Your company handles patient data for healthcare clients. That makes you a Business Associate - and your whole team needs HIPAA training
You host healthcare client data, your support team sees patient info in tickets, or your app touches PHI in the pipeline. Under HIPAA, that's enough. Getting your team trained keeps contracts moving and clients confident.
HIPAA is the federal law that protects patient health information. Annual training is the industry standard.
Breaches affecting 500+ individuals are published on the HHS Breach Portal (the "Wall of Shame"), a permanent, public record. Training your team is the most effective way to avoid it.
And it gets stricter. States like California (CMIA) and Texas (HB 300) impose penalties beyond federal HIPAA. Your team needs to meet the highest standard.
25+ courses your business associate team actually needs
Business associates handle PHI for covered entities. Beyond HIPAA, your team needs cybersecurity awareness, phishing prevention, and compliance training. EZBunny covers it all in one subscription.
Where business associates run into trouble
$1.5M after a phished personal email
An employee forwarded unencrypted patient billing records to their personal Gmail. That account got phished. The BA, not the healthcare client, paid $1.5 million.
Your whole team finishes in one sitting
Audio-narrated lessons with knowledge checks, built for people who've never thought about HIPAA before. No scheduling headaches, no day-long workshops.
"Our team doesn't touch patient data"
If your staff has access to production systems, sees customer data in support tickets, or works with healthcare client data in any way - they're handling PHI. Under HIPAA, they need training.
Show healthcare prospects you're ready
Your compliance dashboard shows who's trained and who's not. When a prospect asks for proof before signing, you export a report and send it over. Done.
Your subcontractors need BAAs too
AWS for hosting, Datadog for monitoring, an offshore QA team. Every subcontractor that touches PHI needs their own Business Associate Agreement. Miss one and the liability falls on you.
New hire? They'll get reminded automatically
When you add someone to your team, EZBunny sends them a training invite. When their certificate's about to expire, they get a nudge. You don't chase anyone.
No training certificates = no healthcare deal
Healthcare prospects want proof that your team is HIPAA-trained before they'll sign a contract. If you can't show certificates, the deal stalls or dies.
Certificates clients can verify themselves
Each certificate has a unique ID and public verification link. Your healthcare clients can check every team member's status without asking you.
One price for your whole team. Everyone who touches client data, covered
No per-seat charges. No hidden fees. Cancel anytime.
Beyond HIPAA: All the Training Business Associates Need
Business associates handle PHI for covered entities. HIPAA is required - but it's not all you need.
Business Associate Awareness (Required)
Every employee at a BA organization who can access PHI must understand their direct HIPAA obligations. Under HITECH, BAs face the same penalties as covered entities. BA Awareness training covers BAA requirements, subcontractor rules, breach notification timelines, and permitted uses of PHI.
HIPAA Security Rule (Required)
Business associates must implement the same technical, administrative, and physical safeguards as covered entities. Security Rule training covers encryption requirements, access controls, workstation security, and risk analysis - core competencies for any team managing PHI systems.
Cybersecurity Awareness
Health tech BAs are high-value targets for ransomware and data theft. A breach at a BA organization can expose patient records for dozens of covered entity clients simultaneously. Cybersecurity awareness training helps developers, operations, and support staff recognize and prevent attacks.
Phishing & Risk Analysis
Phishing is the most common initial access vector for healthcare data breaches. Your engineers and account managers receive targeted phishing emails designed to compromise healthcare client systems. Phishing awareness and risk analysis training is a critical layer of defense.
Sexual Harassment Prevention (Required)
Required under Title VII for all employers. Many states (CA, NY, IL, NJ) add their own annual requirements. With remote teams spanning multiple states, BA organizations often need to meet the strictest standard across their workforce locations.
Compliance, Ethics & Fraud
Business associates can be implicated in healthcare fraud through improper billing arrangements, kickbacks, or enabling fraudulent claims processing. Compliance and Ethics training helps your team understand OIG guidance and avoid practices that create liability.
