
Awareness article

Workforce Member: HIPAA Definition for Small Clinics

The HIPAA definition of workforce member, who qualifies, who does not, training obligations, access controls, sanctions, and implications for temp and agency staff.

Short answer

Under HIPAA, workforce members are employees, volunteers, trainees, and other persons whose conduct in performing work for a covered entity is under the direct control of that covered entity, whether or not they are paid (45 CFR § 160.103). A covered entity is responsible for how its workforce members handle PHI: it must train them, limit their access, and sanction violations, and their conduct is treated as the covered entity's own for compliance purposes.

In practice, every clinic staff member who accesses patient records, answers patient questions, or handles administrative functions involving PHI operates within a HIPAA framework that your clinic is responsible for establishing and maintaining.

Small-clinic example: A 3-provider pediatric practice brings in a temporary front desk worker through a staffing agency during a busy enrollment period. That temp worker is your clinic’s workforce member for HIPAA purposes. Your clinic must provide clinic-specific training, manage their PHI access, and sanction violations - regardless of what training the staffing agency provided.

The Regulatory Definition

Under 45 CFR § 160.103, workforce means:

“Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”

Two elements distinguish a workforce member from other persons, and a third factor is expressly excluded:

  1. They perform work for the covered entity
  2. Their conduct in performing that work is under the direct control of the covered entity
  3. Whether they are paid by the covered entity is irrelevant

The payment element is explicitly irrelevant. A volunteer who works two days per week at the front desk is as much a workforce member as a full-time salaried employee.

Who Is a Workforce Member

All paid employees - clinical, administrative, and support staff - are workforce members. This includes:

  • Physicians, physician assistants, and nurse practitioners
  • Nurses, medical assistants, and allied health clinicians
  • Front desk staff and receptionists
  • Billing and coding staff
  • Practice administrators and office managers
  • Information technology staff
  • Facilities and maintenance staff who may access patient areas

All employees are workforce members and must receive Privacy Rule training; for those who have any access to PHI, or whose work could incidentally expose them to PHI, that training must be tailored to the PHI they actually encounter in their role.

Volunteers

Volunteers who perform work under your clinic’s direction and control are workforce members. This commonly includes:

  • Community health workers who volunteer in clinic programs
  • Retired healthcare professionals assisting at community clinics
  • Service organization volunteers who assist with patient transport or waiting room functions

The volunteer’s lack of payment does not affect their workforce status. Your clinic is responsible for their HIPAA training and for ensuring they have appropriate, limited access to PHI.

Trainees

Students and trainees working at your clinic are workforce members:

  • Medical students completing clinical rotations
  • Nursing students completing clinical placements
  • Health information management students working with records
  • Medical assisting and billing students completing externships
  • Residency and fellowship physicians (in clinics that train residents)

Your clinic controls the trainee’s activities and access while they are on site. The trainee’s school or training program may provide baseline HIPAA training, but your clinic must ensure the trainee understands and follows your specific privacy policies.

Other Persons Under Direct Control

The definition includes anyone whose work for your clinic is under your direct control, beyond the categories listed above. This can include:

  • Temporary and agency staff (see below)
  • Employees loaned from another covered entity
  • Contracted individuals who work on-site under your clinic’s direction

The test is direct control: does your clinic direct how, when, and where the person performs their work? If yes, they are a workforce member.

Who Is NOT a Workforce Member

Independent Contractors Operating Independently

An independent contractor who performs services for your clinic using their own judgment, methods, and resources - and who is not under your clinic’s direct operational control - is not a workforce member. If that contractor handles PHI in the course of their services, they are a business associate.

The distinction matters operationally:

Characteristic                     | Workforce member                         | Business associate
Who controls their work methods?   | The clinic                               | The contractor themselves
Where do they typically work?      | At the clinic                            | Often at their own location
Who do they work for?              | The clinic exclusively (in the HIPAA sense) | Typically multiple clients
What does the clinic need?         | Training, access controls, sanctions     | Business Associate Agreement
HIPAA liability                    | Through the covered entity               | Direct (post-HITECH)

A billing company that processes your claims remotely from their own office using their own systems is a business associate, not a workforce member. An independent contract biller who comes to your clinic, uses your systems, and works under your direct supervision may be a workforce member.

The line is not always obvious. When uncertain, treating a person as a workforce member (with training and access controls) and also obtaining a BAA if they will handle PHI independently is the more conservative and protective approach.

Security Guards and Maintenance Companies

A third-party security company’s personnel or a building maintenance contractor’s staff are not workforce members. They perform services pursuant to their own employer’s direction, not under your clinic’s direct control in the HIPAA sense. However, if these individuals can reach areas containing PHI or systems containing ePHI, your facility access controls (45 CFR § 164.310(a)) should limit their exposure: locked records rooms and server closets, after-hours escort or visitor sign-in, and workstations that lock automatically when unattended.

Training Obligations for Workforce Members

Under 45 CFR § 164.530(b) (Privacy Rule) and 45 CFR § 164.308(a)(5) (Security Rule), your clinic must train workforce members on privacy and security policies:

Privacy training must be provided to each workforce member “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” New workforce members must be trained within a reasonable period of time after they join, and existing workforce members must be retrained when a material change in policy affects their function. Training must be documented.

The security awareness and training standard is required; its four implementation specifications are addressable, meaning you must implement each one or document why an alternative is reasonable and appropriate. Those specifications are periodic security reminders, protection from malicious software, log-in monitoring, and password management. This training must also be documented.

Practical requirements for small clinics:

  • Train all new hires before they access PHI
  • Train volunteers and trainees before they access PHI
  • Provide periodic refresher training (annually at minimum)
  • Document training with dates, attendees, and topics covered
  • Update training when policies change materially

Generic HIPAA training modules are a starting point, but workforce training must also cover your clinic’s specific policies: how to handle fax misdirections, what to do if a family member calls asking about a patient, how to lock workstations, and how to report a suspected breach.

Access Controls for Workforce Members

The Security Rule requires your clinic to implement policies that ensure workforce members have access to ePHI appropriate to their role and that unauthorized access is prevented (workforce security, 45 CFR § 164.308(a)(3); information access management, 45 CFR § 164.308(a)(4)). This translates to:

  • Unique user identification: every workforce member, including temps and volunteers, gets their own account (45 CFR § 164.312(a)(2)(i)), so that log entries can be attributed to a person and shared credentials never become normal practice
  • Role-based access: a front desk scheduler should not have access to clinical notes
  • Minimum necessary access: access should be limited to the PHI the workforce member needs to perform their job
  • Termination procedures: access must be revoked immediately when a workforce member leaves or changes role (45 CFR § 164.308(a)(3)(ii)(C)), including agency temps whose engagement ends
  • Access audit: system activity logs should be reviewed regularly to confirm access patterns are consistent with job roles (45 CFR § 164.308(a)(1)(ii)(D) information system activity review; 45 CFR § 164.312(b) audit controls), looking in particular for record types outside the user’s role, clinical records opened for patients the user has no care relationship with, and any activity on accounts that should have been disabled
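The following is an added example, not PHIGuard code and not part of the original article, showing what the access audit bullet above looks like when it is actually run over EHR access-log lines. The role map, clinic roster, care relationships and the CSV log lines are all constructed for illustration; a real review would export them from the EHR's audit log and scheduling system. It checks the three patterns the page calls out: a record type outside the user's role, a clinical record opened with no care relationship to the patient, and activity on an account that should have been disabled.

```python
"""Review EHR access-log lines against role-based access rules.

Added example (not PHIGuard code). The roster, role map, care
relationships and log lines are constructed for illustration.
"""
import csv
import io
from collections import Counter

# Record types each role may open. Anything outside the set exceeds the
# "minimum necessary" for that job function. (Constructed, hypothetical roles.)
ROLE_PERMISSIONS = {
    "scheduler": {"demographics", "appointments"},
    "biller": {"demographics", "claims"},
    "medical_assistant": {"demographics", "appointments", "clinical_notes"},
    "clinician": {"demographics", "appointments", "clinical_notes", "labs"},
}

# Clinic roster: role and whether the account should still be active. A
# departed worker's account must be disabled, so any activity on it is a
# finding regardless of what was opened. (Constructed.)
WORKFORCE = {
    "jsmith": {"role": "scheduler", "active": True},
    "rgomez": {"role": "biller", "active": True},
    "tchen": {"role": "medical_assistant", "active": True},
    "dr_lee": {"role": "clinician", "active": True},
    "temp_ok": {"role": "scheduler", "active": False},  # agency temp, engagement ended
}

# (user, patient) pairs from the day's schedule. Opening a clinical record
# outside this set is the "patient not in my care" pattern. (Constructed.)
CARE_RELATIONSHIPS = {
    ("dr_lee", "P1001"), ("dr_lee", "P1002"),
    ("tchen", "P1001"), ("tchen", "P1002"),
}

CLINICAL_TYPES = {"clinical_notes", "labs"}

# Constructed sample of an EHR access-log export.
SAMPLE_LOG = """\
timestamp,user,patient_id,record_type,action
2024-03-04T08:02:11,jsmith,P1001,appointments,view
2024-03-04T08:05:40,jsmith,P1003,clinical_notes,view
2024-03-04T09:10:02,tchen,P1001,clinical_notes,view
2024-03-04T09:12:55,dr_lee,P1002,labs,view
2024-03-04T12:31:07,dr_lee,P1009,clinical_notes,view
2024-03-04T13:44:19,rgomez,P1002,claims,edit
2024-03-04T17:58:03,temp_ok,P1004,demographics,view
"""


def review_access_log(log_text, roster=WORKFORCE, permissions=ROLE_PERMISSIONS,
                      care=CARE_RELATIONSHIPS):
    """Return a list of (rule, user, patient_id, record_type) findings.

    Each log line is tested in order of severity: an inactive or unknown
    account is reported first, then a record type outside the role, then a
    clinical record opened without a care relationship.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient, rtype = row["user"], row["patient_id"], row["record_type"]
        worker = roster.get(user)
        if worker is None or not worker["active"]:
            # Orphan or terminated account: the termination procedure failed.
            findings.append(("inactive_account", user, patient, rtype))
            continue
        if rtype not in permissions[worker["role"]]:
            findings.append(("outside_role", user, patient, rtype))
            continue
        if rtype in CLINICAL_TYPES and (user, patient) not in care:
            findings.append(("no_care_relationship", user, patient, rtype))
    return findings


def summarize(findings):
    """Count findings per rule, for the monthly review record."""
    return Counter(rule for rule, *_ in findings)


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for finding in results:
        print(*finding)
    print(dict(summarize(results)))
```

Each finding is a lead for the reviewer, not a verdict: a covering clinician, an on-call provider, or a referral will legitimately open records for patients outside the day's schedule, so the care-relationship rule needs those sources of authorization folded in before it is used to drive sanctions. The inactive-account rule, by contrast, should never fire; when it does, the fix is in offboarding, not in the worker.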

Sanctions for Workforce Violations

Your clinic must apply appropriate sanctions against workforce members who violate privacy or security policies (45 CFR § 164.530(e) for Privacy Rule; 45 CFR § 164.308(a)(1)(ii)(C) for Security Rule). Sanctions must be documented.

Examples of workforce violations requiring sanctions:

  • Accessing records of a patient who is not in the workforce member’s care
  • Disclosing PHI to a patient’s family member without authorization
  • Sharing login credentials with another workforce member
  • Removing PHI from the clinic on an unencrypted device
  • Leaving a workstation unlocked and unattended in a patient area

The severity of the sanction should be proportional to the violation and consistent with your clinic’s written sanction policy. Inconsistent application of sanctions - treating similar violations differently based on who commits them - is itself a compliance problem.

Temp and Agency Staff: A Practical Note

Clinics that use temporary or agency staff face a specific compliance consideration. Temp workers are your clinic’s workforce for HIPAA purposes, but they come with varying levels of HIPAA training from their agencies. Your clinic cannot assume the agency’s training satisfies your training obligations.

Before a temp worker accesses PHI:

  1. Confirm they have received basic HIPAA awareness training (from the agency or clinic)
  2. Provide clinic-specific training on your policies and procedures
  3. Set up access credentials with role-appropriate permissions
  4. Document the training completion

For temporary engagements, a streamlined training acknowledgment form that the temp signs on their first day - covering your clinic’s privacy and security policies, their access level, and their sanction obligations - is a practical minimum.

PHIGuard helps covered entities manage workforce training records, track access credential reviews, and document sanction events as part of a complete HIPAA compliance program. Learn more at PHIGuard’s HIPAA page.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.

FAQ

Questions related to this topic

Is a medical student on a clinical rotation a workforce member of the clinic?

Generally yes. A medical student completing a clinical rotation at your clinic is under the clinic's direct operational control during the rotation - the clinic directs the student's patient contact activities, access to records, and clinical environment. The student is a workforce member for HIPAA purposes, and the clinic is responsible for ensuring the student receives appropriate privacy and security training before accessing PHI.

We use a staffing agency for temporary front desk staff. Are those workers our workforce for HIPAA purposes?

Yes. Temporary staff from a staffing agency who work at your clinic under your direct supervision and control are workforce members for HIPAA purposes, regardless of the employment relationship with the agency. Your clinic is responsible for providing HIPAA training, managing their access to PHI, and applying sanctions if they violate your privacy policies. The staffing agency should also provide its own training, but your clinic cannot rely solely on the agency's training to satisfy your HIPAA obligations.

What is the difference between a workforce member and a business associate?

A workforce member works under the direct control of the covered entity - the covered entity directs how, when, and where they perform their work. A business associate is an independent entity that performs services for the covered entity but is not under its direct control in the same way - the business associate conducts its work using its own methods and resources. An independent billing consultant who operates their own firm and provides services to multiple clinics is a business associate, not a workforce member.
