HIPAA Employee Training Requirements Checklist (2026)
Complete HIPAA workforce training checklist: required topics, frequency, documentation standards, and 2026 Security Rule changes for independent practices.

HIPAA requires workforce training. Most practices know that much.
What they do not know: exactly what topics must be covered, when training must happen, what documentation OCR expects during an investigation, and what changes with the proposed 2026 Security Rule amendments. A practice that trained staff once three years ago and filed away a sign-in sheet is not compliant — regardless of what the training vendor promised.
This checklist covers all of it — written for independent practices that do not have a compliance department to figure it out for them.
What HIPAA Requires for Workforce Training
HIPAA contains two separate training mandates. Most practices conflate them.
Privacy Rule Training — 45 CFR §164.530(b)
The Privacy Rule requires covered entities to train all workforce members on policies and procedures related to PHI. Training must be provided to each new workforce member "within a reasonable period of time" after joining. When policies change in a way that affects a workforce member's duties, additional training on those changes is required.
This is not optional. It is not addressable. It is a mandatory administrative requirement.
Security Rule Training — 45 CFR §164.308(a)(5)
The Security Rule requires a security awareness and training program for all workforce members. It specifies four areas:
- Security reminders — periodic updates on current threats and security practices
- Password management — procedures for creating, changing, and safeguarding passwords
- Login monitoring — procedures for monitoring login attempts and reporting discrepancies
- Malicious software protection — procedures for guarding against, detecting, and reporting malicious software
Currently these are "addressable" — you must implement them or document why an alternative is reasonable. The proposed 2026 amendments would remove the addressable designation and make all four mandatory.
Who Must Be Trained?
Everyone. Under 45 CFR §160.103, "workforce" means employees, volunteers, trainees, and other persons whose conduct is under the direct control of the covered entity — whether or not they are paid. That is broader than "employee."
For an independent practice, this includes:
- Clinicians and clinical staff
- Front desk and reception staff
- Billing and coding personnel
- Office managers and administrative staff
- IT staff or contractors who access systems containing ePHI
- Janitorial and maintenance staff with facility access
- Volunteers
- Interns, externs, and students on clinical rotation
- Temporary or per diem workers
If a person can encounter PHI in any form — electronic, paper, or verbal — they need training.
The Training Checklist
Every workforce member should receive training covering these twelve areas. Depth varies by role, but every area must be addressed.
- Privacy Rule fundamentals — what constitutes PHI, the minimum necessary standard, permitted uses and disclosures, treatment vs. payment vs. operations
- Security Rule basics — administrative, physical, and technical safeguards relevant to the person's role
- Your practice's specific policies and procedures — not generic HIPAA rules, but the actual documented policies your practice follows
- Password management and authentication — strong passwords, no shared credentials, multi-factor authentication where applicable
- Recognizing and reporting security incidents — what constitutes an incident, the obligation to report immediately, and who to report to
- Phishing and social engineering awareness — identifying suspicious emails, calls, and messages that attempt to obtain credentials or PHI
- Proper use of communication tools — which channels are approved for PHI, what cannot be sent via text or personal email
- Mobile device and workstation security — screen locks, automatic timeouts, encryption, physical security of devices that access ePHI
- Breach notification procedures — what to report internally, who to report it to, and the escalation timeline
- Patient rights — handling access requests, amendment requests, and accounting of disclosures
- Sanction policy — consequences for HIPAA policy violations, from verbal warning through termination
- Role-specific training — tailored content for clinical, administrative, front desk, and billing staff
What Documentation OCR Expects
Training that is not documented did not happen. When OCR investigators arrive — whether triggered by a breach report, a complaint, or an audit — training records are among the first documents requested.
For every training session, your records must include:
- Employee name — who completed the training
- Date of training — when it occurred
- Topics covered — specific subjects addressed, not just "HIPAA training"
- Method of training — in-person, online module, video, or combination
- Acknowledgment — a signature or electronic confirmation that the individual completed the training and understood the material
These records must be retained for six years from the date of creation or the date they were last in effect, whichever is later (45 CFR §164.530(j) and §164.316(b)(2)). A spreadsheet with names and dates is not sufficient — OCR expects topic-level detail and individual acknowledgment.
