Healthcare Phishing Simulation: A HIPAA-Compliant Approach
Healthcare runs on trust and trust runs on email. A clinician opens 80 messages a shift, a revenue cycle clerk processes hundreds of payer notices a week and an HR coordinator handles benefits files that contain every workforce member's PII. Attackers know this surface intimately, and ransomware crews have spent the last five years optimizing their lures for hospital workflow rhythms - the late-night DEA renewal email, the early-morning Epic password-reset prompt, the quiet weekend wire request to the CFO's office.
This post is for the privacy officer, the CISO and the compliance director at a covered entity (CE) or business associate (BA) who has been told to "do something about phishing." It walks through what's distinct about healthcare phishing risk, where the HIPAA Security Rule actually lands on simulation and what a credible program looks like in practice - including the templates that work and the documentation OCR will ask for if you ever land on the breach portal.
What makes healthcare phishing risk different
Three structural realities shape the threat model:
- The workforce is heterogeneous and high-turnover. A 600-bed hospital might employ 4,000 people across attending physicians, residents, travel nurses, environmental services, billing and a dozen affiliated practice groups. Privilege levels and tenure vary wildly; one campaign template will land very differently across cohorts.
- The data is uniquely valuable. A complete medical record sells for many times the price of a stolen credit card on dark markets, because PHI cannot be canceled and reissued. That price tag funds a level of attacker effort you don't see against generic targets.
- Operational disruption is leverage. Ransomware crews target hospitals because downtime is intolerable. The willingness to pay shows up in the payload design - phishing lures aimed at admins and identity systems get more polish than the average enterprise sees.
The Verizon Data Breach Investigations Report has flagged healthcare year after year as one of the heaviest-breached verticals, with the human element (phishing, pretexting, credential theft) involved in the majority of incidents.
What the HIPAA Security Rule actually requires
The HHS Office for Civil Rights enforces the HIPAA Security Rule at 45 CFR Part 164, Subpart C. Two specifications matter most for phishing programs:
- 164.308(a)(5) Security awareness and training - a required standard. The implementation specifications below it (security reminders, protection from malicious software, log-in monitoring, password management) are addressable, meaning you must implement each one where reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place.
- 164.308(a)(1)(ii)(A) Risk analysis - a required, ongoing risk assessment. OCR's resolution agreements consistently cite inadequate risk analysis as a contributing finding.
The Security Rule does not name "phishing simulation" anywhere in its text. But OCR's published guidance, the HHS 405(d) HICP (Health Industry Cybersecurity Practices) publication and the resolution agreements following major breaches all treat simulated phishing as the de facto evidence for awareness training effectiveness. In a post-incident OCR investigation, "we did annual computer-based training" is no longer a credible answer.
BAA, vendors and the data flow question
Before procurement, the privacy officer needs to answer one question: does the simulation vendor process anything that could be PHI? The simulation telemetry - clicks, opens, training completions - is workforce training data, not PHI. The workforce roster is also generally not PHI. But two edge cases trip teams up:
- Lure content that uses real patient context. A template that references a specific patient name to test a clinical user crosses into PHI handling. Don't do that - generic personas work better and remove the BAA question entirely.
- Email integration that imports user mailboxes for content analysis. Some platforms scan production mailboxes to inform lure generation. That data flow may include PHI and almost certainly requires a BAA.
Most CEs default to executing a BAA with the simulation vendor anyway, even where strictly unnecessary, because it removes ambiguity if the relationship later expands. Confirm with your privacy officer based on the actual data flow.
Templates that land in healthcare
Generic "your password will expire" templates underperform in a clinical setting because the audience has been trained on those. Healthcare-realistic categories that consistently produce useful click data:
- EHR vendor impersonation - Epic MyChart access, Cerner credential refresh, Meditech downtime notice. Clinical users react fast to anything that threatens chart access.
- Patient portal credential prompts - "A patient has requested access to records, click to verify." Targets front-desk and patient access staff.
- Payer and clearinghouse lures - Availity, Change Healthcare, payer claim-denial notices. Targets revenue cycle and billing.
- Licensure and DEA renewal - clinician-targeted, often arriving close to real renewal cycles. Difficulty: hard.
- HR/payroll BEC during open enrollment - "Update your direct deposit before October 15." Targets the entire workforce.
- Pharmacy and supply chain - vendor invoice fraud, controlled-substance shipment notices, GPO contract attachments.
A balanced campaign rotation across these categories, mixed across our easy/regular/hard difficulty tiers, gives you the cohort-level data OCR and your insurance carrier both expect to see.
Cadence, cohorts and exclusions
A defensible cadence for a CE looks like:
- Monthly campaigns, rotating role groups (clinical, revenue cycle, IT, exec, contractor) so every workforce member receives 4-6 simulations per year.
- No executive carve-outs. Executives are the highest-loss target for whaling and BEC; exempting them is the single biggest red flag in a breach forensic review.
- Contractor and affiliated-practice inclusion. If a person has a workforce email and access to ePHI systems, they belong in the program regardless of W-2 status.
- Auto-assigned remediation training the moment a user clicks. Manual follow-up does not survive OCR review.
Documentation OCR (and your cyber carrier) will ask for
Keep these artifacts current and exportable:
- Campaign log: dates, target population, template category, difficulty
- Click-through rate trend over the past 24 months with cohort breakdown
- Training completion rate per campaign, with median time-to-completion after click
- Coverage report: % of workforce included, with rationale for any exclusions
- Written security awareness policy (signed, version-controlled)
- Annual risk analysis update reflecting phishing as a documented threat vector
- Board, governance or risk-committee report cadence
The same packet supports OCR audit, Joint Commission information management standards, HITRUST CSF (if you're certified) and your cyber insurer's 2026 renewal questionnaire.
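The artifacts above are mostly derived from the same simulation telemetry. As an added example (not code from this post or from the Bait & Phish platform), the following Python script takes a constructed roster, campaign log and per-recipient event records and produces the cohort click-through rates, per-campaign remediation completion rate and median time-to-completion, and a coverage report that lists every excluded person with a documented rationale and flags the ones without one. All user ids, cohorts, dates and record fields are invented assumptions; a real export will have its own schema.

```python
"""Evidence-packet metrics from phishing-simulation telemetry.

Constructed sample data for illustration; every id, cohort and timestamp
is invented and the record layout is an assumption, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Workforce roster: user id -> role cohort. Includes contractors on purpose,
# because W-2 status does not decide program membership.
ROSTER = {
    "u01": "clinical", "u02": "clinical", "u03": "clinical", "u04": "clinical",
    "u05": "revenue_cycle", "u06": "revenue_cycle", "u07": "revenue_cycle",
    "u08": "exec", "u09": "exec",
    "u10": "contractor", "u11": "contractor",
    "u12": "it",
    "u13": "exec",  # constructed: an executive who received nothing and has no rationale
}

# Campaign log entries: date, target cohorts, template category, difficulty.
CAMPAIGNS = [
    {"id": "c1", "date": "2025-09-02", "cohorts": ["clinical", "exec"],
     "category": "EHR vendor impersonation", "difficulty": "regular"},
    {"id": "c2", "date": "2025-10-06", "cohorts": ["revenue_cycle", "contractor", "it"],
     "category": "Payer/clearinghouse", "difficulty": "hard"},
]

# One record per delivered simulation. clicked/completed are ISO timestamps or None.
EVENTS = [
    {"user": "u01", "campaign": "c1", "clicked": "2025-09-02T07:10", "completed": "2025-09-02T09:40"},
    {"user": "u02", "campaign": "c1", "clicked": None, "completed": None},
    {"user": "u03", "campaign": "c1", "clicked": "2025-09-02T12:00", "completed": "2025-09-03T11:30"},
    {"user": "u04", "campaign": "c1", "clicked": None, "completed": None},
    {"user": "u08", "campaign": "c1", "clicked": "2025-09-02T06:30", "completed": None},
    {"user": "u09", "campaign": "c1", "clicked": None, "completed": None},
    {"user": "u05", "campaign": "c2", "clicked": "2025-10-06T10:00", "completed": "2025-10-06T10:30"},
    {"user": "u06", "campaign": "c2", "clicked": None, "completed": None},
    {"user": "u07", "campaign": "c2", "clicked": None, "completed": None},
    {"user": "u10", "campaign": "c2", "clicked": "2025-10-06T15:00", "completed": "2025-10-06T17:30"},
    {"user": "u11", "campaign": "c2", "clicked": None, "completed": None},
    # u12 (IT) was in scope for c2 but has no delivery record: see EXCLUSIONS.
]

# Documented exclusion rationale, keyed by user id. Anyone excluded without an
# entry here shows up as a finding in the coverage report.
EXCLUSIONS = {"u12": "shared service mailbox, no individual login"}


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def click_rate_by_cohort(events=EVENTS, roster=ROSTER):
    """Click-through rate per cohort across all campaigns: clicks / deliveries."""
    delivered, clicked = defaultdict(int), defaultdict(int)
    for e in events:
        cohort = roster[e["user"]]
        delivered[cohort] += 1
        if e["clicked"]:
            clicked[cohort] += 1
    return {c: round(clicked[c] / delivered[c], 3) for c in delivered}


def remediation_stats(events=EVENTS):
    """Per campaign: training completion rate among clickers, median hours from
    click to completion, and the clickers whose remediation is still open."""
    clickers_by_campaign = defaultdict(list)
    for e in events:
        if e["clicked"]:
            clickers_by_campaign[e["campaign"]].append(e)
    stats = {}
    for cid, clickers in clickers_by_campaign.items():
        done = [e for e in clickers if e["completed"]]
        hours = [(_ts(e["completed"]) - _ts(e["clicked"])).total_seconds() / 3600 for e in done]
        stats[cid] = {
            "clickers": len(clickers),
            "completion_rate": round(len(done) / len(clickers), 3),
            "median_hours_to_completion": round(median(hours), 1) if hours else None,
            "open_remediations": [e["user"] for e in clickers if not e["completed"]],
        }
    return stats


def coverage_report(roster=ROSTER, events=EVENTS, exclusions=EXCLUSIONS):
    """Share of the workforce that received at least one simulation, every
    excluded person with their rationale, and the exclusions lacking one."""
    included = {e["user"] for e in events}
    excluded = [u for u in roster if u not in included]
    return {
        "workforce": len(roster),
        "included": len(included),
        "coverage_pct": round(100 * len(included) / len(roster), 1),
        "exclusions": {u: exclusions.get(u, "MISSING RATIONALE") for u in excluded},
        "unexplained_exclusions": [u for u in excluded if u not in exclusions],
    }


def evidence_packet():
    """Assemble the exportable packet from the pieces above."""
    return {
        "campaign_log": sorted(CAMPAIGNS, key=lambda c: c["date"]),
        "click_rate_by_cohort": click_rate_by_cohort(),
        "remediation": remediation_stats(),
        "coverage": coverage_report(),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_packet(), indent=2))
```

Run as-is, the coverage report flags `u13` as an unexplained exclusion; because that id sits in the exec cohort, it is exactly the executive carve-out a forensic reviewer would question. The remediation section likewise surfaces `u08` as a clicker with no completed training, which is the record an auto-assignment workflow should have closed.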
Common mistakes specific to healthcare
- Carving out clinicians "because they're too busy." They are exactly the population attackers target. Run shorter, role-specific simulations rather than exempting them.
- Annual computer-based training in place of simulation. Knowledge tests measure comprehension; simulations measure behavior. OCR cares about behavior change.
- Punitive remediation. Discipline-based responses suppress reporting. The goal is a workforce that reports faster, not one that hides clicks.
- Treating BAs as out-of-scope. Your medical billing vendor, transcription service and revenue-cycle outsourcer are all BAs. Their workforce phishing posture is your liability.
- Letting the EHR vendor decide your awareness program. EHR vendor "training modules" rarely include real phishing simulation; they are knowledge content. Layer simulation on top.
- Excluding telehealth-only providers. Telehealth platforms expanded the workforce surface during the pandemic and many of those providers retained their email accounts. Confirm they are in the program.
Mapping the program to HHS 405(d) HICP
The HHS 405(d) program publishes Health Industry Cybersecurity Practices (HICP), a voluntary set of practices aligned to the NIST Cybersecurity Framework and tailored for the healthcare sector. HICP names email protection, phishing simulation and security awareness training among the top recommended practices for organizations of every size - small, medium and large. The same evidence packet that satisfies OCR and your cyber-insurance carrier maps cleanly to HICP self-assessment, which has become a frequent ask in vendor and BAA reviews.
For organizations pursuing HITRUST CSF certification, the awareness training control family (07.07 in legacy mapping; aligned controls in the current framework) requires evidence of a continuous program rather than a single annual training event. Phishing simulation telemetry, training assignment records and remediation completion data provide that evidence directly.
Where Bait & Phish fits
Bait & Phish has been running phishing simulation and security awareness training programs for healthcare organizations - large IDNs, community hospitals, FQHCs, dental groups, billing companies and other BAs - for more than 15 years. Our platform supports the cadence and documentation healthcare compliance offices need: monthly multi-channel campaigns (email, SMS, voice), auto-assigned just-in-time training the moment a user clicks, template categories that mirror clinical and revenue-cycle workflow and one-click exports formatted for OCR audit and cyber-insurance renewal.
If you're standing up a program from scratch or replacing one that doesn't survive an OCR review, start a free trial covering up to 25 users - no credit card - or talk to us about pricing for your full workforce. For more on how the program documentation flows into your insurance renewal, see what cyber insurers ask about phishing training.
This post is informational and does not constitute legal, compliance or HIPAA advice. Consult your privacy officer and counsel for guidance on your organization's specific obligations.