Keep online HIPAA training records for each trainee for at least six years from the date the record was created or the date it was last in effect, whichever is later. A complete record includes the completion certificate, the completion timestamp, assessment or quiz results, the trainee's attestation, and the version of the training content that was delivered, so that the record can be produced on request. The six-year period attaches to the documentation itself: the Privacy Rule requires a covered entity to document that training was provided (45 CFR §164.530(b)(2)(ii)), and both Rules then require that documentation to be retained. The precise regulations are:
Privacy Rule training requirement:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
45 CFR §164.530(b)(1)
Privacy Rule documentation retention:
“A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.”
45 CFR §164.530(j)(2)
Security Rule training requirement:
“Implement a security awareness and training program for all members of its workforce (including management).”
45 CFR §164.308(a)(5)(i)
Security Rule documentation retention:
“Retain the documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.”
45 CFR §164.316(b)(2)(i)
Keep complete online HIPAA training records for each trainee because they are the primary evidence that the workforce training requirement was met. If a violation or breach is investigated, or during an HHS OCR audit or complaint investigation, the records may be requested to verify who was trained, when the training occurred, and what content was covered. A record that cannot be produced is treated as training that cannot be shown to have happened.