HIPAA Compliance Training: What Your Practice Is Required to Do
TLDR
HIPAA requires covered entities to train every workforce member on privacy and security policies — at hire and whenever policies change materially. There is no minimum duration or mandated format, but training must be appropriate to each person's role and fully documented. Undocumented training is treated the same as no training during an OCR investigation.
HIPAA compliance training is one of the most commonly cited deficiencies in OCR investigations — not because practices skip it entirely, but because they fail to document it. A staff meeting about privacy policies counts for nothing if there is no record it happened.
This guide covers exactly what the regulation requires, who must be trained, what the training must address, and what documentation you need to survive an audit.
What HIPAA Requires for Employee Training
Two separate HIPAA rules create training obligations.
The Privacy Rule (45 CFR §164.530(b)) requires covered entities to train all workforce members on the practice’s privacy policies and procedures. Training must occur for every new hire and whenever policies change in a material way.
The Security Rule (45 CFR §164.308(a)(5)) requires a separate security awareness and training program. This covers how your practice protects electronic protected health information (ePHI) — including threats like phishing, malware, and unauthorized access.
Neither rule specifies a minimum number of training hours or a required format. The standard is that training must be “appropriate for the functions of the members of the workforce.” A front desk coordinator who handles appointment scheduling needs different training than a billing specialist with access to full patient records. Role-based training that matches what each person actually does satisfies this requirement better than a one-size-fits-all approach.
Who Must Be Trained
The HIPAA definition of “workforce” is wider than most practices realize. It includes:
- All paid employees (full-time, part-time, and temporary)
- Volunteers
- Students and trainees on clinical rotations
- Contractors who work under the direct control of the covered entity
An independent contractor who sets their own hours and methods — and is not under your direct supervision — generally falls outside this definition. However, if that contractor handles PHI, they should be a business associate with a signed BAA and their own training obligations.
When in doubt, train them. The downside of unnecessary training is minimal. The downside of an untrained person causing a breach is a potential HIPAA violation.
What Training Must Cover
Privacy training topics:
- What constitutes protected health information (PHI) — and what does not
- How your practice collects, uses, and discloses PHI
- Patients’ rights regarding their own health information (access, amendments, restrictions)
- Employee responsibilities and the consequences of unauthorized disclosure
- How to identify and report a suspected privacy violation or breach
Security training topics (for staff with access to ePHI):
- Your practice’s security policies and procedures
- Phishing awareness — how to identify suspicious emails and links
- Password policies — length, complexity, reuse, sharing prohibitions
- Device security — screen locks, encryption, proper use of personal devices if permitted
- Incident reporting — how and when to escalate a suspected security event
Not every topic applies equally to every role. A medical assistant with no computer access does not need detailed phishing training. Tailor the content to the access each role actually has.
How Often Training Is Required
HIPAA explicitly requires training:
- At hire — before a new workforce member begins working with PHI
- When material changes occur — any significant revision to privacy or security policies triggers a retraining obligation for affected staff
Annual refresher training is not written into the regulation as a hard requirement. However, OCR guidance, enforcement actions, and the agency’s audit protocol all reflect an expectation that practices conduct periodic retraining. A practice that last trained staff three years ago will have a harder time demonstrating an effective compliance program.
A practical approach: run training at hire, conduct an annual refresh (tied to your policy review cycle), and retrain whenever you change your EHR, add new staff roles with PHI access, or revise your Notice of Privacy Practices.
What Documentation You Need
Documentation is where most practices fail. HIPAA requires covered entities to retain training records for six years from creation or last effective date. The records must show, at minimum:
- Who was trained (by name, not just job title)
- When training was completed (date, not just month or quarter)
- What was covered (topic or training module title)
If you use an e-learning platform, it should generate a completion report automatically. If training is conducted in person, maintain a sign-in sheet with the date and agenda. If you use a handbook or written materials, have each staff member sign an acknowledgment confirming they received and reviewed the content.
Training logs with gaps — missing names, undated entries, no record of new hires — are treated the same as no training during an OCR investigation.
How to Keep Training Records Without a Compliance Officer
Small practices rarely have a dedicated compliance officer. In practice, training administration falls to the practice administrator or office manager. The administrative overhead is manageable if you build a simple system:
Keep a central training log. A spreadsheet with columns for name, role, training date, topic, and trainer works. The goal is to be able to pull a complete record for any staff member on short notice.
Tie training to onboarding. Build privacy and security training into your new hire checklist so it cannot be skipped.
Schedule your annual review. Set a recurring calendar reminder tied to your policy review date. When you review and update policies, schedule retraining for affected staff at the same time.
Store acknowledgment forms with personnel records. Keep signed acknowledgments — whether for handbooks, online completions, or in-person sessions — in each person’s personnel file or a dedicated compliance folder.
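One way to check a central training log of this shape against the minimums described above (a name, a full date, a topic per entry, a record for every new hire, and retraining after a material policy change). This is an added example, not PHIGuard's code or anything from the article; the roster, the log rows and the policy-change date are constructed sample data.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): roster (name -> hire date) and a training log
ROSTER = {
    "A. Rivera": date(2023, 2, 1),
    "B. Chen": date(2024, 9, 16),    # new hire who never appears in the log
    "C. Okafor": date(2022, 5, 9),   # only entry is dated by quarter, not by day
    "D. Patel": date(2022, 1, 3),    # trained once, never retrained after the policy change
}
LOG_CSV = """name,role,training_date,topic,trainer
A. Rivera,Billing,2023-02-01,Privacy Rule basics,Office Manager
A. Rivera,Billing,2024-03-15,Phishing awareness,Office Manager
,Front Desk,2024-03-15,Phishing awareness,Office Manager
C. Okafor,Medical Assistant,2024-Q2,Device security,Office Manager
D. Patel,Front Desk,2023-06-01,Privacy Rule basics,Office Manager
"""
POLICY_CHANGE = date(2024, 1, 10)  # hypothetical date of a material privacy-policy revision


def parse_date(text):
    """Accept only a full YYYY-MM-DD date; a month- or quarter-only entry counts as a gap."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None


def audit_training_log(log_csv, roster, policy_change):
    """Return the gaps an OCR investigator would treat as 'no training'."""
    findings = []
    dated = {}  # name -> dates of complete (name + full date + topic) entries
    for line_no, row in enumerate(csv.DictReader(io.StringIO(log_csv)), start=2):
        name, topic = row["name"].strip(), row["topic"].strip()
        when = parse_date(row["training_date"])
        if not name:
            findings.append(f"log line {line_no}: no name recorded (role alone is not enough)")
        if when is None:
            findings.append(f"log line {line_no}: '{row['training_date']}' is not a full date")
        if not topic:
            findings.append(f"log line {line_no}: no topic recorded")
        if name and when and topic:
            dated.setdefault(name, []).append(when)
    for name, hired in roster.items():  # every workforce member needs a complete record
        entries = dated.get(name, [])
        if not entries:
            findings.append(f"{name}: no complete training record on file (hired {hired})")
        elif max(entries) < policy_change:
            findings.append(f"{name}: not retrained since the policy change on {policy_change}")
    return findings
```

Running `audit_training_log(LOG_CSV, ROSTER, POLICY_CHANGE)` lists the unnamed row, the quarter-only date, the two members with no complete record, and the member who was never retrained.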
PHIGuard’s compliance dashboard tracks training completion by staff member, including date and topic, so you have an audit-ready log without managing a separate spreadsheet. Every tier — including the $20/month Practice plan — includes a BAA and training log features.
The documentation requirement is non-negotiable. A practice that trains well but documents poorly is exposed to the same enforcement risk as one that skips training entirely.
Definitions
- Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits health information electronically. Covered entities are directly subject to all HIPAA requirements, including workforce training.
- Workforce: Under HIPAA, workforce means employees, volunteers, trainees, and other persons whose work is under the direct control of the covered entity — whether or not they are paid. This is broader than most practices assume.
- Material Change: A significant revision to privacy or security policies that affects how workforce members handle PHI. Material changes trigger a training requirement — the new policy cannot simply be posted without retraining affected staff.
- Training Documentation: The records a covered entity must retain to prove training occurred. Minimum documentation includes who was trained, the date of training, and the topics covered. HIPAA requires retaining these records for six years.
Q&A
What does HIPAA actually require for training?
The HIPAA Privacy Rule (45 CFR §164.530(b)) requires covered entities to train all workforce members on privacy policies and procedures as necessary for them to carry out their functions. Training must happen for new hires and whenever material changes to policies occur. The Security Rule (45 CFR §164.308(a)(5)) adds a separate requirement for security awareness training, including phishing awareness and password management.
What topics must HIPAA training cover?
Privacy training must cover what PHI is, how your practice protects it, employee rights and responsibilities, and how to report a suspected breach or violation. Security training must address security policies and procedures, recognizing phishing and social engineering, password management, and device security — including proper use of personal devices if your practice allows them.
What training records does OCR expect to see?
OCR expects a log that shows, at minimum, the name of each workforce member trained, the date training was completed, and the subject matter covered. If training content changes between cycles, records should reflect which version of the training each person received. These records must be retained for six years from creation or last effective date.