How Often is HIPAA Training Required?
HIPAA training is required when a new staff member joins the workforce, when there is a material change to their role or the policies and procedures that apply to their role, when a risk analysis identifies a need for HIPAA training, and when a staff member violates a policy or procedure for which the sanction is further training. HIPAA training may also be required as part of a corrective action plan agreed with the HHS’ Office for Civil Rights.
In addition, HIPAA security and awareness training must be ongoing and provided to all members of the workforce at regular intervals. The training must be provided in accordance with the HIPAA Security Rule’s General Requirements and developed to protect against any reasonably anticipated uses and disclosures of Protected Health Information (PHI) not permitted by the HIPAA Privacy Rule. Training topics must be reinforced between training sessions via periodic security reminders.
What Does HIPAA Say About Employee Training?
Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule training standard states:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
The HIPAA Security Rule training standard states:
“Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”
With regard to both these standards, it is advisable to provide new members of the workforce with HIPAA awareness training prior to policy and procedure training or security training – for example, during onboarding. This will help new members of the workforce better understand, absorb, and apply HIPAA policies and procedures and better connect security training with HIPAA compliance.

How Often is HIPAA Training Required?
Employee HIPAA training must be provided “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.” Thereafter, further training is required when “functions are affected by a material change in policies or procedures”, with the training provided “within a reasonable period of time after the material change becomes effective.”
Further training is also required when a risk analysis identifies a threat to the privacy or security of Protected Health Information (PHI) that could be mitigated with further training, when the sanction for a minor violation is further training, or when HIPAA training is required as part of a corrective action plan agreed with the HHS’ Office for Civil Rights following a data breach.
Although not “required”, most compliance experts agree it is beneficial to provide annual HIPAA refresher training to all workforce members as this can strengthen good habits, correct small misunderstandings, and bring everyone up to date with policy changes or new threats that might not affect them directly – but which they may need to know exist.
How Frequently Should HIPAA Security Awareness Training be Provided in Healthcare?
HIPAA security awareness training is also required when a new member of staff joins the workforce, when policies or procedures change, in response to a risk assessment, or as a sanction for violating a security policy. It may also be necessary to provide HIPAA security awareness training when new technologies are adopted by a healthcare organization if the new technologies have access to PHI.
Regarding the frequency of HIPAA security awareness training, there is no time frame currently mandated by the HIPAA Security Rule. However, a proposed update to the HIPAA Security Rule suggests that it may soon become a compliance requirement to provide formal, role-based security awareness training before any member of the workforce has access to PHI and thereafter at least twice per year.
Ideally, HIPAA security awareness training should be provided more frequently than twice a year, but in smaller sessions to accommodate employees’ workflows and to prevent overloading employees’ memories with too many policies at once. Ultimately, covered entities and business associates should be guided by the results of workforce monitoring and the volume of security incident reports.
Document All Employee Training
There have been several enforcement actions by OCR where covered entities and business associates have not been able to provide documentation to prove that they are in compliance with the requirements of the HIPAA Privacy Rule and HIPAA Security Rule. If documentation cannot be provided to prove that all members of the workforce have been trained, accidental HIPAA violations by employees may be viewed as training failures.
The HIPAA Privacy Rule only states that “A covered entity must document that the training as described [in the HIPAA Text] has been provided.” You should therefore ensure that you create a training log that includes all employee names and records the date training was provided, the type of training, and the course that was completed. Self-attestation for HIPAA training does not work because learners do not pay attention if they are not tested at the end of the training.
HIPAA Penalties for Inadequate Training
The penalties for training failures can be severe. HHS’ Office for Civil Rights has not, at the time of writing, imposed a penalty solely for training failures, but there have been enforcement actions where the lack of either Privacy Rule training or security awareness training was a cited HIPAA violation that contributed to the financial penalty – such as the St. Joseph’s Medical Center data breach in 2023.

How Often is HIPAA Training Required? – FAQs
How much can a covered entity be fined for not providing HIPAA training?
The amount of an OCR fine for not providing HIPAA training depends on a number of factors – for example, the degree of “willful neglect” and the consequences of the willful neglect. Therefore, a minor violation may only result in corrective action being required, whereas a significant HIPAA data breach attributable to a lack of training will be viewed more seriously.
How does OCR get to hear about HIPAA training violations?
The Office for Civil Rights can find out about HIPAA training violations in a number of ways. The three most common are when investigating a patient complaint, looking into the cause of a data breach, or during a HIPAA audit.
Is it necessary to provide refresher training to the full workforce whenever there is a material change to policies and procedures?
When there is a material change to policies and procedures, only members of the covered entity’s workforce whose functions are affected by the material change are required to undergo refresher training. However, this may be a good opportunity to involve more of the workforce in order to refresh their HIPAA knowledge.
What about when new technology is introduced? Does HIPAA training have to be provided each time?
If a covered entity or business associate introduces a new technology that creates, stores, transmits, or processes ePHI, then HIPAA training has to be provided – but only to members of the workforce whose functions are affected by the new technology (i.e., those who will use it). If the new technology does not create, store, transmit, or process ePHI, no HIPAA training is required.
It is recommended above that security awareness training should be ongoing. How often should other types of HIPAA training be provided?
Other than as required by HIPAA (new member of the workforce/material change), other types of HIPAA training should be provided periodically as identified by a risk assessment or when it becomes apparent refresher training is required. It may also be necessary to provide additional policy and procedure training when an existing member of the workforce is promoted or transferred to another role if the new role increases their interactions with patients and PHI.