
HIPAA workforce training: what the rule requires and what actually works

HIPAA requires workforce training on security policies and procedures. Here is what the rule actually says, what OCR has cited in settlement agreements, and what training looks like in a small practice.

Workforce training is an administrative safeguard under 45 CFR § 164.308(a)(5). Like most HIPAA requirements, the rule is intentionally general — it requires covered entities to implement a training program appropriate for their size and complexity, without prescribing a specific curriculum, format, or duration.

That flexibility is both a feature and a problem. It means there is no universally accepted "enough." It also means that when OCR asks to see your training documentation and you cannot produce it, the requirement is treated as unmet.

What the rule actually requires

45 CFR § 164.308(a)(5)(i) requires covered entities to "implement a security awareness and training program for all members of its workforce (including management)."

Two implementation specifications apply:

  • Required: security reminders (periodic updates about security policies and current security threats).
  • Addressable: protection from malicious software; log-in monitoring; password management.

"Addressable" means you assess whether each specification is reasonable and appropriate for your environment, implement it if so, and document your decision.

The documentation requirement (45 CFR § 164.316(b)(1)) means you have to maintain written evidence that training happened, when, who attended, and what was covered. Verbal training with no record is treated as no training.

What OCR has cited in settlement agreements

Resolution agreements involving workforce training failures follow a pattern:

  • The practice had some form of onboarding orientation that included a mention of HIPAA
  • No annual training was documented
  • No records showed which specific employees had completed training
  • When a breach occurred (or OCR investigated), the workforce had no documented understanding of the relevant policies

The finding is typically: "the covered entity failed to implement a security awareness and training program for all members of its workforce."

Note the phrase "all members." A practice where the dentist and office manager received training but the medical assistants and front desk staff did not is non-compliant. Everyone with access to systems that touch ePHI needs to be documented as trained.

What "security awareness training" covers

The regulation does not prescribe a curriculum. Based on OCR guidance and the common findings in resolution agreements, effective security awareness training for a small practice covers:

Phishing recognition. The most common cause of healthcare data breaches at small practices is a phishing email — a staff member clicks a link, enters credentials, and an attacker gains access to the EHR or email account. Training on how to recognize and report phishing emails is the highest-ROI security investment available.

Password management. Unique passwords for each account, no sharing of credentials, requirements to change passwords when a staff member leaves or when there is reason to believe a password is compromised.

Device security. What to do when a work laptop is lost or stolen; whether patient data can be accessed from personal devices; how to lock a workstation when stepping away.

Incident reporting. How a workforce member reports a suspected security incident — a clicked phishing link, a lost device, unauthorized access to a record. The practice needs a clear reporting path.

Policies. Where your security policies are documented and where workforce members can find them. The policies do not need to be memorized, but staff should know they exist.

What documentation you need

For each training event, you need documentation of:

  • The date training occurred
  • The topic(s) covered
  • Who attended (by name or employee role)
  • Confirmation of completion (a sign-in sheet, a completion certificate, an electronic attestation)

The format does not matter. A sign-in sheet with names and dates works. An electronic completion record from a training platform works. A shared spreadsheet with employee names, training dates, and topics works.

What does not work: an undated certificate from an online training vendor with no record of which employees completed it.

How often training must occur

The rule does not specify a frequency. The required implementation specification for "security reminders" implies ongoing communication, not a single annual event. Resolution agreements consistently treat annual training (at minimum) as the floor.

In practice, this means:

  • Comprehensive initial training for all new workforce members (before or very shortly after they begin handling ePHI)
  • Annual refresher training for all existing workforce members
  • Ad hoc training when a relevant policy changes, when a new system is introduced, or when a security incident reveals a gap

"Annual" in enforcement practice means within 12 months. A practice whose last documented training was 14 months ago is in a gap.

Practical formats for a small practice

Online training platforms. Many HIPAA training vendors offer short (15–30 minute) online modules with built-in completion tracking. Some are free; most cost $10–30 per person per year. The tracking is the main advantage — the platform generates a certificate or completion record automatically.

In-person sessions. A 30–45 minute staff meeting covering the topics above, with a sign-in sheet and an agenda on file, satisfies the requirement. This works well for new employee onboarding and for annual refreshers in a practice small enough to gather everyone.

Written attestations. Giving staff a copy of your security policies and having them sign that they have read and understood them is one component of training. It is not sufficient on its own, but it is valuable documentation to have alongside the training record.

The sanctions policy requirement

Separate from training, 45 CFR § 164.308(a)(1)(ii)(C) requires covered entities to implement a sanctions policy — a documented policy for workforce members who violate security policies.

The sanctions policy does not need to be punitive. It needs to exist, be documented, and be communicated to the workforce. "Staff who violate our HIPAA security policies will be subject to disciplinary action up to and including termination" covers the requirement. Including it in your training materials addresses both requirements at once.

What to do if you have no current training documentation

If your last documented training was more than 12 months ago, or if you have no training records at all:

  1. Schedule training within the next 30 days
  2. Use a format that generates a completion record for each participant
  3. File the records in your compliance documentation
  4. Schedule the next annual training for 12 months from today
  5. Include training completion in your annual risk analysis documentation

Starting from scratch is not ideal, but it is recoverable. The risk analysis is the right place to document where you are and your plan to close the gap.


Sources: 45 CFR § 164.308(a)(5) (security awareness and training program); 45 CFR § 164.308(a)(1)(ii)(C) (sanction policy); 45 CFR § 164.316(b)(1) (documentation); HHS OCR resolution agreements (2024–2025), available at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements.