What HIPAA Says About Workforce Training
The HIPAA Security Rule at 45 CFR 164.308(a)(5)(i) requires covered entities and business associates to "implement a security awareness and training program for all members of its workforce (including management)."
The HIPAA Privacy Rule at 45 CFR 164.530(b)(1) requires training on your organization's privacy policies and procedures for "each new member of the workforce within a reasonable period of time after the person joins" and whenever there are "material changes" to those policies.
Key point: HIPAA defines "workforce" broadly. It includes employees, volunteers, trainees, interns, and any person whose conduct is under your direct control — whether or not they are paid. Everyone with access to PHI must be trained.
HIPAA Training Frequency and Cadence
Before First Day with PHI Access
New team members must finish HIPAA training before they can access patient data. This covers new hires, temps, volunteers, and contractors. Train them during onboarding.
Annual Refresher Training
HHS interprets HIPAA's "periodic" training requirement as at least once per year for all workforce members. Annual training reinforces key concepts, covers regulatory updates, and addresses new threats like phishing and ransomware.
After Material Policy Changes
When your organization makes material changes to privacy or security policies, affected workforce members must be retrained on the new requirements within a reasonable time frame.
After a Security Incident
After a breach, near-miss, or security event, run focused training on what went wrong and the related policies. This is a best practice and a key piece of proof for OCR reviews.
Training Modules from One Guy Consulting
Our training is built for small teams. Each annual session is under 60 minutes, uses plain language, and comes with tracking and completion certificates.
HIPAA Privacy Rule (~15 min)
What PHI is, the minimum necessary standard, patient rights to access and amend records, and when disclosures are and are not permitted.
HIPAA Security Rule (~15 min)
Password tips, workstation safety, mobile device rules, encryption needs, and access controls.
Breach Notification (~10 min)
How to spot a breach, how to report it inside your practice, what counts as a reportable breach, and the 60-day notice deadline.
Phishing & Social Engineering (~10 min)
How to spot scam emails, phone tricks (vishing), bad links, and how to report them.
Practice-Specific Policies (~10 min)
Your practice's own rules: where PHI is kept, who can access it, how to dispose of it, vendor handling, and contact guidelines.
Role-Based Training (15–30 min)
Extra training for specific roles: front desk (check-in, phone calls), billing (claims), and IT (access, backups).
How Training Is Delivered and Documented
Delivery Methods
We offer HIPAA training in several formats to fit your schedule:
- Online self-paced modules — complete anytime, anywhere
- Live virtual sessions — scheduled group training with Q&A
- On-site training — available for practices in the New York metro area
- Recorded sessions — for staff who miss live training
Documentation & Attestation
Good records are key to audit readiness. Every session produces:
- Completion certificates — individual attestation for each employee
- Training log — date, topics covered, attendees, trainer name
- Signed acknowledgment — employee signature confirming understanding
- Quiz results — comprehension verification (optional but recommended)
Why documentation matters: During an OCR audit or breach investigation, you must prove that your workforce was trained. Verbal "we told them about HIPAA" is not sufficient. Written attestations, training logs, and completion records are the minimum documentation standard. Pair training documentation with a Security Risk Assessment to demonstrate a comprehensive compliance program.
Training Questions from Small Practices
HIPAA requires training upon hiring and periodically thereafter. HHS interprets "periodically" as at least annually. New employees must be trained before accessing PHI. Additional training is required after material policy changes or security incidents.
Yes. HIPAA defines "workforce" broadly. It covers employees, volunteers, trainees, and anyone under your control — paid or not. If they touch PHI, they must be trained.
One Guy Consulting's annual refresher training takes under 60 minutes. New hire orientation takes approximately 45 minutes. Role-specific supplemental training adds 15 to 30 minutes depending on the role.
Your Sanctions Policy should cover training refusals. If someone refuses training, do not give them access to PHI. Write down the refusal and what you did about it. This shows you take compliance seriously.
HIPAA does not require a specific format. Online, in-person, or a mix all work — as long as the content is thorough, tracked, and understood. Most small practices prefer online self-paced training.
HIPAA training is included in both One Guy Consulting plans. The Self-Guided plan at $675/year includes self-paced training modules. The Full-Scope plan at $1,300/year includes facilitated training sessions with a Certified HIPAA Professional. There are no per-user fees. See the full pricing breakdown.
Ready to Train Your Team?
Book a free 30-minute intro call. We will assess your training needs and recommend the right approach for your practice size and schedule.