
Is HIPAA Training Required Annually?

Yes, HIPAA training is required annually in the sense that scheduling an annual HIPAA refresher is a best practice. The annual refresher covers the case where no additional training has been triggered during the year by a change in policies, the outcome of a risk assessment, the enforcement of a sanctions policy, or a corrective action plan following the notification of a data breach.

Is HIPAA Training Required Annually?

The HIPAA text does not provide a deadline for providing training and incorporates flexibility to make it easier for healthcare organizations to fit training into busy workflows. The HIPAA Privacy Rule states “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

In addition to initial training, a covered entity must provide training when “functions are affected by a material change in the policies or procedures.” That means further training is required when updates are made to the HIPAA Rules, or when a material change is attributable to the outcome of a HIPAA risk assessment. Training must also be provided when internal policies and procedures change, or when new technology is introduced that affects HIPAA-related operations.

Periodic refresher HIPAA training sessions are not required, but are recommended to remind employees of the requirements of HIPAA and the importance of compliance. By providing regular refresher training sessions, the risk of accidental HIPAA violations will be reduced, and it is a best practice – rather than a requirement – to provide refresher training sessions annually as this can demonstrate a good faith effort to maintain a compliant workforce in the event of a compliance investigation.


Should I Conduct Annual Security Awareness Training?

Security awareness training is a requirement of the HIPAA Security Rule, which has the following provision: “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”

The purpose of security awareness training is to raise awareness of threats to electronic protected health information (ePHI), and the systems and devices through which ePHI could be accessed. By teaching workforce members about these threats and helping them develop the skills they need to identify and avoid these threats, the risk of data and privacy breaches can be significantly reduced. Unlike Privacy Rule training, security awareness training should be an ongoing program.

The frequency of security awareness training should reflect the level of risk. It was once acceptable to provide this training annually, but the level of risk has increased sharply in recent years and cyber actors are actively targeting healthcare employees. New threats are constantly emerging so training should be provided more frequently than once a year. Risk analyses and individual security assessments should be used to determine the frequency of security awareness training.

How Long Should Training Courses Be?

HIPAA does not state how long training courses should be, but you must make sure the training is sufficiently comprehensive to teach employees about all appropriate requirements of the HIPAA Privacy and Security Rules and cybersecurity best practices. Try to keep each training session to between 40 minutes and an hour. Any longer and attention starts to wander.

If you develop a modular training course, or use a third-party online training course, modules can easily be completed outside the classroom when employees have time. Modular training courses are much more practical and can easily be fitted into the busiest of workflows.

Keeping Records of Training Sessions

Remember that providing training is important, but so is proving that training has been provided. HIPAA requires all training to be documented. The HHS’ Office for Civil Rights and state attorneys general will want to see records of training when investigating complaints and data breaches, and conducting HIPAA audits.

Your training log should list all employees and clearly show the date(s) training was provided, the type of course completed, and the content of the training sessions. This log should be kept with your HIPAA documentation along with a copy of any training material.
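As an added illustration (not part of the article or the publisher's own tooling), here is a small Python check over a training log that flags workforce members whose documented training is missing, older than the annual refresher interval, or predates a material change affecting their function. Employee names, functions, dates and the change description are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REFRESHER_INTERVAL = timedelta(days=365)  # best-practice refresher interval; the Rules set no deadline

@dataclass
class TrainingRecord:
    employee: str
    trained_on: date
    course: str    # type of course completed
    content: str   # what the session covered

@dataclass
class MaterialChange:
    effective: date
    affected_functions: set  # workforce functions whose duties the change touches
    description: str

def find_training_gaps(records, functions, changes, today):
    """Map each employee with insufficient documented training to the reasons why."""
    latest = {}
    for r in records:
        if r.employee not in latest or r.trained_on > latest[r.employee].trained_on:
            latest[r.employee] = r
    gaps = {}
    for emp, fn in functions.items():
        reasons = []
        rec = latest.get(emp)
        if rec is None:
            reasons.append("no documented training")
        else:
            if today - rec.trained_on > REFRESHER_INTERVAL:
                reasons.append(f"annual refresher overdue (last trained {rec.trained_on})")
            for c in changes:
                if fn in c.affected_functions and rec.trained_on < c.effective:
                    reasons.append(f"not retrained after material change: {c.description}")
        if reasons:
            gaps[emp] = reasons
    return gaps

def audit_sample():
    # Constructed sample log, roster and policy change (not real data).
    records = [
        TrainingRecord("alice", date(2025, 2, 1), "Privacy Rule", "Uses and disclosures of PHI"),
        TrainingRecord("bob", date(2025, 9, 15), "Privacy Rule", "Business associate agreements"),
        TrainingRecord("carol", date(2026, 3, 10), "Security awareness", "Phishing and ePHI handling"),
    ]
    functions = {"alice": "billing", "bob": "contracts", "carol": "clinical", "dave": "clinical"}
    changes = [MaterialChange(date(2026, 1, 15), {"contracts"}, "revised BAA policy")]
    return find_training_gaps(records, functions, changes, date(2026, 5, 1))
```

The output of `audit_sample()` is the list an investigator would expect the log to answer: who is overdue, who missed retraining after a change to their function, and who has no record at all.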

Annual HIPAA Training Refresher

Is HIPAA Training Required Annually? FAQs

Why might the failure to provide training attract a penalty for noncompliance?

When HHS’ Office for Civil Rights conducts an investigation into a complaint or data breach, it will usually ask for training documentation to help identify the cause of the complaint or data breach. If there has been a failure to provide training, the penalty imposed by OCR investigators will reflect this – along with any other areas of noncompliance found during the investigation (for example, the failure to conduct and document a risk analysis).

When functions are affected by a material change, do all members of the workforce require refresher training?

This depends on the nature of the material change. If, for example, a change is made to the requirements for Business Associate Agreements, only members of the workforce who deal with Business Associates will require refresher training. If, however, restrictions are applied to permissible uses and disclosures of PHI, it may be necessary to provide refresher training for all members of the workforce.

Why do all members of a workforce have to undergo security and awareness training?

The purpose of security and awareness training is to increase security defenses against all forms of cyberattack – not just those attempting to access ePHI. The reason for this being a requirement of HIPAA is that cybercriminals can infiltrate systems via the login credentials of employees who do not have access to ePHI. They can then move laterally through the network until they reach systems and databases on which ePHI is stored.

Why is security and awareness training referred to as a “program”?

This is because most organizations have an ongoing program of security and awareness training. Although the program may not be apparent to all members of the workforce at all times, it is not unusual for new security practices to be adopted department by department so that any issues or glitches can be resolved before the security practice is adopted organization-wide and formally announced in security and awareness training.

What is the benefit of a third-party training course if each organization is required to develop its own policies and train workforce members on the policies?

While third-party training courses cannot predict what each organization will include in its policies (although many are now customizable), they can be used as an introduction to HIPAA to put specific training on policies and procedures into context. They are also non-intrusive tools for providing refresher training (inasmuch as courses can be completed online), and the course documentation demonstrates a good faith effort to comply with HIPAA in the event of an investigation.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
