What are the HIPAA training record retention rules?

HIPAA requires you to keep training documentation for each workforce member for at least six years, measured from the date the record was created or from the date it was last in effect, whichever is later, so you can prove who was trained, when training occurred, and what was covered if asked by regulators.

The HIPAA regulations for training record retention

  • Privacy Rule training requirement
    “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
    45 CFR §164.530(b)(1)

  • Privacy Rule documentation retention
    “A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.”
    45 CFR §164.530(j)(2)

  • Security Rule training requirement
    “Implement a security awareness and training program for all members of its workforce (including management).”
    45 CFR §164.308(a)(5)(i)

  • Security Rule documentation retention
    “Retain the documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.”
    45 CFR §164.316(b)(2)(i)

What to keep in each trainee’s file

  • Completion proof such as certificates or electronic attestations

  • Course title, identifier, and version

  • Enrollment, start, and completion timestamps

  • Assessment or quiz results and pass status

  • Brief topic summary aligned to Privacy Rule and Security Rule subjects

How long to retain

Maintain each trainee’s records for at least six years from creation or last effective date, whichever is later. If you update or replace a course, keep the superseded course records for six years from the date they were last in effect.

HHS OCR audits and investigations

During an HHS Office for Civil Rights audit or investigation, you may be asked to produce training records to demonstrate that required instruction was delivered to the right personnel at the right time. Complete, well-organized HIPAA training records that show who was trained, when training occurred, which course version was used, and how competency was verified can streamline the review and support your compliance program.

HIPAA Training for Employees

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/