How Often is HIPAA Training Required?
HIPAA training is required as often as is necessary to ensure the privacy of Protected Health Information (PHI) and the confidentiality, integrity, and availability of electronic PHI – notwithstanding that internal and external factors can increase the frequency of HIPAA training. In most cases it is necessary to provide HIPAA training more often than mandated by the HIPAA Privacy and Security Rules, and at least annually.
What Does the HIPAA Privacy Rule Say About HIPAA Training?
The HIPAA Privacy Rule states that covered entities must train workforce members on policies and procedures with respect to Protected Health Information “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”. (§164.530(b). This standard also applies to business associates “where provided” (§160.102).
Policy and procedure training must be provided “within a reasonable period of time after the person joins the covered entity’s workforce” and repeated when “functions are affected by a material change in the policies or procedures.” Material change training must be provided “within a reasonable period of time after the material change becomes effective.”
Deciphering the Privacy Rule HIPAA Training Requirements
Despite being a relatively short standard with few implementation specifications, there is plenty to discuss in the Privacy Rule HIPAA training requirements:
Who needs HIPAA training?
All members of the workforce with access to Protected Health Information (PHI) must receive HIPAA Privacy Rule training. In the case of a public facing organization, most members of the workforce could have access to PHI because (for example) a member of the catering team could identify a celebrity patient while carrying out their functions for the covered entity and disclose the information impermissibly on social media.
It is important to be aware that the term “workforce” does not just mean paid employees. The HIPAA definition of workforce is “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
What is HIPAA policy and procedure training?
HIPAA policy and procedure training is training on policies and procedures developed and adopted by the covered entity or business associate to comply with all applicable HIPAA Administrative Simplification standards. As most covered entities adopt and apply different policies and procedures in different ways, there is no “one size fits all” HIPAA policy and procedure training.
In addition, as HIPAA Privacy Rule training is “with respect to Protected Health Information”, there may be scenarios in which all workforce members of non-public facing organizations have to participate in HIPAA policy and procedure training. Examples include when an organization exclusively provides billing and remittance services as a business associate.
When else might business associates provide HIPAA Privacy Rule training?
Business associates should provide HIPAA Privacy Rule training when any member of the workforce has “hands-on” physical access to PHI. This may be because the business associate is providing a public-facing service for or on behalf of a covered entity, or because the business associate manually processes or analyzes PHI on behalf of a covered entity.
In such circumstances, it may only be necessary to provide HIPAA Privacy Rule training to members of the workforce with hands-on physical access to PHI (although the HIPAA Security Rule training requirements still apply). Additionally, it may only be necessary to provide selective HIPAA privacy training depending on the nature of the service being provided.
What are examples of material changes to HIPAA policies and procedures?
The most recent example of a significant material change to HIPAA policies and procedures that would result in material change training is the introduction of the attestation requirements for certain uses and disclosures of reproductive health information (§164.509) as this material change affects all workforce members with access to reproductive health information.
A further example might be if a healthcare provider receives a complaint that a patient’s request for a copy of their PHI was not attended to within 30 days. In this case, the healthcare provider might amend its procedures for responding to patient requests, but would only need to provide material change training to workforce members who deal with patient requests.
How Often is HIPAA Training Required Thereafter?
How often is HIPAA training required after the initial HIPAA Privacy Rule training has been provided is a fact-specific determination. The only HIPAA standard that stipulates how often is HIPAA training required is the “material change” standard. However, there are several internal and external factors that can increase the frequency of HIPAA training.
Internally, a risk assessment might identify the need for further HIPAA privacy training, or additional training may be used as a sanction for a minor violation of HIPAA by a member of the workforce. Additional training might also be an option if the perception exists that patients do not trust healthcare professionals to keep their sensitive information confidential.
External factors include responding to a complaint, compliance investigation, or data breach with additional training even when there have been no material changes to policies and procedures. HHS’ Office for Civil Rights can also impose corrective action plans that include workforce retraining in lieu of issuing a civil monetary penalty following a data breach.
If none of the internal or external factors occur that determine how often is HIPAA training required, it is a best practice to provide refresher HIPAA training to all members of the workforce annually. Many industry experts believe that annual HIPAA training on the Privacy Rule can help prevent noncompliant practices deteriorating into a culture of non-compliance. The HIPAA Journal has the best quality annual HIPAA training. The HIPAA Journal provides accredited HIPAA training for employees that meets industry standards and includes Continuing Education Units (CEUs). Courses feature testing and certification to ensure comprehension and accountability. Key topics such as social media use are also covered, helping organizations maintain compliance and safeguard patient information.
What Are the HIPAA Security Rule Training Requirements?
The HIPAA Security Rule training requirements are that all covered entities and business associates must “implement a security awareness and training program for all members of its workforce (including management)” (§164.308(a)(5)). However, it is important not to take the HIPAA Security Rule training requirements out of context of the General Security Standards (§164.306(a)) which require each covered entity or business associate to:
(1) Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part [the HIPAA Privacy Rule].
