How Often Do You Need HIPAA Training?
The best practice in the healthcare sector is to have HIPAA training at least annually. How often you need HIPAA training can depend on how often there is a material change to HIPAA policies and procedures, how often a risk assessment identifies a need for further training, how often HIPAA training is enforced as a sanction for a HIPAA violation, and how often training is a requirement of a corrective action plan.
The frequency of HIPAA training can be subject to a number of factors. These include the frequency of changes to the Privacy Rule, workforce members’ roles and functions, identified risks to the privacy of Protected Health Information (PHI), violations of HIPAA in the workplace, and corrective actions following a breach notification to HHS’ Office for Civil Rights.
In addition, covered entities and business associates are required by the Security Rule to implement a security awareness and training program. The frequency of HIPAA security awareness and training is set by each covered entity or business associate. However, the inclusion of the word “program” in §164.308(a)(5) implies that HIPAA training is ongoing rather than a one-time event.
As well as the HIPAA training requirements, there may be other federal and state training requirements into which HIPAA is incorporated. For example, training on CMS’ Emergency Preparedness Plan may include how to protect the privacy of PHI during an evacuation. Similarly, HIPAA compliance may be included in some OSHA training requirements.
When Does HIPAA Training Start?
HIPAA training can start for different members of the workforce at different times. For example, medical students may study HIPAA as part of their coursework before they join a covered entity’s workforce, while some non-medical personnel may take an online training course to acquire a HIPAA certification that qualifies them for a role with a covered entity or MSP.
Others may not start their HIPAA training until “a reasonable period of time after the person joins the covered entity’s workforce” (§164.530(b)(2)). However, delaying HIPAA training carries the risk that new members of the workforce impermissibly disclose PHI if they discuss their first days of work and the patients they have seen with friends, family, and social media followers.
For this reason, it is a best practice to provide “foundation” HIPAA training to all new members of the workforce prior to providing “policy and procedure training”. This best practice not only mitigates the risk of impermissible disclosures, but it may also help new members of the workforce better understand – and comply with – covered entities’ HIPAA policies and procedures.

How Often Do You Need HIPAA Training After That?
How often you need HIPAA training after that can be determined by one or more factors.
Material Changes
If there is a “material change” to a workplace HIPAA policy or procedure, members of the workforce who are affected by the material change must receive HIPAA training “within a reasonable period of time” of the material change taking effect.
The material change does not have to be attributable to a change to the HIPAA regulations. It could, for example, be attributable to a new process developed by the covered entity for responding to patients who are exercising their HIPAA rights.
Roles and Functions
If a member of the workforce is promoted or transferred to a different department, that member of the workforce may need additional HIPAA training if the new role or function increases or changes their interactions with patients and PHI.
The potential need for additional HIPAA training applies not only to public-facing members of the workforce. For example, an employee who is transferred from an administrative role to a billing role is just as likely to require additional HIPAA training.
Risk Assessments
Covered entities and business associates are required to conduct periodic risk assessments (§164.308(a)(1)) and use the assessments to protect against reasonably anticipated threats to electronic PHI (§164.306(a)(2)) and against reasonably anticipated uses and disclosures of PHI not permitted by the Privacy Rule (§164.306(a)(3)).
If a covered entity or business associate identifies a risk, they are required to implement measures to reduce the risk to a reasonable and appropriate level. In the event that a lack of HIPAA knowledge or compliance is identified as a risk, one of the options for complying with these implementation specifications is to increase the frequency of HIPAA training.
HIPAA Violations
Both the Privacy Rule and the Security Rule require covered entities and business associates to implement and enforce a sanctions policy against members of the workforce who fail to comply with the privacy policies and procedures, the security policies and procedures, or “the requirements of this subpart [the Privacy Rule] or subpart D [the Breach Notification Rule]”.
One of the options for minor violations of workplace policies or minor violations of HIPAA is additional HIPAA training. In many cases, a member of the workforce who has violated HIPAA due to a lack of understanding may prefer additional HIPAA training to having a record of a verbal warning added to their employment history.
Corrective Action Plans
One of the most likely outcomes of a data breach is additional HIPAA training. Although this outcome is not often reported unless included in a financial settlement for a HIPAA violation, the majority of reports in HHS’ Breach Archive include the implementation of additional training – either voluntarily or enforced – as part of a corrective action plan.
In these circumstances, whole teams or workforces may need to undergo additional HIPAA training even though the event responsible for the data breach was attributable to the negligence of an individual. Therefore, even though some individuals may not need further HIPAA training, it still has to be provided to comply with the corrective action plan.

How Often Do You Need HIPAA Training? – FAQs
How would a complaint filed by an individual patient result in a penalty for failing to provide HIPAA training?
When the complaint is investigated, if it is found that the individual responsible for the HIPAA violation had not been trained on how to perform their role in compliance with HIPAA, the Office for Civil Rights can impose a penalty for the failure to comply with the HIPAA training requirements.
Is it really necessary to provide HIPAA refresher training every time new technology is introduced?
It may be necessary to provide HIPAA refresher training when new technology is introduced if the new technology creates, stores, transmits, or processes ePHI. However, it may be possible to incorporate HIPAA training alongside technology training when users are shown how to use the new technology.
When a material change occurs, but only affects a small number of the workforce, does every member of the workforce have to undergo refresher training?
In these circumstances, HIPAA training only needs to be provided to those who will be affected by the material change. Covered entities should conduct – and document – a risk assessment to identify who the material change applies to and what sort of training they require to comply with the HIPAA requirements.
How much is the penalty for not complying with the HIPAA training requirements?
The penalty will vary according to the nature of the complaint being investigated and any other failings identified by OCR investigators. In some cases, a complaint does not have to be made for OCR to impose a financial penalty. If a covered entity or business associate is found not to have complied with the HIPAA training requirements during an audit or a breach investigation, OCR can still impose a penalty. In 2019, West Georgia Ambulance agreed to a $65,000 settlement with OCR for, among other failures, not having a security awareness and training program, following an investigation prompted by a breach report.