The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

What are the HIPAA Training Requirements for New Hires?

The HIPAA training requirements for new hires are that “a covered entity must provide training […] to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce” (45 CFR 164.530(b)(2)). What a “reasonable period of time” is may depend on the new hire’s role and their existing HIPAA knowledge.

Because HIPAA applies to many different types of organizations, it is important the HIPAA training requirements for new hires are put into context rather than taken in isolation. This is because HIPAA requires covered entities and business associates to identify risks to the privacy of Protected Health Information (PHI) and mitigate the risks to a reasonably acceptable level.

If a covered entity conducts a risk assessment, and identifies a risk to the privacy of PHI by allowing an untrained new hire access to PHI, the new hire must be trained before being allowed access to PHI. It may also be the case that the new hire requires security awareness training in addition to HIPAA training if the new hire demonstrates a lack of online security awareness.

What Should New Hires be Trained On?

According to the Administrative Requirements of the Privacy Rule (§164.530), covered entities must develop policies and procedures that “reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart” (e.g., the Privacy Rule).

With regard to the HIPAA training requirements for new hires, covered entities must train all members of the workforce on the policies and procedures developed to comply with §164.530 “as necessary and appropriate for members of the workforce to carry out their functions within the covered entity”. Refresher training must also be provided whenever policies change.

This requirement is most often interpreted as meaning role-specific training. For example, only workforce members that are likely to be involved in responding to patients’ PHI access requests need to be trained on the procedures for when patients exercise their HIPAA rights. However, it is important that every member of the workforce knows patients have rights under HIPAA.

It is also important new hires understand HIPAA basics such as what is PHI under HIPAA, what the HIPAA social media guidelines are, and the real consequences of HIPAA violations beyond workforce sanctions. If new hires do not understand the basics before being provided with policy and procedure training, the policy and procedure training may make no sense to them. The HIPAA Journal has the most comprehensive HIPAA training for new hires.

Security Awareness Training should be Ongoing

New hires can lack online security awareness for a number of reasons. It may be because they are unfamiliar with a particular style of software (e.g., they are familiar with Gmail, but not with Outlook), or because the security safeguards in a previous job were more relaxed or more stringent than those applied by their new employer.

Because covered entities and business associates may not be able to determine a new hire’s level of security awareness at first impression, it can be beneficial to include some security awareness training in the HIPAA training requirements for new hires. Ideally, this should include tests on the new hire’s susceptibility to email phishing and their responses to being phished.

Thereafter, security awareness training should be ongoing regardless of the new hire’s function and their access to electronic PHI. However, depending on the new hire’s function and their access to electronic PHI, security awareness training can incorporate other areas of HIPAA compliance or similar regulatory requirements (e.g., CMS’ Emergency Preparedness Requirements).

What are the HIPAA Training Requirements for New Hires? Conclusion

Most new members of a healthcare workforce should already have some HIPAA knowledge due to professional certification curricula including modules on regulatory compliance. It may also be the case that a new hire has transferred from another covered entity or business associate at which they received training on their former employer’s HIPAA policies and procedures.

While this means it may not be necessary to include HIPAA basics in the HIPAA training requirements for new hires, it is still necessary to provide policy and procedure training. This is because each covered entity is required to develop its own policies and procedures. The policies and procedures that applied during healthcare training, or in a previous job, are not going to be exactly the same.

Covered entities and business associates who are unsure about the HIPAA training for new hires, how to determine a “reasonable period of time”, or how to incorporate a security awareness assessment into policy and procedure training are advised to seek advice from a HIPAA compliance professional.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
