Is HIPAA Training Required Annually?

HIPAA training is not required annually at present, but it is recommended when no other HIPAA training (prompted by policy changes, the outcomes of risk assessments, the introduction of new technologies, or workforce sanctions) has been provided during the year. However, proposed changes to the HIPAA Security Rule could shortly mandate annual HIPAA training for all members of the workforce.

The HIPAA training requirements stipulate that HIPAA covered entities and business associates (“where provided”) must train all new members of the workforce on policies and procedures with respect to Protected Health Information (PHI) as necessary and appropriate for the members of the workforce to carry out their functions. Further HIPAA policy and procedure training only has to be provided if a material change affects a workforce member’s functions.

In addition, all members of a HIPAA covered entity’s or business associate’s workforce must participate in a security awareness and training program regardless of their access to PHI. Security awareness training must be provided “in accordance with §164.306”, which means the training program has to take into account reasonably anticipated threats to the security of PHI and uses or disclosures of PHI not permitted or required by the HIPAA Privacy Rule.

Neither the Privacy Rule training standard (§164.530(b)) nor the Security Rule training standard (§164.308(a)(5)) stipulates the frequency of HIPAA training, other than to note that “policy and procedure” training and “material change” training should be provided within a reasonable period of time. As the Security Rule training standard requires a security awareness and training program, the implication is that training should be ongoing and provided periodically.

Other Reasons Why HIPAA Training Might be Provided

In addition to the standards mandating HIPAA training, there are other reasons why HIPAA training might be provided. These include when a risk assessment or periodic nontechnical evaluation (required by §164.308(a)(8)) identifies a need for HIPAA training, or when a new technology is introduced and – although the technology doesn’t affect a workforce member’s functions – they still need to be trained how to use it in compliance with HIPAA.

Some HIPAA covered entities may also incorporate HIPAA awareness training into training mandated by other federal or state regulations. For example, most healthcare organizations are required to provide annual bloodborne pathogen training, annual emergency preparedness training, and annual anti-harassment training. If a lack of HIPAA knowledge is observed in any of these training sessions, workforce members might be provided with further HIPAA training.

HIPAA training can also be imposed as a sanction on workforce members for any violation of the HIPAA Privacy Rule (even when the violated standard has not been covered in HIPAA training), and it is common to see HIPAA training being provided after a privacy complaint, impermissible disclosure, or data breach. Around two-thirds of breach reports in HHS’ Breach Portal conclude that “members of the workforce were retrained on XYZ to prevent future breaches”.

How “HIPAA Training Required Annually” Messaging Evolved

The messaging that HIPAA training should be provided annually evolved between 2013 and 2023 – a period during which there were only two minor changes to the HIPAA Privacy Rule, and no changes at all to the HIPAA Security Rule. Compliance experts believed that, as the lack of HIPAA changes could mean few material changes to policies and procedures, workforce members could go for years without receiving any refresher HIPAA training.

Due to concerns that long periods without refresher HIPAA training could result in compliance shortcuts being taken “to get the job done”, and that those shortcuts could deteriorate into a cultural norm, “HIPAA training required annually” messaging started appearing on HIPAA training and compliance websites. The messaging appears to have worked: in 2024, the HIPAA Journal reported that 90% of respondents to an in-house survey provide annual refresher HIPAA training.

One of the biggest benefits of annual refresher training is that it can be a catchall for members of the workforce who have not received HIPAA training for another reason. For example, some members of the workforce may receive HIPAA training when they are required to use a new technology in compliance with HIPAA, but those who do not use that technology might not have received any HIPAA training within a year if it were not for annual refresher HIPAA training.

Annual HIPAA Security Training May Soon Be Mandatory

The “HIPAA training required annually” messaging – and the reasons behind it – may soon be a thing of the past. This is because, in January 2025, HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) advocating annual role-based HIPAA security training for all members of the workforce. An implementation specification for ongoing education has also been proposed, although few details on this requirement are included in the NPRM.

The proposals align the content of HIPAA security training with the General Requirements of the HIPAA Security Rule (§164.306(a)), which means it will no longer be permitted to provide “generic” security awareness training to members of the workforce. Also – if finalized – the proposals will make compliance with several of HHS’ Cybersecurity Performance Goals (CPGs) compulsory, notably the CPG for Basic Cybersecurity Training and the CPG for Email Security.

HIPAA covered entities and business associates who require more information about the provision of annual HIPAA training or the proposed changes to the HIPAA Security Rule are advised to speak with an independent compliance expert. Workforce members who are concerned that their employer has not acted on the “HIPAA training required annually” messaging, and that their HIPAA knowledge may have suffered as a result, are advised to subscribe to an online HIPAA training course.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]