Article Updated: July 11, 2026

Who Needs HIPAA Training in an Functional Medicine Practice?

Every member of a functional medicine practice workforce whose role involves any contact with patient information, clinical systems, scheduling platforms, laboratory ordering systems, or administrative processes connected to protected health information requires HIPAA training under the HIPAA Privacy Rule and the HIPAA Security Rule, with no exemption based on employment type, hours worked, or the indirect nature of their contact with patient data. The HIPAA definition of a workforce covers all persons whose conduct in the performance of work for a covered entity is under its direct control, which means paid staff, unpaid volunteers, students completing clinical placements, and temporary workers all fall within the training requirement on the same regulatory terms. Functional medicine practices that restrict HIPAA training to the practitioner alone, or that train only licensed clinical staff while leaving health coaches, nutritionists, care coordinators, and administrative personnel untrained, carry a documented compliance gap that cannot be closed retroactively after an incident has occurred.

The Functional Medicine Practitioner

The practitioner at the center of a functional medicine practice bears both the covered entity’s compliance obligations and the individual workforce member’s training obligations simultaneously. As the responsible party for the covered entity, the practitioner must ensure that a training program covering the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule exists, is delivered to all workforce members, and is documented in a form that can be produced for OCR review. As a workforce member who conducts patient encounters, reviews extensive intake histories, orders laboratory panels, interprets diagnostic results, and communicates clinical recommendations to patients and other providers, the practitioner also makes protected health information handling decisions throughout every clinical day that require direct HIPAA knowledge to execute correctly. A practitioner who has delegated training administration to staff without personally completing structured training cannot credibly oversee the compliance behaviors their workforce is required to maintain.

Health Coaches and Care Coordinators

Functional medicine practices frequently employ health coaches and care coordinators whose roles sit at the intersection of clinical support and patient education, and both positions generate protected health information handling obligations that many practices do not adequately recognize when designing their training programs. A health coach who reviews a patient’s dietary log, discusses their lifestyle history, supports implementation of a practitioner’s protocol, or documents session notes in the practice management system is accessing and creating protected health information under the HIPAA Privacy Rule. A care coordinator who schedules follow-up appointments, communicates laboratory results to patients, manages referral documentation, or liaises with external providers is transmitting and disclosing protected health information in ways governed by the HIPAA Privacy Rule’s permitted disclosure framework and minimum necessary standard. Neither role is exempt from the HIPAA Security Rule’s security awareness training requirement when those functions are performed through electronic systems.

Nutritionists and Functional Medicine Support Practitioners

Functional medicine practices that employ or contract with nutritionists, registered dietitians, acupuncturists, or other integrative health practitioners as part of a collaborative care model must ensure that each of those individuals receives HIPAA training if their work is conducted under the covered entity’s operational control and involves access to patient records or practice systems. A nutritionist who accesses a shared electronic health record to document dietary assessment findings, reviews a patient’s laboratory panel to inform a nutritional protocol, or uses the practice’s patient portal to communicate with patients is a workforce member subject to the same HIPAA Privacy Rule and HIPAA Security Rule training obligations as the primary practitioner. The covered entity’s training obligation does not diminish because a supporting practitioner holds an independent professional license or works on a part-time or contracted basis.

Administrative and Billing Staff

Front office personnel, scheduling staff, patient intake coordinators, and billing employees in functional medicine practices handle protected health information in operationally concentrated forms throughout every working day. They process appointment requests linked to clinical diagnoses and insurance information, manage patient intake questionnaires containing detailed personal and health history data, verify insurance eligibility using patient identifying and diagnostic information, and submit claims that transmit protected health information to health plans. Billing staff who process laboratory invoices, manage prior authorization requests for specialty testing, or handle collections communications involving patient account balances are applying the HIPAA Privacy Rule’s minimum necessary standard in every one of those transactions, whether or not they have received training that tells them so.

Training That Addresses Every Role in a Functional Medicine Practice

The HIPAA Training for Functional Medicine Practices course from The HIPAA Journal satisfies the mandatory HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule training requirements for every workforce member in a functional medicine practice, from the practitioner to the front desk. The course is structured for the small medical practice environment in which most functional medicine practices operate, with scenarios drawn from more than ten years of HIPAA breach and enforcement analysis that reflect the compliance situations functional medicine staff actually encounter. Mandatory modules cover PHI handling, patient rights, disclosure standards, security threat recognition, small practice compliance challenges, and the individual and organizational consequences of violations, with each module followed by a randomized assessment that confirms genuine understanding. Certificates are issued automatically to each learner on successful completion of all mandatory modules and assessments, and a real-time admin dashboard available for practices with five or more training seats allows practice owners to track completion across every role in the workforce and produce exportable records for OCR audit purposes.

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information.

PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces.

PJ's work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
Connect on LinkedIn.