Any time you put a spotlight on compliance for your medical practice’s team members, it pays off. Reminders and refreshers reduce risk, improve staff confidence, and signal to patients and payers that your practice takes ethical care, privacy, safety, and billing integrity seriously.

A Sept. 2, 2025, MGMA Stat poll found 43% of medical groups have some type of annual compliance week or month to bring these issues front and center for clinicians and staff; most (55%) do not do this beyond at-hire or hire-date trainings/refreshers, and 2% were unsure. The poll had 307 applicable responses.
- Among the groups that do hold one, most leaders say their organizations spotlight compliance on a set cadence each year, most often dedicating a week or month in late summer or early fall (August–October being the most common), though some align training with the calendar year in January or December.
- Others forgo a single block of time and instead assign refreshers on each employee’s anniversary date, distribute modules or assign work throughout the year via staff meetings or online systems, or combine seasonal pushes with ongoing reminders.
While the format varies, your peers are making sure compliance stays on the calendar, whether through concentrated campaigns or steady year-round touchpoints.
Not sure where to start? This article details the must-have trainings and reminders, along with high-value add-ons for physician offices. The OIG’s General Compliance Program Guidance names training and education, effective lines of communication, auditing and monitoring, and prompt response to detected issues among the core elements of an effective compliance program, so a compliance week or month is a natural vehicle for several of them at once.
Learn more in Orlando
Join us for the 2025 MGMA Leaders Conference, Sept. 28-Oct. 1 in Orlando, and have your top compliance questions answered live in a fishbowl session featuring HelpUCompli co-founders Laura Weeks, MBA, CHC, and Christopher Parrella, Esq., CPC, CPCO, CHC.
- Want to submit a question for the session? Email us.
The must-have annual trainings and reminders
Note: Some items are required by regulation; others are required “at hire/when policies change” but are commonly delivered annually as a best practice.
- HIPAA Privacy & Breach Basics (all workforce)
  The Privacy Rule (45 CFR 164.530(b)) requires training on your organization’s privacy policies and procedures “as necessary and appropriate” for each workforce member’s role, including new staff within a reasonable period after hire and any staff whose duties are affected by a material policy change. Annual refreshers are a best practice even though the rule does not explicitly mandate them. (If you’re into reading federal regulations, here they are.)
- HIPAA Security Awareness & Cyber Hygiene (all workforce)
  The Security Rule (45 CFR 164.308(a)(5)) requires a security awareness and training program for all workforce members, with periodic security reminders (e.g., phishing, device security, passwords, malicious software). Build content from HHS’s 405(d) Health Industry Cybersecurity Practices.
  - MGMA members have access to our Cybersecurity in Medical Practices Playbook, which offers step-by-step guidance on meeting regulatory requirements.
- Section 1557 Civil Rights and Language Access (for relevant staff)
  The 2024 final rule requires covered entities to train relevant employees on their Section 1557 policies and procedures (nondiscrimination, language assistance, accessibility): within 30 days of implementing the policies, for new relevant employees within a reasonable period after they take on a relevant role, and after any material policy change. Document completion.
- OSHA Bloodborne Pathogens (for exposed staff)
  The BBP standard (29 CFR 1910.1030) requires training at initial assignment and at least annually for workers with occupational exposure; keep your exposure control plan updated. (Here’s the letter of the law from OSHA.)
  - MGMA Ed Plus Compliance Training contains an OSHA Bloodborne Pathogens Standard course.
- OSHA Hazard Communication (chemical hazards)
  The HazCom standard (29 CFR 1910.1200) requires training at initial assignment and whenever a new chemical hazard is introduced; refreshers are common during compliance week. Ensure container labels, safety data sheets (SDS), and your written hazard communication program are current.
  - MGMA members can download our OSHA Hazard Communication Compliance Checklist.
  - Access the OSHA fact sheet on effective hazard communication programs.
- Emergency Action Plan (EAP) and Fire Safety (all workforce)
  Train staff on their roles in your EAP; drills are strongly recommended. A written plan is required for most workplaces (29 CFR 1910.38); an oral plan is allowed only for employers with 10 or fewer employees.
  - MGMA members can download our Emergency Preparedness Checklist.
- Medicare Parts C/D Fraud, Waste & Abuse (as applicable)
  If you contract with Medicare Advantage or Part D plans as a first-tier, downstream, or related entity (FDR), complete the FWA and general compliance training your plan sponsors require, typically within 90 days of hire and at least annually (often via CMS MLN or sponsor modules). Check each sponsor’s contract, since requirements and acceptable training sources vary by plan.
- No Surprises Act (front office and revenue cycle)
  Review staff workflows for the required notices and for Good Faith Estimates (GFEs) for uninsured and self-pay patients; refresh scripts and signage. (Find MGMA’s resource on Implementing the No Surprises Act and CMS’ GFE template.)
High-value “non-mandatory” add-ons for physician offices
- Workplace violence prevention and de-escalation (policies, reporting, drills, scenario practice). OSHA provides healthcare-specific guidance; some states require formal programs. [MGMA Ed Plus includes “Controlling Healthcare Workplace Violence” and “Dealing With Disruptive Patients.”]
- Privacy in the real world: texting PHI, photography in clinic, social media, minimum necessary, and “need-to-know” scenarios.
- Billing and documentation risk: Tie specific trainings/refreshers to your internal audit findings (e.g., incident-to, split/shared, modifier use, medical necessity, ABNs/GFEs).
- Third-party relationships: gifts and marketing, vendor access, referral risks (basic Stark/Anti-Kickback Statute awareness), and conflict-of-interest disclosure.
- Cyber tabletop microdrills: lost laptop, ransomware, misdirected fax — who does what in the first 60 minutes.
Questions your team will ask
Prepare clear answers for some of the most likely questions you will get when running a Compliance Week or Month event:
- “Do I get paid for training time?” Yes — when annual compliance training occurs during normal working hours, is required by the employer (or by law/regulation), and is directly related to the employee’s job, it is compensable work time.
- “Who exactly must complete 1557 training?” All relevant employees: those who interact with patients or the public, those who make decisions affecting patients’ care or finances, and roles such as executive leadership, legal, and billing/collections. [If anyone wants to read more, the Federal Register spells it out in HHS’ Section 1557 final rule from May 2024.]
- “Is HIPAA training really annual?” HIPAA requires training at onboarding and when policies change; annual refreshers are a best practice and often policy-required.
- “When is BBP training due?” At hire and at least annually for exposure-risk roles.
- “Where do I find an interpreter fast?” Provide the number/app, who authorizes use, and documentation steps. [MGMA members enjoy exclusive savings using MGMA Translate, powered by Boostlingo.]
- “How do I give a Good Faith Estimate?” Front-desk/billing should follow your No Surprises Act workflow and templates for uninsured/self-pay patients. [CMS resources can be found here.]
- “How do I report a privacy incident or safety hazard?” Prepare and distribute a one-page flow (who to tell first, forms, timelines).
- “What about aggressive behavior?” Share your workplace violence policy, de-escalation steps, incident reporting, and support resources. [More on this from OSHA.]
Log in or become an MGMA member to get a ready-to-use “Compliance Week” template along with this article.
Join MGMA Stat
Our ability at MGMA to provide great resources, education and advocacy depends on a strong feedback loop with healthcare leaders. To be part of this effort, sign up for MGMA Stat and make your voice heard in our weekly polls. Sign up by texting “STAT” to 33550 or visit mgma.com/mgma-stat. Polls will be sent to your phone via text message.