What are the HIPAA Training Requirements?

HIPAA training requirements set clear expectations for what covered entities must teach their workforce about protecting PHI and securing ePHI, and most organizations meet those expectations with structured onboarding plus annual refresher training for every staff member.

What HIPAA workforce training is meant to accomplish

HIPAA workforce training is about making sure people understand and follow your organization’s privacy and security policies and procedures in day-to-day work. It also includes security awareness so staff can recognize and reduce common threats that lead to breaches, including phishing, malware, weak passwords, and suspicious log-in activity. Training works best when it is role-based, documented, and repeated often enough to stay current with changes in technology, workflows, and internal policies.

The full and exact regulatory text on HIPAA training

Below is the full and exact text of the HIPAA regulatory provisions that establish workforce training obligations and security awareness training requirements.

Privacy Rule workforce training

45 CFR §164.530(b)(1)
A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

45 CFR §164.530(b)(2)(i)
A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the workforce; and
(C) To each member of the workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

45 CFR §164.530(b)(2)(ii)
A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided.

Security Rule security awareness and training

45 CFR §164.308(a)(5)(i)
Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

45 CFR §164.308(a)(5)(ii)
Implementation specifications. Implement:
(A) Security reminders (Addressable). Periodic security updates.
(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

Who must be trained

Workforce training applies broadly in practice because the workforce includes employees, management, temporary staff, volunteers, trainees, and other personnel whose work is directed by the organization. The practical rule for implementation is simple. If a person’s work can involve PHI, they need HIPAA privacy training aligned to your policies and procedures. If a person uses systems or devices that can affect ePHI, they need security awareness training aligned to your security program.

Industry best practice is to treat HIPAA training as universal for staff, and then add role-based modules for higher risk functions such as front desk, clinical operations, billing, IT, and leadership.

How often HIPAA training is required in practice

HIPAA does not name a fixed annual interval in the training rule text, but it does require training within a reasonable period after a person joins the workforce and within a reasonable period after material policy or procedure changes take effect. Because threats, technology, and workflows change throughout the year, annual HIPAA training is widely used as a baseline cadence for refreshers, with additional training when any of the following occurs.

A new workflow that affects access to PHI or ePHI
A system change such as a new EHR or new patient communication tool
A security incident, near miss, or pattern of mistakes
A policy update that changes how information is used, disclosed, or safeguarded

What a compliant training program should cover

A HIPAA training program should connect the rules to the way work is actually done in your setting. For covered entities, that usually means training that explains what PHI is, how it may be used and disclosed, how to apply minimum necessary, how to verify identity, how to handle patient requests, and how to report concerns or incidents. It also means training that explains your internal policies, since HIPAA training is tied to the procedures your organization adopts.

Security awareness training should reflect how staff actually get attacked or make mistakes, including email threats, unsafe browsing, weak authentication habits, and improper handling of devices and media. Training should also include what to do when something goes wrong, including who to notify, what to preserve, and how to avoid making the situation worse.

Documentation and record retention for training

HIPAA requires training to be documented, and documentation needs to be retained. The most defensible approach is to keep a training record for each workforce member that shows who completed training, when it was completed, what course or version was used, and any completion evidence such as an attestation or completion certificate.

Below is the full and exact regulatory text commonly used to support the six-year retention standard for HIPAA documentation.

45 CFR §164.530(j)(2)
A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.

45 CFR §164.316(b)(2)(i)
Retain the documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.
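The training record fields described above and the two retention clauses can be turned into a small compliance check. The Python below is an added example, not code from the article or from HIPAA Journal; it assumes a 30-day onboarding window and a 365-day refresher interval as the organization’s own reading of “a reasonable period of time” and the annual baseline, and the course names, people and records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Cadences are the organization's own choices (assumed): the rule text only says "reasonable period".
ONBOARDING_WINDOW = timedelta(days=30)
REFRESHER_INTERVAL = timedelta(days=365)
RETENTION_YEARS = 6  # 45 CFR 164.530(j)(2) and 164.316(b)(2)(i)
REQUIRED_COURSES = ("privacy-core", "security-awareness")  # assumed course names

@dataclass
class TrainingRecord:
    """Who completed which course/version, when, and the completion evidence kept."""
    member: str
    course: str
    version: str
    completed: date
    evidence: str
    last_in_effect: Optional[date] = None  # set when this course version is retired

@dataclass
class WorkforceMember:
    name: str
    role: str
    start_date: date

@dataclass
class MaterialChange:
    """A policy/procedure change; only the roles it affects are retrained (164.530(b)(2)(i)(C))."""
    effective: date
    affected_roles: frozenset
    course: str

def training_gaps(members, records, changes, as_of) -> List[Tuple[str, str, str]]:
    """Return (member, course, reason) for everyone who owes training as of `as_of`."""
    gaps = []
    for m in members:
        for course in REQUIRED_COURSES:
            done = [r for r in records if r.member == m.name and r.course == course]
            if not done:  # never trained: new-hire clause 164.530(b)(2)(i)(B)
                late = as_of - m.start_date > ONBOARDING_WINDOW
                gaps.append((m.name, course, "onboarding overdue" if late else "onboarding in progress"))
                continue
            latest = max(done, key=lambda r: r.completed)
            if as_of - latest.completed > REFRESHER_INTERVAL:
                gaps.append((m.name, course, "annual refresher overdue"))
                continue
            for ch in changes:  # a change that took effect after their last training and hits their role
                if (ch.course == course and m.role in ch.affected_roles
                        and latest.completed < ch.effective <= as_of):
                    gaps.append((m.name, course, f"material change effective {ch.effective}"))
                    break
    return gaps

def retention_until(record: TrainingRecord) -> date:
    """Six years from creation or from the date last in effect, whichever is later."""
    anchor = max(record.completed, record.last_in_effect or record.completed)
    try:
        return anchor.replace(year=anchor.year + RETENTION_YEARS)
    except ValueError:  # 29 February with no leap day six years on
        return anchor.replace(year=anchor.year + RETENTION_YEARS, day=28)

def purgeable(records, as_of) -> List[TrainingRecord]:
    """Records whose retention period has fully elapsed and may be disposed of per policy."""
    return [r for r in records if retention_until(r) < as_of]

AS_OF = date(2025, 6, 30)  # constructed sample data below: not real people or records
MEMBERS = [
    WorkforceMember("alice", "billing", date(2023, 2, 1)),
    WorkforceMember("bob", "front-desk", date(2025, 6, 16)),  # joined 14 days ago
    WorkforceMember("carol", "it", date(2022, 5, 9)),
]
RECORDS = [
    TrainingRecord("alice", "privacy-core", "v3", date(2024, 9, 10), "attestation A-1"),
    TrainingRecord("alice", "security-awareness", "v2", date(2024, 4, 2), "certificate S-7"),
    TrainingRecord("carol", "privacy-core", "v3", date(2025, 1, 15), "attestation A-9"),
    TrainingRecord("carol", "security-awareness", "v2", date(2025, 1, 15), "certificate S-12"),
    # old version retired 2019-06-01, so it is kept until 2025-06-01 rather than 2024-03-01
    TrainingRecord("carol", "privacy-core", "v1", date(2018, 3, 1), "attestation A-2",
                   last_in_effect=date(2019, 6, 1)),
]
CHANGES = [  # e.g. a revised patient access request procedure, as in the article's own example
    MaterialChange(date(2025, 3, 1), frozenset({"front-desk", "billing"}), "privacy-core"),
]
```

Running `training_gaps(MEMBERS, RECORDS, CHANGES, AS_OF)` flags alice for the material change and an overdue refresher and bob as still onboarding, while carol, whose role the change does not affect, owes nothing; `purgeable(RECORDS, AS_OF)` returns only the retired v1 record.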

Why online training is the typical delivery model

Online HIPAA training is commonly used because it supports consistent content, role-based assignment, rapid onboarding, and reliable documentation. It also makes it easier to deliver refreshers and targeted retraining after a policy change or an internal incident. Online delivery is not a substitute for policy ownership and management support, but it is a practical way to deliver training at scale while maintaining a clean audit trail.

Recommended training approach

The HIPAA Journal Training is the most comprehensive online training for meeting HIPAA workforce training expectations while also delivering security awareness content that supports day-to-day risk reduction. For new hires, a strong approach is to assign core HIPAA awareness training immediately during onboarding, then follow with role-specific modules based on access level and job function, and then repeat training annually with additional updates when policies or procedures materially change.

HIPAA Training Requirements: FAQs

What are the HIPAA compliance and training requirements?

The HIPAA compliance and training requirements are that members of the workforce must be trained on the policies and procedures with respect to Protected Health Information that have been developed by the organization “as necessary and appropriate for members of the workforce to carry out their functions within the organization”. In addition, all members of the organization’s workforce must receive security awareness training regardless of access to Protected Health Information.

What are the objectives of HIPAA training?

The objectives of HIPAA training are to ensure that all applicable members of the workforce are trained on why it is necessary to safeguard the privacy and security of Protected Health Information, the threats that exist to the privacy and security of Protected Health Information, and how to comply with the organization’s policies and procedures to mitigate the threats to a reasonable and acceptable level.

Are HIPAA employee training requirements the same for all members of the workforce?

HIPAA employee training requirements are not the same for all members of the workforce. Some members of the workforce may have more access to Protected Health Information than others, may have access to more types of Protected Health Information than others, or may be exposed to different threats and hazards than others. If the proposed HIPAA Security Rule changes are finalized in their current form, role-based security training will become mandatory.

Is there special HIPAA training for healthcare workers?

There should be special HIPAA training for healthcare workers and any other members of the workforce who have face-to-face contact with the public. This is because different conditions may apply to disclosures of Protected Health Information when it is disclosed to patients, to patients’ families and friends, and to other people involved in the care of a patient (e.g., translators). For example, certain disclosures require the prior consent of the patient.

Is there HIPAA training for employees other than healthcare workers?

HIPAA training for employees other than healthcare workers should be provided according to each employee’s functions and access to Protected Health Information. In addition, the HIPAA training requirements of the HIPAA Security Rule stipulate that HIPAA training must be provided for all employees and any other non-employed members of the workforce in accordance with the General Requirements of the HIPAA Security Rule.

Why might HIPAA training for healthcare students be different?

HIPAA training for healthcare students might be different from HIPAA training provided for other members of the workforce inasmuch as healthcare students must be careful not to use Protected Health Information in reports and other coursework without authorization. In addition, healthcare students will likely be exposed to Protected Health Information during their professional training and it is important they understand not to further disclose the information.

What is the best advice for HIPAA compliance training?

The best advice for HIPAA compliance training is to integrate the real consequences of HIPAA violations into HIPAA compliance training (e.g., operational disruptions, medical identity theft, loss of trust, etc.) rather than focus on workforce sanctions and regulatory enforcement action. HIPAA compliance training will resonate better with trainees if they feel non-compliance may result in personal consequences rather than painless sanctions.

What are the benefits of HIPAA training?

The benefits of HIPAA training – when it is effective – are that members of the workforce better understand why it is important to safeguard the privacy and security of Protected Health Information, are more likely to be careful when using and disclosing Protected Health Information, and are likely to be more alert to threats to Protected Health Information. These benefits of HIPAA training mitigate the risk of adverse patient outcomes due to avoidable HIPAA violations and data breaches.

How often does HIPAA training need to be completed?

According to the HIPAA training requirements, HIPAA training needs to be completed within “a reasonable period of time” after a person joins an organization’s workforce and thereafter whenever there is a material change to policies and procedures, whenever a need for training is identified, and whenever HIPAA training is imposed as a workforce sanction. All workforce members must also participate in a HIPAA security awareness program.

Note: Some organizations follow compliance professionals’ advice to provide refresher policy and procedure training at least annually if HIPAA training has not been provided for any other purpose or is not integrated into other mandatory training requirements (e.g., OSHA bloodborne pathogen training, CMS’ emergency planning training, etc.). HHS’ Office for Civil Rights has identified that many organizations provide security awareness training at least quarterly.

How long is HIPAA training good for?

HIPAA training is good for as long as it is still current, relevant, and being complied with. When time limits are applied, these are usually applied by training organizations who certify an individual’s HIPAA knowledge for 1, 2, or 3 years. Some HIPAA training courses also award Continuing Education Units (CEUs) which are time limited. Changes have been proposed to mandate annual security awareness training, but these proposals have not yet been finalized.

When should initial HIPAA training be provided to new employees?

Initial HIPAA training should be provided to new employees within “a reasonable period of time” after the new employee joins an organization’s workforce. However, it can be beneficial to provide new employees with a HIPAA basics course prior to them taking initial policy and procedure training in order to raise their existing level of HIPAA knowledge to a standard at which initial policy and procedure training will be better understood.

How much detail should be provided in HIPAA training sessions?

The detail that should be provided in HIPAA training sessions should reflect workforce members’ access to Protected Health Information, reasonably anticipated threats to the security of Protected Health Information, and reasonably anticipated disclosures that are not permitted by the HIPAA Privacy Rule. It is advisable, but not required by the HIPAA training requirements, to also include the real consequences of HIPAA violations and data breaches.

What should HIPAA security awareness training involve?

HIPAA security awareness training should involve training on whatever measures have been implemented to mitigate reasonably anticipated threats to the security of Protected Health Information, and reasonably anticipated disclosures that are not permitted by the HIPAA Privacy Rule. Although HIPAA security awareness training should involve some generic security training, generic security training by itself is not sufficient to comply with the HIPAA training requirements.

Is it permissible to only provide computer-based HIPAA training?

It is permissible to only provide computer-based HIPAA training as opposed to classroom training because the HIPAA training requirements do not state how training should be provided. Computer-based HIPAA training can be a good choice as it is easy to administer, track employees’ progress, and document that training has been provided. It also means that HIPAA training can be provided remotely to fit into workforce schedules.

Can fines be imposed for inadequate HIPAA training?

Fines can be imposed for inadequate HIPAA training when a data breach could have been avoided with more effective training. In 2020, HHS’ Office for Civil Rights fined two healthcare providers for multiple HIPAA violations including the failure to provide HIPAA training. One fine of $1.5 million was imposed on an organization that had not provided any HIPAA Privacy Rule training, and a fine of $25,000 was imposed on another that had not provided any security awareness training.

What is HIPAA training?

HIPAA training – as required by the HIPAA training requirements – is the instruction of employees, students, and other workforce members (e.g., volunteers) with regards to the policies and procedures put in place by an organization to safeguard the privacy and security of Protected Health Information. Because the HIPAA training requirements assume an existing knowledge of HIPAA, it is advisable to provide all new members of the workforce with a HIPAA basics course.

How often do you need HIPAA training?

You need HIPAA training – both policy and procedure training and security awareness training – within a “reasonable period of time” of starting work for an organization that is subject to the HIPAA Rules. Thereafter, you may need HIPAA training if there is a material change to policies and procedures, if a need for further training is identified, or if you violate a HIPAA standard and the sanction is additional training. Note: security awareness training should be ongoing.

Is HIPAA training required annually?

HIPAA training is not required annually at present, but it is recommended when no other HIPAA training has been provided during the year due to policy changes, the outcomes of risk assessments, the introduction of new technologies, or workforce sanctions. However, proposed changes to the HIPAA Security Rule could shortly mandate annual HIPAA training for all members of the workforce.

Is HIPAA training required by law?

HIPAA training is not required by law but by regulation. The HIPAA “law” passed by Congress in 1996 instructed the Secretary for Health and Human Services to make recommendations and adopt standards for safeguarding the privacy and security of individually identifiable health information. These evolved into the HIPAA Administrative Simplification Regulations – which include the HIPAA training requirements.

Who needs HIPAA training?

All members of a covered entity’s or business associate’s workforce need HIPAA training – even if they have no access to Protected Health Information (PHI). This is because the General Requirements of the HIPAA Security Rule mandate that security awareness training must be designed to protect against uses and disclosures of PHI not permitted by the HIPAA Privacy Rule.

How often is HIPAA training required?

HIPAA training is required as necessary to safeguard the privacy and security of Protected Health Information. This means that, in addition to initial policy and procedure training and ongoing security awareness training, HIPAA training may be required when a risk assessment identifies a need for HIPAA training, when a need for refresher training is observed, or when a workforce member violates any standard of the HIPAA Privacy or Breach Notification Rules.

What are the HIPAA training requirements for new hires?

The HIPAA training requirements for new hires are that an organization must train all new members of its workforce within a reasonable amount of time of the person starting work with the organization. In some states, time limits apply (for example, in Texas new hires must be trained within 90 days), while proposed changes to the HIPAA Security Rule mandate that security awareness training is provided within 30 days of a person starting work with the organization.

Who is responsible for providing HIPAA training?

The responsibility for providing HIPAA training is shared between an organization’s HIPAA Privacy Officer and an organization’s HIPAA Security Officer. Although these Officers (which can be the same person in smaller organizations) are responsible for providing HIPAA training, they do not have to lead the training themselves. The role of trainer can be designated to another member of the workforce or outsourced to a third party training organization.

Why is refresher training required when there is a “material change to policies”?

Refresher training is required when there is a material change to policies – but only for members of the workforce whose functions are affected by the change. For example, if an organization changes the procedure for responding to a patient access request, only those members of the workforce who respond to patient access requests will have to take refresher training. Other members of the workforce should be made aware that a change has occurred, but do not need to be trained on the change.

What is an example of a “material change to policies”?

An example of a material change to policies is the recent change to the HIPAA Privacy Rule that requires organizations to obtain an attestation that certain types of Protected Health Information will not be further used or disclosed when being shared with a third party who does not qualify as a HIPAA covered entity or business associate. As this material change affects disclosures of reproductive healthcare, it is likely most organizations had to make material changes and provide additional HIPAA training.

When should senior managers be involved in HIPAA training?

Senior managers should be involved in HIPAA training as often as possible because it shows trainees a commitment to compliance. Naturally, it is not necessary for all senior managers to be involved in every policy and procedure training session, but it is important that all senior managers are involved in the security awareness and training program, as this is stipulated in the HIPAA training requirements of the HIPAA Security Rule.

What is the most important topic to focus on during HIPAA training?

There is no single most important topic to focus on during HIPAA training as the focus of HIPAA training should be determined by workforce members’ functions, changes to policies, new technologies, risk assessments, etc. Consequently the focus of HIPAA training will vary on a case-by-case basis. However, one of the most important topics to focus on prior to HIPAA training is raising the standard of workforce HIPAA knowledge so that HIPAA training is better understood and complied with.

How long does HIPAA training take?

The answer to the question of how long HIPAA training takes is that HIPAA training should be ongoing, inasmuch as threats to the privacy and security of Protected Health Information are frequently changing and workforce members need to be advised on new threats and the policies, procedures, or technologies adopted to mitigate them. In terms of how long each training session should take, the optimum time is around 40 minutes – although this may vary depending on the amount of content, the number of trainees, and the volume of questions asked during and after the session.

How often do you have to do HIPAA training?

How often you have to do HIPAA training can be determined by a number of factors. For example, it may be your employer’s policy to provide refresher training periodically or to provide additional training when necessary to address the findings of a risk assessment or evaluation. Many organizations require members of the workforce to undergo training following a HIPAA violation or when a data breach is notified to HHS’ Office for Civil Rights.

With regards to the HIPAA training requirements of the HIPAA Security Rule, security awareness training should be an ongoing program rather than a one-off event. Security awareness training should be provided periodically, and HHS’ Office for Civil Rights has identified that most HIPAA-regulated entities conduct security awareness training at least quarterly and support quarterly training with monthly security awareness reminders.

Why is HIPAA training important?

HIPAA training is important because it shows members of the workforce how they are expected to safeguard the privacy and security of Protected Health Information in order to prevent avoidable HIPAA violations and data breaches that can result in operational disruptions, medical identity theft, and loss of trust in the patient-provider relationship.

When does HIPAA training expire?

HIPAA training does not expire unless there is a change in policies or procedures that affects a workforce member’s functions – in which case elements of the original HIPAA training may no longer apply. HIPAA training can be considered to have expired if you change employers – but remain in the healthcare industry – as different employers have different HIPAA policies and procedures and you will need training on your new employer’s policies and procedures.

Why might additional HIPAA training be necessary?

Additional HIPAA training might be necessary in a number of scenarios. These include when the need for additional HIPAA training is identified in a risk analysis or observed by a manager or HIPAA Privacy Officer. It might also be necessary if additional training is imposed as a sanction for violating a HIPAA standard or if the organization you work for is issued with a corrective action order by HHS’ Office for Civil Rights that includes additional HIPAA training.

Why is documentation of HIPAA training necessary?

The documentation of HIPAA training is necessary for two reasons. First, it demonstrates that an organization is complying with the HIPAA training requirements in the event of an audit or compliance investigation. Secondly, it records what training has been provided in order to determine what additional training may be required following a risk analysis or policy change – or a promotion.

What do you learn during HIPAA training?

What you learn during HIPAA training can vary considerably depending on the reason for the training being provided. HIPAA training for new employees should focus on the basics of HIPAA and the organization’s HIPAA policies and procedures. Security awareness training will likely be more focused on best practices for accessing, using, and securing Protected Health Information. There may also be times when HIPAA training focuses on specific areas of HIPAA identified in a risk assessment or prompted by a privacy complaint from a patient.

What is a HIPAA training certificate?

A HIPAA training certificate is an accreditation – usually provided by an outside training organization – that is awarded to individuals who pass a HIPAA training course. In such cases, the HIPAA training course is designed to provide a basic knowledge of HIPAA so that subsequent training provided by the individual’s employer (for example, policy and procedure training) is more understandable.

Who is responsible for training medical students about HIPAA?

In most cases, the teaching organization in charge of medical students’ professional education is responsible for training medical students about HIPAA even if the teaching organization does not qualify as a HIPAA covered entity because it does not conduct electronic transactions for which HHS has adopted standards. If a teaching organization does not train medical students about HIPAA, the first organization for whom a medical student works assumes the responsibility.

What HIPAA training is required?

What HIPAA training is required depends on a workforce member’s functions, their access to Protected Health Information, and any additional factors identified in a risk assessment or evaluation. All members of an organization’s workforce are required to participate in security awareness training. Additional HIPAA training may be provided at the discretion of an organization if it adopts a policy of providing refresher training periodically.

Do state training requirements preempt HIPAA training requirements?

State training requirements preempt HIPAA training requirements if a state’s training requirements offer more stringent protections for patient privacy or more patient rights than HIPAA. For example, Texas introduced a law requiring organizations covered by the Medical Records Privacy Act to provide compliance training within 90 days. However, it is not just state laws that preempt HIPAA with regards to training. Some federal laws do as well. For example, personnel employed by the Defense Health Agency are required to undergo Privacy Act and HIPAA privacy training annually.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681.