2026 Security Rule Changes Affecting Training
The HHS Notice of Proposed Rulemaking (NPRM) published in early 2025 includes changes that directly affect training requirements. As of this writing, these are proposed — not final. Check HHS for the current status of the final rule.
The proposed amendments would:
- Eliminate the "addressable" designation — making all four security awareness training specifications mandatory for every covered entity
- Require annual training — establishing a defined minimum frequency instead of "as necessary and appropriate"
- Require training within 30 days of hire — replacing "within a reasonable period of time" with a hard deadline
- Add technical topics — including patch management, network segmentation, and vulnerability management
For independent practices, the most significant change is the shift from addressable to mandatory. Under the proposed rule, every covered entity — regardless of size — must deliver and document training on every specified topic annually. No exceptions.
If your practice already trains annually on the checklist above, you are well positioned. If your training program consists of a one-time onboarding video from 2021, you have work to do.
Common Training Mistakes
These are the failures OCR cites most frequently in enforcement actions against independent practices.
One-time training with no refresher. A single onboarding session does not satisfy HIPAA's ongoing requirement. Annual training is the practical minimum — and the proposed 2026 rule would make it the legal minimum.
No documentation of completion. If you cannot produce records showing who was trained, when, and on what topics, OCR treats it as if training never occurred.
Generic training not tailored to the practice. A video about HIPAA basics that never mentions your specific policies or systems does not meet the requirement.
Not training non-clinical staff. Front desk, billing, office managers — all require training. HIPAA does not distinguish between clinical and non-clinical.
Not retraining when policies change. Updated policies require targeted retraining for affected workforce members.
Using outdated training content. Materials more than two years old do not reflect current threats, enforcement priorities, or regulatory proposals.
How Patient Protect Handles Training
Patient Protect includes workforce training in every plan. The platform provides:
- Role-specific training modules — tailored content for clinical, administrative, front desk, and billing staff
- Completion tracking — timestamped records per workforce member with topics covered
- Acknowledgment capture — electronic confirmation that satisfies OCR documentation requirements
- Annual reminders — automated notifications when training is due
- Policy-linked retraining — policy updates automatically flag affected workforce members
Every completion generates an audit-ready record retained for the full six-year requirement period.
Plans start at $39/month. No long-term contracts. Training is included, not an add-on.
Frequently Asked Questions
How often is HIPAA training required?
At hire, when policies change, and "as necessary and appropriate" — which OCR interprets as at least annually. The proposed 2026 amendments would formally require annual training as a mandatory standard.
Do volunteers need HIPAA training?
Yes. HIPAA's definition of "workforce" explicitly includes volunteers. Anyone who may encounter PHI must receive training before they begin work.
Can I do HIPAA training online?
Yes. HIPAA does not specify a method. Online modules, in-person sessions, and video training are all acceptable — as long as required topics are covered and completion is documented with individual acknowledgment.
What happens if an employee refuses HIPAA training?
Your sanctions policy should address training refusal. An employee who refuses required training cannot be permitted to access PHI. Refusal is a policy violation with documented consequences.
How long must I keep HIPAA training records?
Six years from the date of creation or the date the record was last in effect, whichever is later.
Is annual HIPAA training mandatory in 2026?
Under the current rule, annual training is a best practice that OCR effectively expects, but it is not an explicit requirement. The proposed 2026 amendments would make it mandatory. Check the HHS website for the final rule status.
HIPAA workforce training is not a one-time checkbox. It is an ongoing operational requirement with specific documentation standards and real enforcement consequences. The 2026 amendments would raise the bar further — mandatory annual training, 30-day onboarding deadlines, and expanded topic requirements.
Patient Protect handles training delivery, completion tracking, and six-year documentation retention in one platform — starting at $39/month.