Training by Role
Different roles need different courses. Here's a breakdown for BA organizations.
| Role | Core Courses | Additional |
|---|---|---|
| IT Staff / Developer | HIPAA Privacy & Security, Business Associate Awareness, Cybersecurity, Phishing, Sexual Harassment Prevention | |
| Project Manager | HIPAA Privacy & Security, Business Associate Awareness, Sexual Harassment Prevention | Cybersecurity |
| Account Manager / Sales | HIPAA Privacy & Security, Business Associate Awareness, Sexual Harassment Prevention | Phishing |
| Compliance Officer | HIPAA Privacy & Security, Business Associate Awareness, Cybersecurity, Phishing, Compliance & Ethics, Sexual Harassment Prevention | |
| Support Staff | HIPAA Privacy & Security, Business Associate Awareness, Phishing, Sexual Harassment Prevention | |
| Executive / Leadership | HIPAA Privacy & Security, Business Associate Awareness, Compliance & Ethics, Sexual Harassment Prevention | Cybersecurity |
State-Specific Requirements
State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here.
- If you operate in California: CMIA privacy training applies to BAs serving California healthcare clients; workplace violence prevention training (SB 553) also applies
- If you operate in Texas: HB 300 privacy training applies if your BA activities involve Texas patient data; Texas has a broader CE definition than federal HIPAA
- If you operate in Florida: Review FL-specific requirements if providing clinical or healthcare services in Florida
- If you operate in New York: Sexual harassment prevention training required annually for all NY employers regardless of size
Proposed changes to the HIPAA Security Rule, expected in 2026, would impose more specific cybersecurity requirements that directly affect business associates.
HIPAA questions tech companies and vendors ask us
What is a Business Associate under HIPAA?
A Business Associate is any organization that creates, receives, maintains, or transmits PHI on behalf of a healthcare provider or health plan. This includes IT companies that host or manage EHR systems, billing and coding firms, cloud service providers storing PHI, SaaS platforms used for patient communication, managed service providers with network access, and shredding companies handling PHI documents. If your company touches PHI in any form, even if you never look at it, you are likely a Business Associate.
Do IT companies and SaaS vendors need HIPAA training?
Yes. Under HITECH, business associates are directly liable for HIPAA compliance, not just their healthcare clients. Your developers, support engineers, DevOps team, and anyone with potential access to systems containing PHI must receive HIPAA training. Many IT companies do not realize this applies to them until a healthcare client asks for proof during the sales process.
What is a Business Associate Agreement and when is it required?
A BAA is a legally required contract that must be signed before any PHI is shared between a covered entity and a business associate. It establishes permitted uses and disclosures of PHI, requires safeguards, mandates breach notification, and ensures the BA complies with HIPAA. Without a signed BAA, both parties are in violation, even if no breach occurs. BAAs must also cover subcontractors who will access PHI.
What are the HIPAA obligations for subcontractors of business associates?
Subcontractors that handle PHI are themselves considered business associates and must sign their own BAAs. The BA must sign a BAA with each subcontractor. Each subcontractor must implement HIPAA safeguards, train their workforce, and report breaches up the chain. Cloud hosting providers, third-party analytics tools, and outsourced development teams commonly fall into this category.
How can business associates prove HIPAA compliance to healthcare clients?
Individual training certificates with verifiable IDs are one of the most straightforward and commonly requested pieces of compliance evidence. Other proof includes signed BAA templates, documented HIPAA training certificates for all workforce members, written security policies and procedures, results of a recent risk assessment, and SOC 2 Type II or HITRUST certification if available.
What are the breach notification rules for business associates?
Business associates must report any breach of unsecured PHI to the covered entity within 60 days of discovery. The notification must include the nature of the breach, the types of PHI involved, steps individuals should take, what the BA is doing to mitigate harm, and contact information. BAs that fail to report face direct enforcement action and penalties from HHS.
Get your team trained before the next client asks
Setup takes about 5 minutes. Try it free for 14 days.
Regulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. Last reviewed: April 2026.