(4) Ensure compliance with this subpart [the HIPAA Security Rule] by its workforce.
With this in mind, the content of a HIPAA security awareness and training program should be based on an “assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI” (as required by §164.308(a)(1)) and the workforce’s knowledge of applicable HIPAA Privacy Rule standards. The content of the training also must be relevant to members of the workforce with no access to PHI.
The reason why the content of HIPAA security awareness training must be relevant to members of the workforce with no access to PHI is that any member of the workforce who uses a network-connected device could be a target for a cybercriminal. Cybercriminals that infiltrate network-connected devices can move laterally through the network to access systems containing PHI or deploy malware that could cripple the network.
How Often Must HIPAA Security Awareness Training be Provided?
HIPAA security awareness training is not a one-off event, but rather a “program”. Consequently, it is necessary to schedule regular security awareness training to comply with HIPAA. In the context of how often is HIPAA training required to satisfy the HIPAA Security Rule training requirements, this is also a fact-specific determination.
The factors that determine how often is HIPAA training required to satisfy the HIPAA Security Rule training requirements not only include risk assessments, sanctions, and materials changes. HIPAA security awareness may also be required whenever a new technology is implemented or when configuration changes are made to an existing technology.
The frequency and content of HIPAA security awareness training may also be dependent on how much responsibility individual workforce members have for the security of devices and how they are used. If access to electronic PHI is closely controlled and monitored, it may only be necessary to provide generic security awareness training quarterly (i.e., phishing simulation).
However, if workforce members (for example) create, receive, store, or transmit electronic PHI via personal devices, use removable media in their roles, or are responsible for transferring electronic PHI to third parties, it will be necessary to provide HIPAA security awareness training more frequently to ensure workforce members are kept up to date with cybersecurity threats.
HHS Penalties for the Failure to Provide HIPAA Training
When HHS’ Office for Civil Rights issues penalties for HIPAA violations, it is usually the “headline” violation that gets noticed (i.e., a data breach due to an unencrypted laptop). However, an underlying reason for a data breach may be the failure to provide HIPAA privacy and security awareness training.
When this is the case, the amount of the HHS penalty can be increased to reflect the secondary HIPAA violation (e.g., the failure to provide HIPAA privacy and security awareness training) . Examples of HHS penalties for the failure to provide HIPAA training include:
- In September 2020, Athens Orthopedic Clinic agreed to pay $1.5 million to resolve alleged violations of HIPAA including the failure to provide Privacy Rule training prior to 2018. As part of a corrective plan, the Clinic was required to retrain its workforce.
- In November 2023, St. Joseph’s Medical Center agreed to an $80,000 settlement for disclosing three patients’ PHI to news reporters. Although only a few workforce members were responsible for the impermissible disclosure, all members of the workforce had to retake HIPAA training.
- In December 2019, West Georgia Ambulance Inc agreed to pay $65,000 and adopt a corrective action plan following the loss of an unencrypted laptop. During the investigation into the breach, it was found the organization did not have a security awareness training program
- State Attorneys General can also issue fines for violations of HIPAA; and, in October 2023, the NY State Attorney General fined Personal Touch Holding Corp. $350,000 for multiple violations of HIPAA and state law, including inadequate HIPAA security training.
- Previously, a 2022 settlement between Aveanna Healthcare and the Massachusetts AG had unique training requirements inasmuch as members of the workforce that did not complete a mandatory training course were to have access to PHI removed.
Workforce Self-Responsibility for HIPAA Knowledge
So far, this article has focused on how often is HIPAA training required from an employer’s perspective. However, all members of a covered entity’s or business associate’ s workforce are responsible for ensuring their knowledge of HIPAA is adequate to perform their functions in compliance with HIPAA and understand their employer’s HIPAA policies and procedures.
This is because the HIPAA Privacy Rule requires covered entities (and business associates where applicable) to impose sanctions on workforce members for violations of the HIPAA Privacy Rule or HIPAA Breach Notification Rule even if the nature of the violation has not been covered in the employer’s HIPAA policy and procedure training (§164.530(e)).
The HIPAA Security Rule requires regulated entities to apply sanctions on workforce members who fail to comply with the organization’s security policies and procedures (§164.308(a)). These standards imply that not only is it necessary for all workforce members to have a knowledge of applicable HIPAA standards, but also that the knowledge is adequate to understand HIPAA policies and procedures.
For example, if a covered entity does not train members of the workforce on its social media policies, and a member of the workforce impermissibly discloses PHI via a private social media account from home, the employer must sanction the workforce member for violating the HIPAA Privacy Rule or themselves be in violation of the HIPAA Privacy Rule.
With regards to understanding HIPAA policies and procedures, a HIPAA Security Officer may train members of the workforce to use technologies A, B, and C to transmit electronic PHI, but if a member of the workforce downloads an unsanctioned technology D “to get the job done”, they will be in violation of the organization’s security policies and procedures even though no violation of HIPAA may have resulted from their non-compliance.
