# HIPAA Training Requirements for Employees

## Quick Answer
HIPAA requires all workforce members who handle PHI to receive training on privacy and security policies. Training must be provided at onboarding, when policies change, and refreshed periodically (annual training is the industry standard).
## HIPAA Training Requirements Overview
HIPAA requires covered entities and business associates to train all workforce members who have access to PHI. "Workforce" includes employees, volunteers, trainees, and anyone under the organization's direct control — not just full-time staff.
## Key Takeaways
- All workforce members with PHI access must be trained — not just clinical staff
- Training must cover both Privacy Rule and Security Rule requirements
- Required at onboarding, when policies change, and periodically (annual is standard practice)
- Completion must be documented and records retained for 6 years
- Online training platforms cost $15-$50 per user per year
## Who Needs HIPAA Training?
- All employees who access, use, or disclose PHI in any capacity
- Temporary staff, contractors, and volunteers with PHI access
- Management and executives (including C-suite)
- IT staff who maintain systems containing PHI
- Administrative staff who handle billing, scheduling, or patient communication
- Business associate employees who access covered entity PHI
## What Training Must Cover
| Topic Area | Key Content | Rule Source |
|---|---|---|
| What is PHI? | Definition, 18 identifiers, ePHI vs physical PHI | Privacy Rule |
| Permitted uses/disclosures | Treatment, payment, operations, authorizations, minimum necessary | Privacy Rule |
| Patient rights | Access, amendment, restriction, confidential communication | Privacy Rule |
| Security safeguards | Passwords, MFA, device security, encryption, reporting | Security Rule |
| Breach recognition/reporting | What constitutes a breach, internal reporting procedures | Breach Notification Rule |
| Sanctions | Consequences of HIPAA violations, organization's sanctions policy | Both Rules |
| Role-specific responsibilities | Specific procedures for the employee's job function | Both Rules |
| Social engineering awareness | Phishing, pretexting, vishing, and how to respond | Security Rule |
## Training Frequency

### HIPAA Training Schedule

- **New hire onboarding:** HIPAA training must be provided within a reasonable time after an employee starts. Best practice: complete training within the first week, before any PHI access is granted.
- **Policy changes:** Training must be provided whenever policies or procedures change in a way that affects the employee's role or PHI handling.
- **Annual refresher:** HIPAA does not specify "annual," but annual refresher training for all workforce members is the industry standard and what OCR expects.
- **After incidents:** Additional targeted training should be provided when security incidents reveal training gaps or when new threats emerge.
## Documentation Requirements

### Training Documentation Checklist

- Employee name and role
- Date training was completed
- Training content/topics covered
- Training method (online, in-person, video)
- Employee acknowledgment (signature or electronic confirmation)
- Assessment/quiz results (if applicable)
- Records retained for a minimum of 6 years
> **⚠️ No Documentation = No Training**
>
> In an OCR investigation, you must prove training occurred. Verbal training with no documentation is treated the same as no training. Always maintain written or electronic records of training completion, including the content covered, dates, and employee acknowledgments.
## Training Options and Costs

| Figure | What It Measures | Notes |
|---|---|---|
| $15-$50 | Per user per year | Online training platforms |
| 1-2 hours | Typical duration | For comprehensive annual training |
| $0 | HHS resources | Free training materials from HHS/OCR |
| 6 years | Record retention | Minimum retention period for training records |
## Frequently Asked Questions

### Does HIPAA require annual training?
HIPAA requires training upon hiring and when policies change, but doesn't explicitly say "annual." However, annual refresher training is the widely accepted industry standard, and OCR expects it. Most enforcement actions cite lack of regular training as a deficiency.
### Can training be online?
Yes. Online training is widely accepted and often preferred because it provides automatic documentation, consistent content, and completion tracking. Most HIPAA compliance tools include training modules.
### Do IT staff need HIPAA training even if they don't access PHI directly?
Yes, if they administer systems that contain PHI. IT staff often have elevated access and are critical for maintaining security safeguards. Their training should include both general HIPAA awareness and role-specific technical security requirements.
### What if an employee refuses to complete training?
HIPAA training is not optional. Failure to complete required training should trigger your organization's sanctions policy. Document the refusal and any corrective actions taken. Continued refusal may warrant restriction of PHI access or disciplinary action.