted providers to complete FWA training, and OIG's compliance program guidance for physician practices treats training as a core element of an effective program. Compliance, Ethics & Fraud training covers the OIG guidelines and helps protect your practice from billing-related audits and penalties.
Mandatory Reporting (Required)
Physicians, NPs, and PAs are mandatory reporters in all 50 states. Your clinical team must know how to identify and report suspected child abuse, elder abuse, and domestic violence. Failure to report is a criminal offense in most states.
Cybersecurity & Phishing
Primary care EHR systems are high-value phishing targets: one credential harvested from a phishing email can expose every chart in the practice. The HIPAA Security Rule already requires a security awareness and training program (45 CFR 164.308(a)(5)), including protection from malicious software and log-in monitoring, and the proposed Security Rule update would make those requirements more prescriptive. Cybersecurity awareness and phishing risk training help staff recognize attacks before they compromise patient records.
Documentation & Medical Records
Proper documentation affects Medicare billing, malpractice defense, and licensing audits. Medical Records Compliance training covers chart integrity, retention, and correction procedures that protect your practice.
AI Safety in Healthcare
If your practice uses AI-assisted diagnostics, clinical decision support, or AI documentation tools, AI Safety training helps staff use these tools within HIPAA boundaries and clinical governance standards.
Training by Role
Different roles need different courses. Here's a breakdown for primary care teams.
| Role | Core Courses | Additional |
|---|---|---|
| Physician / NP / PA | HIPAA Privacy & Security, CMS FWA, Compliance & Ethics, Mandatory Reporting, Medical Records, Sexual Harassment Prevention | Telehealth Privacy if offering telehealth; AI Safety if using AI tools |
| Medical Assistant | HIPAA Privacy & Security, Bloodborne Pathogens, OSHA General Safety, HazCom, Infection Control, Sexual Harassment Prevention | |
| Front Desk / Scheduler | HIPAA Privacy & Security, Sexual Harassment Prevention, Business Associate Awareness | Phishing & Risk Analysis |
| Billing / Coding Specialist | HIPAA Privacy & Security, CMS FWA, Compliance & Ethics, Medical Records, Phishing, Sexual Harassment Prevention | |
| Practice Manager | HIPAA Privacy & Security, CMS FWA, Compliance & Ethics, Mandatory Reporting, Medical Records, Sexual Harassment Prevention | Cybersecurity, Workplace Violence Prevention |
| Lab Technician | Bloodborne Pathogens, HIPAA Privacy & Security, Infection Control, OSHA General Safety, HazCom, Sexual Harassment Prevention | |
| IT / EHR Administrator | HIPAA Security, Cybersecurity, Phishing, Sexual Harassment Prevention | Business Associate Awareness |
| Medical Records / HIM | HIPAA Privacy & Security, Medical Records, Phishing, Sexual Harassment Prevention | |
State-Specific Requirements
State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here.
- If you operate in California: CMIA privacy training; cultural competency CE for licensed clinical staff; workplace violence prevention (SB 553)
- If you operate in Texas: HB 300 privacy training within 90 days of hire; Texas civil penalties run up to $1.5M per year for a pattern of violations
- If you operate in Florida: HIV/AIDS training for applicable licensed practitioners per FL Statute 381.0034
- If you operate in New York: Infection control every 4 years for licensed clinical staff (PHL Section 239); sexual harassment prevention annually
The proposed update to the HIPAA Security Rule (published January 2025, final rule expected 2026) would expand cybersecurity requirements for physician practices, including encryption and multi-factor authentication as mandatory rather than addressable safeguards.
HIPAA questions we hear from primary care practices
What are the HIPAA requirements for EHR access controls in primary care?
Every staff member gets role-based EHR access limited to the minimum necessary PHI for their job: physicians, nurses, medical assistants, front office, and billing each see only the views their work requires. The Security Rule (45 CFR 164.312) requires a unique user ID for every person (no shared logins) and audit controls that record who accessed which patient record and when. Automatic logoff is an addressable specification: you configure session timeouts or document why an equivalent safeguard is reasonable for your practice. Reviewing access privileges at least annually, and removing access the day someone leaves, is a recognized best practice.
How does the minimum necessary rule apply to front office staff?
Front office staff need scheduling, check-in, insurance, and billing data, not clinical notes, lab results, or treatment plans. Configure the EHR so front office views stop at demographic, scheduling, and coverage information. The minimum necessary standard also applies to what is said aloud: staff should not discuss clinical details within earshot of other patients. HIPAA tolerates incidental disclosures only when reasonable safeguards, such as lowered voices and a check-in window set back from the waiting area, are in place.
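The two answers above describe the controls an EHR has to enforce: one credential per person, a role-limited view of each chart, automatic logoff, and an audit trail of every access. The following Python is an added example written for this page, not EZBunny code and not any real EHR's API. The role names, the field groups, the 15-minute timeout, and the constructed sample record are all assumptions for illustration.

```python
"""Role-based, minimum-necessary chart access with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Field groups of a constructed patient record (assumed layout, not a real EHR schema).
DEMOGRAPHICS = {"name", "dob", "phone", "address"}
SCHEDULING = {"appointments"}
INSURANCE = {"insurance_id", "payer"}
BILLING = {"charges", "claims"}
CLINICAL = {"problem_list", "progress_notes", "lab_results", "medications"}
# "ssn" is collected at intake but belongs to no routine view (assumption).

# Minimum-necessary view per role (assumed mapping; tune to your own workflows).
ROLE_FIELDS = {
    "physician": DEMOGRAPHICS | SCHEDULING | INSURANCE | CLINICAL,
    "medical_assistant": DEMOGRAPHICS | SCHEDULING | CLINICAL,
    "front_desk": DEMOGRAPHICS | SCHEDULING | INSURANCE,
    "billing": DEMOGRAPHICS | INSURANCE | BILLING,
}

SESSION_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff window


@dataclass
class Session:
    user_id: str             # one credential per person; never a shared login
    role: str
    last_activity: datetime  # timezone-aware


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user_id: str
    role: str
    patient_id: str
    fields: tuple   # which fields were actually returned
    outcome: str    # "ok" or a denial reason


AUDIT_LOG: list[AuditEntry] = []


class AccessDenied(Exception):
    pass


def view_record(session: Session, patient_id: str, record: dict, now: datetime) -> dict:
    """Return the minimum-necessary view of `record` for the session's role.

    Every attempt is written to AUDIT_LOG, denials included, so the log can
    answer "who looked at this chart, when, and what did they see".
    """
    if now - session.last_activity > SESSION_TIMEOUT:
        AUDIT_LOG.append(AuditEntry(now, session.user_id, session.role, patient_id, (), "denied: session expired"))
        raise AccessDenied("session expired; log in again")
    allowed = ROLE_FIELDS.get(session.role)
    if allowed is None:
        AUDIT_LOG.append(AuditEntry(now, session.user_id, session.role, patient_id, (), "denied: unknown role"))
        raise AccessDenied(f"no access profile for role {session.role!r}")
    view = {k: v for k, v in record.items() if k in allowed}  # fields outside the role never leave this function
    session.last_activity = now  # activity extends the session
    AUDIT_LOG.append(AuditEntry(now, session.user_id, session.role, patient_id, tuple(sorted(view)), "ok"))
    return view


def accesses_to(patient_id: str) -> list[AuditEntry]:
    """The question a breach investigation starts with: who touched this chart?"""
    return [e for e in AUDIT_LOG if e.patient_id == patient_id]


# Constructed sample record and sessions (not real patient data).
SAMPLE_RECORD = {
    "name": "J. Doe", "dob": "1980-01-01", "phone": "555-0100", "address": "1 Main St",
    "ssn": "000-00-0000",
    "appointments": ["2026-04-20 08:00"],
    "insurance_id": "XYZ123", "payer": "ExamplePlan",
    "charges": [], "claims": [],
    "problem_list": ["hypertension"], "progress_notes": ["..."],
    "lab_results": ["HIV Ab: negative"], "medications": ["lisinopril"],
}

T0 = datetime(2026, 4, 20, 8, 0, tzinfo=timezone.utc)


def demo():
    """Run the cases the FAQ describes; returns (front desk view, physician view, timed out?)."""
    AUDIT_LOG.clear()
    front = Session("u-front-01", "front_desk", T0)
    doc = Session("u-md-07", "physician", T0)
    front_view = view_record(front, "p-1", SAMPLE_RECORD, T0 + timedelta(minutes=1))
    doc_view = view_record(doc, "p-1", SAMPLE_RECORD, T0 + timedelta(minutes=2))
    try:  # same front-desk user, 20 minutes idle: automatic logoff applies
        view_record(front, "p-1", SAMPLE_RECORD, T0 + timedelta(minutes=21))
        timed_out = False
    except AccessDenied:
        timed_out = True
    return front_view, doc_view, timed_out


if __name__ == "__main__":
    front_view, doc_view, timed_out = demo()
    print("front desk sees:", sorted(front_view))
    print("physician sees:", sorted(doc_view))
    print("idle front-desk session timed out:", timed_out)
    for entry in accesses_to("p-1"):
        print(entry.when.isoformat(), entry.user_id, entry.role, entry.outcome, entry.fields)
```

The point to notice is where the filtering happens: the role decides which keys survive before anything is returned, so a front desk user cannot see lab results even if the screen or API they use asks for the whole chart, and the audit entry records the fields that were actually shown rather than the fields requested. A real EHR does this in the database and application layers rather than in a dictionary comprehension, but the questions an auditor asks (unique user, role-bound view, logoff, log) map onto the same four pieces.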
What are the HIPAA rules for prescription and referral management?
Prescriptions and referrals are disclosures for treatment, and pre-authorization requests are disclosures for payment; none of them requires patient authorization. The minimum necessary standard does not apply to disclosures to another provider for treatment, but it does apply to payment and operations disclosures such as pre-auth requests, so send insurers only what the request needs. E-prescriptions should travel over encrypted connections (encryption in transit is an addressable Security Rule specification that practices are expected to implement, and the DEA's EPCS rules add identity-proofing and two-factor authentication for controlled substances). Faxed referrals should carry a confidentiality notice, and staff must confirm the recipient's fax number before sending: a misdialed fax is an impermissible disclosure that has to be assessed as a potential breach.
How should primary care offices handle patient intake forms securely?
Intake forms must be collected privately, stored securely, and shredded once they are in the EHR. Patient intake forms collect sensitive PHI including medical history, insurance information, and Social Security numbers. Paper forms should be handed directly to staff (not left on clipboards visible to others) and stored in locked areas until they are entered. Electronic intake on tablets should use auto-locking screens and encrypted connections, and forms emailed ahead should go through a secure portal rather than plain email. Completed forms must be entered into the EHR promptly and the paper copies shredded, unless your retention policy requires keeping the original. Patients should receive a Notice of Privacy Practices before or during intake.
How often do medical offices need to provide HIPAA training?
Annual HIPAA refresher training is the widely accepted standard expected by auditors and insurers. The Privacy Rule requires training for all workforce members within a reasonable period after hire and whenever material changes are made to privacy or security policies, and the Security Rule requires ongoing security awareness, including periodic reminders. The law does not specify an exact refresher frequency; annual is the benchmark. Training should cover your practice's specific policies, not just general HIPAA concepts. Document all training with dates, attendees, and topics covered for audit readiness.
Cover your entire practice in one afternoon
Set up takes about 5 minutes. Try it free for 14 days.
Regulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. Last reviewed: April 2026.