What HIPAA Says About Workforce Training
The HIPAA Security Rule at 45 CFR 164.308(a)(5)(i) requires covered entities and business associates to "implement a security awareness and training program for all members of its workforce (including management)."
The HIPAA Privacy Rule at 45 CFR 164.530(b)(1) requires training on your organization's privacy policies and procedures for "each new member of the workforce within a reasonable period of time after the person joins" and whenever there are "material changes" to those policies.
Key point: HIPAA defines "workforce" broadly. It includes employees, volunteers, trainees, interns, and any person whose conduct is under your direct control — whether or not they are paid. Everyone with access to PHI must be trained.
HIPAA Training Frequency and Cadence
Before First Day with PHI Access
New workforce members must complete HIPAA training before they are given access to Protected Health Information. This includes new hires, temporary staff, volunteers, and contractors. Training should occur during orientation or onboarding.
Annual Refresher Training
HHS interprets HIPAA's "periodic" training requirement as at least once per year for all workforce members. Annual training reinforces key concepts, covers regulatory updates, and addresses new threats like phishing and ransomware.
After Material Policy Changes
When your organization makes material changes to privacy or security policies, affected workforce members must be retrained on the new requirements within a reasonable time frame.
After a Security Incident
Following a breach, near-miss, or security incident, targeted training should address the root cause and reinforce the relevant policies. This is both a best practice and a documented corrective action for OCR investigations.
Training Modules from One Guy Consulting
Our training is designed for small practice staff — under 60 minutes per annual session, delivered in plain language, with completion tracking and attestation certificates.
HIPAA Privacy Rule
What PHI is, the minimum necessary standard, patient rights to access and amend records, and when disclosures are and are not permitted.
~15 min
HIPAA Security Rule
Password best practices, workstation security, mobile device handling, encryption requirements, and access control procedures.
~15 min
Breach Notification
How to recognize a potential breach, internal reporting procedures, what qualifies as a reportable breach, and the 60-day notification timeline.
~10 min
Phishing & Social Engineering
Recognizing suspicious emails, phone-based social engineering (vishing), malicious links, and how to report suspected phishing attempts.
~10 min
Practice-Specific Policies
Your organization's custom policies: where PHI is stored, who has access, disposal procedures, vendor handling, and communication guidelines.
~10 min
Role-Based Training
Additional training for staff in specific roles: front desk (patient check-in, phone calls), billing (claims handling), IT (access management, backups).
15–30 min
How Training Is Delivered and Documented
Delivery Methods
One Guy Consulting delivers HIPAA training through multiple formats to fit your practice schedule:
- Online self-paced modules — complete anytime, anywhere
- Live virtual sessions — scheduled group training with Q&A
- On-site training — available for practices in the New York metro area
- Recorded sessions — for staff who miss live training
Documentation & Attestation
Proper documentation is essential for audit readiness. Every training session produces:
- Completion certificates — individual attestation for each employee
- Training log — date, topics covered, attendees, trainer name
- Signed acknowledgment — employee signature confirming understanding
- Quiz results — comprehension verification (optional but recommended)
Why documentation matters: During an OCR audit or breach investigation, you must prove that your workforce was trained. Verbal "we told them about HIPAA" is not sufficient. Written attestations, training logs, and completion records are the minimum documentation standard.
Training Questions from Small Practices
HIPAA requires training upon hiring and periodically thereafter. HHS interprets "periodically" as at least annually. New employees must be trained before accessing PHI. Additional training is required after material policy changes or security incidents.
Yes. HIPAA defines "workforce" to include employees, volunteers, trainees, and any person under the direct control of the covered entity, whether or not they are paid. If they access PHI, they must be trained.
One Guy Consulting's annual refresher training takes under 60 minutes. New hire orientation takes approximately 45 minutes. Role-specific supplemental training adds 15 to 30 minutes depending on the role.
Your HIPAA Sanctions Policy should address non-compliance with training requirements. An employee who refuses training should not be granted access to PHI. Document the refusal and the corrective action taken. This demonstrates your organization takes compliance seriously.
HIPAA does not mandate a specific delivery method. Online, in-person, or hybrid training are all acceptable as long as the content is comprehensive, documented, and understood by the workforce. Most small practices find online self-paced training the most practical option.
HIPAA training is included in both One Guy Consulting plans. The Self-Guided plan at $675/year includes self-paced training modules. The Full-Scope plan at $1,300/year includes facilitated training sessions with a Certified HIPAA Professional. There are no per-user fees. See the full pricing breakdown.
Ready to Train Your Team?
Book a free 30-minute intro call. We will assess your training needs and recommend the right approach for your practice size and schedule.
Book Your Free Intro Call