
Best HIPAA Compliance Training Platforms

A comparison of HIPAA compliance training platforms for medical clinics, covering BAA availability, training content quality, and completion tracking.

Decision summary

The HIPAA Security Rule requires covered entities to run a security awareness and training program for every workforce member, including management. The Privacy Rule requires training on privacy policies and procedures appropriate to each person's role. Both rules require the training to be documented and the documentation retained for six years. Whether the training platform itself needs a business associate agreement depends on whether it creates, receives, maintains, or transmits PHI on the clinic's behalf, not simply on whether it stores employee names and completion dates; a BAA-capable vendor removes the question, which is why BAA availability is a comparison criterion below. Platform quality varies widely, from generic compliance checkbox videos to role-differentiated healthcare training with auditable completion records.

The compliance requirement behind HIPAA training

The Security Rule at 45 CFR 164.308(a)(5) requires covered entities to implement a security awareness and training program for all workforce members. The Privacy Rule at 45 CFR 164.530(b) requires training on privacy policies and procedures. Both rules require documentation.

Training is one of the most commonly cited deficiencies in OCR investigations. The question investigators ask is simple: can you produce records showing who was trained, on what, and when? A clinic that ran informal verbal training or used videos without tracking completion cannot answer that question.

What a compliant training program requires

Requirement                        Rule reference
Initial training at hire           45 CFR 164.530(b)(2)(i)(B)
Training on policy changes         45 CFR 164.530(b)(2)(i)(C)
Security awareness program         45 CFR 164.308(a)(5)(i)
Documented completion records      45 CFR 164.530(b)(2)(ii)
Six-year record retention          45 CFR 164.530(j)(2)

Training platforms with BAA availability

Accountable HQ — Includes HIPAA training modules alongside its broader compliance platform. Training completion is logged per user. A BAA is available. Well-suited to small and mid-sized practices that want training and compliance documentation in one place.

Compliancy Group — Provides training content as part of its guided compliance platform. Includes coach support for setting up a defensible training program. BAA available. Pricing is higher than self-service options.

HealthStream — A purpose-built healthcare learning management system. Includes HIPAA training content, competency tracking, and role-specific modules. Used widely in hospital systems. Pricing and contract terms are typically oriented toward larger organizations.

MedTrainer — Healthcare-focused compliance and learning management platform. Includes HIPAA training, policy management, and credentialing tools. BAA available. Offers per-user and per-organization pricing. A practical option for small and mid-sized clinical organizations.

What to avoid

Generic LMS platforms — A general-purpose learning management system may offer HIPAA content as a catalog item. These platforms are rarely designed around the audit trail and BAA requirements specific to covered entities.

One-time video courses without tracking — A staff member watching a YouTube video or a webinar recording does not create a documented training record. Completion must be logged in a system that can produce that record on demand.

Decision criteria for small clinics

Role differentiation — Billing staff, clinical staff, and administrative staff have different PHI exposure. Training that is identical across all roles is harder to defend than role-specific content tied to actual job functions.

Record export — Verify that the platform can export training completion records in a format suitable for an audit response. Some platforms lock records behind their own reporting interfaces.

Integration with your compliance program — A training platform that operates in isolation creates a separate record system from your policies, BAA inventory, and incident log. Platforms that combine training with broader compliance documentation reduce the administrative burden.
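The three questions an investigator asks (who was trained, on what, and when) and the two events that trigger training under 45 CFR 164.530(b)(2)(i) (a new hire and a material policy change) can be checked mechanically once completion records carry a person, a role, a module, a module version and a date. The following is an added example, not code from this page or from any of the platforms compared above; the names, roles, module titles and dates are constructed sample data, and the 30-day grace period for new hires is an assumption standing in for the rule's "reasonable period of time".

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import csv
import io

# Added example: a minimal training ledger that answers "who was trained,
# on what, and when", flags new hires and stale records after a material
# policy change, and exports an audit-ready CSV with retention dates.
# All workforce members, records and dates below are constructed samples.

RETENTION_YEARS = 6  # 45 CFR 164.530(j)(2) and 164.316(b)(2)


@dataclass(frozen=True)
class TrainingRecord:
    person: str
    role: str
    module: str          # what content was delivered
    module_version: str  # which revision of the policy it reflected
    completed: date      # when


@dataclass(frozen=True)
class WorkforceMember:
    person: str
    role: str
    hired: date


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; a 29 Feb start date rolls to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expires(record: TrainingRecord, last_effective: Optional[date] = None) -> date:
    """Earliest date a record may be destroyed: six years from the later of
    its creation date and the date it was last in effect."""
    start = record.completed if last_effective is None else max(record.completed, last_effective)
    return add_years(start, RETENTION_YEARS)


def latest_by_person(records, module):
    """Most recent completion of `module` per person."""
    latest = {}
    for r in records:
        if r.module == module and (r.person not in latest or r.completed > latest[r.person].completed):
            latest[r.person] = r
    return latest


def training_gaps(workforce, records, module, policy_effective, affected_roles, as_of, grace_days=30):
    """Return {person: reason} for everyone who cannot show a valid record.

    'untrained' - no completion of the module and hired more than grace_days ago
    'stale'     - last completion predates a material policy change that affects
                  the person's role (164.530(b)(2)(i)(C))
    grace_days is an assumed stand-in for the rule's "reasonable period".
    """
    latest = latest_by_person(records, module)
    gaps = {}
    for m in workforce:
        rec = latest.get(m.person)
        if rec is None:
            if (as_of - m.hired).days > grace_days:
                gaps[m.person] = "untrained"
        elif m.role in affected_roles and rec.completed < policy_effective:
            gaps[m.person] = "stale"
    return gaps


def audit_export(records) -> str:
    """CSV an investigator can read: who, role, what, version, when, retain-until."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["person", "role", "module", "version", "completed", "retain_until"])
    for r in sorted(records, key=lambda r: (r.person, r.completed)):
        w.writerow([r.person, r.role, r.module, r.module_version,
                    r.completed.isoformat(), retention_expires(r).isoformat()])
    return buf.getvalue()


# Constructed sample data.
WORKFORCE = [
    WorkforceMember("A. Rivera", "billing", date(2022, 3, 1)),
    WorkforceMember("B. Chen", "clinical", date(2023, 6, 12)),
    WorkforceMember("C. Okafor", "admin", date(2024, 11, 4)),    # new hire, never trained
    WorkforceMember("D. Patel", "clinical", date(2024, 12, 20)),  # new hire, still in grace period
]
RECORDS = [
    TrainingRecord("A. Rivera", "billing", "Privacy policies", "v2", date(2024, 1, 15)),
    TrainingRecord("B. Chen", "clinical", "Privacy policies", "v2", date(2024, 1, 15)),
    TrainingRecord("B. Chen", "clinical", "Privacy policies", "v3", date(2024, 10, 2)),
]
POLICY_V3_EFFECTIVE = date(2024, 9, 1)  # material change affecting billing and clinical roles
AS_OF = date(2025, 1, 5)

if __name__ == "__main__":
    print(training_gaps(WORKFORCE, RECORDS, "Privacy policies",
                        POLICY_V3_EFFECTIVE, {"billing", "clinical"}, AS_OF))
    print(audit_export(RECORDS))
```

With the sample data, A. Rivera is flagged as stale (trained on v2 before the v3 change took effect in a billing role), C. Okafor as untrained (hired 62 days before the check with no record), while B. Chen's v3 completion and D. Patel's recent hire date clear. The export column `retain_until` is what lets a clinic answer the six-year retention question without re-deriving it during an audit.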

PHIGuard uses flat per-clinic pricing with annual billing shown by default, no per-user fees, and a BAA included on every public plan. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask when narrowing a shortlist

How often must a clinic conduct HIPAA training?

At hire for all new workforce members, and again for anyone whose job functions are affected by a material change in policies or procedures. Annual refreshers are not explicitly required by the Privacy Rule, but the Security Rule's addressable "periodic security updates" specification at 45 CFR 164.308(a)(5)(ii)(A) is usually satisfied with them, and they are standard practice and defensible in investigations.

Can a clinic use YouTube videos or free online courses for HIPAA training?

Free training content is permissible if it covers required topics and completion can be documented. The risk is in record-keeping: if you cannot prove who completed training and when, the training is not defensible.

What records must a clinic keep about HIPAA training?

Documentation of who was trained, what content they received (ideally including which version of the policy it reflected), and the date of completion. Retain these records for six years from the date of creation or the date they were last in effect, whichever is later, under both 45 CFR 164.530(j)(2) (Privacy Rule) and 45 CFR 164.316(b)(2) (Security Rule).

Does the training platform need a BAA?

Only if it creates, receives, maintains, or transmits PHI on the clinic's behalf. Workforce training records (names, job roles, completion dates) are employment records, which the PHI definition at 45 CFR 160.103 excludes, so a platform that holds nothing but those is not a business associate on that basis alone. It becomes one if, for example, it ingests patient data for scenario-based training or integrates with systems that hold PHI. Because that boundary is easy to cross as a platform grows, confirm BAA availability before use.

Operational assurance

Move from comparison pages to a safer operating system.

PHIGuard is built for clinics that need a BAA, auditability, and recurring compliance work in one place instead of stitched across tools.

BAA included: legal baseline available on every plan.
Audit history: compliance actions stay reviewable later.
No card upfront: start evaluation before billing setup.

No credit card required. Add billing details later if you want service to continue after the trial.