How Workforce Members Can Take Responsibility for HIPAA Knowledge
Workforce members can take responsibility for their HIPAA knowledge by subscribing to an external HIPAA awareness training course that provides “foundation-level” knowledge of the HIPAA Rules and regulations. In many cases, courses can be taken remotely at a pace to suit individuals’ availability, and typically award a certificate of completion following an end of course test. Self attestation for the HIPAA training is ineffective and unlikely to meet the HIPAA requirements for training due to the lack of retention during passive training.
Having a foundation level knowledge of HIPAA can mitigate the risk of a violating HIPAA due to a lack of knowledge or understanding, or due to workplace HIPAA training failing to cover “all potential risks and vulnerabilities” and the workforce’s knowledge of applicable HIPAA Privacy Rule standards. It is not safe to assume an organization will cover all bases in its training.
Having a certificate of HIPAA training – particularly when the course is provided by an accredited training provider – demonstrates a commitment to HIPAA compliance and can mitigate the sanctions applied to a workforce member in the event of an accidental HIPAA violation. It can also help jobseekers apply for more rewarding positions in the healthcare industry.
One final benefit of having access to an on demand HIPAA training course is that workforce members can retake the course whenever they feel it is necessary. This means it is no longer reliant on an employer to determine how often is HIPAA training required, and that workforce members can take responsibility for their knowledge of HIPAA and understanding of HIPAA policies and procedures.
How Often is HIPAA Training Required? FAQs
How might training differ for different categories of the workforce?
This can depend on the nature of the covered entity’s operations, but a good example is when a covered entity employs public-facing employees and “backroom” employees who never deal with the public. Those with public-facing roles may need more training on policies relating to the Minimum Necessary standard, while those who never deal with the public may need more training on the Administrative Requirements.
How could a covered entity provide unnecessary training?
Topics such as the background to HIPAA and the evolution of HIPAA may be interesting to trainers; but, for those who have to apply the HIPAA Rules in their day-to-day roles, such topics can be a distraction. While it can be helpful to include some background information to put the rest of the training in context, focusing too much on who signed HIPAA, or the effective date of each Rule, can obscure the purpose of HIPAA training.
Do business associates only have to comply with the Security Rule training requirements?
Although the only reference to HIPAA training for Business Associates appears in the Security Rule, the standards of the HIPAA Privacy Rule can apply to a business associate depending on the service being provided for a covered entity. In some circumstances, it may be necessary for business associates to provide training on the HIPAA Administrative Requirements, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule
What should be included in HIPAA security and awareness training?
The contents of a security and awareness training program should be determined by a risk analysis. The risk analysis will help Security Officers identify vulnerabilities that could result in a data breach and should help identify the best solutions to fix the vulnerabilities. Importantly, security and awareness training should be an ongoing program rather than a one-off event, giving Security Officers the opportunity to revise the content of training as new vulnerabilities are identified.
How often should all staff be trained on HIPAA?
All staff should be trained on the applicable standards of the HIPAA Privacy Rule at least annually, while security awareness and training should be provided more frequently. Annual training ensures that if some members of the workforce have received refresher training due to a limited material change, new technology, or sanction, other members of the workforce are reminded of their compliance obligations.
Is HIPAA training required annually?
HIPAA training is not required annually inasmuch as annual HIPAA training is not mandated by the HIPAA Privacy and Security Rules. Nonetheless, it is a best practice to provide refresher training at least annually if it has not been provided due to a material change, new technology, or sanction. If HIPAA training is not provided at least annually by a covered entity or business associate, it is advisable for workforce members to take responsibility for their HIPAA knowledge by subscribing to an external HIPAA training course.
With regards to the HIPAA training requirements, how often must HIPAA privacy training be updated?
With regards to the HIPAA training requirements, how often HIPAA privacy training must be updated depends on factors such as material changes, the results of risk analyses, and corrective action plans issued by HHS Office for Civil Rights. However, it is advisable to continually monitor workforce compliance and update HIPAA privacy training whenever it is considered necessary to prevent avoidable violations of HIPAA. The HIPAA Journal provides HIPAA training that is constantly updated with the latest HIPAA rules and best practices, making it one of the best choices for HIPAA training.
How often should HIPAA training be done?
HIPAA training should be done by a covered entity or business associate as often as necessary to maximize the likelihood of a compliant workforce. HIPAA training should be done by individual members of the workforce whenever they feel there is a gap in their HIPAA knowledge or understanding, or whenever they feel their employment prospects will improve by achieving a HIPAA certification.
After initial training, how often must security and privacy training be completed?
After initial training, how often security and privacy training must be completed is a fact specific determination. For example, if a risk analysis identifies compliance failings due workforce members sharing login credentials, it will be necessary to repeat security awareness training. Similarly, if a risk analysis identifies a misunderstanding of patients’ HIPAA rights, it will be necessary to provide additional HIPAA privacy training.

