HIPAA training is required by law for workforce members of Covered Entities and Business Associates who handle protected health information (PHI). The requirement is established under the HIPAA Privacy Rule (45 CFR 164.530(b)) and reinforced by the HIPAA Security Rule (45 CFR 164.308(a)(5)). The Privacy Rule requires Covered Entities to train all members of their workforce on the policies and procedures relevant to their job functions, and to retrain workforce members when those policies change materially. The Security Rule requires a security awareness and training program for all workforce members, including management, not only those with day-to-day access to electronic protected health information (ePHI), because anyone who can be phished, tailgated, or socially engineered is a path to ePHI.
Who the Law Covers
The training obligation applies to Covered Entities, which include healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses. It also applies to Business Associates, defined as organizations or individuals that create, receive, maintain, or transmit PHI on behalf of a Covered Entity. Business Associates are directly subject to the Security Rule's training standard, and their Business Associate Agreements typically impose Privacy Rule obligations as well. Business Associate employees who access, use, or disclose PHI must therefore receive training appropriate to their roles and to the terms of the applicable Business Associate Agreement.
Documentation and Enforcement
Training must be documented, and the documentation must be retained for at least six years from the date it was created or last in effect. The Department of Health and Human Services Office for Civil Rights reviews training records during compliance investigations and audits. Absence of training documentation has been cited in enforcement actions and contributes to findings of willful neglect, the penalty tier that carries the highest fines. An organization cannot demonstrate compliance without records showing who was trained, when, and on what content, so each training event should be logged against the individual, dated, and tied to a specific version of the course material.
Training Options for Employees and Business Associates
HIPAA Journal Training offers online, comprehensive courses designed for both initial onboarding and annual refresher training. Covered Entities can enroll workforce members in The HIPAA Journal Training course for employees, which addresses the Privacy, Security, and Breach Notification obligations applicable to healthcare staff. Business Associates can enroll their workforce in The HIPAA Journal Training course for Business Associate employees, which covers the specific obligations that apply to organizations handling protected health information under a Business Associate Agreement.