45 CFR Part 164 Training

45 CFR Part 164 training refers to the workforce education requirements established under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, all of which are codified within this part of the federal regulations. The HIPAA Journal’s training courses are structured to address each of these 45 CFR Part 164 training requirements as distinct compliance obligations. Under 45 CFR §164.530(b)(1), the HIPAA Privacy Rule requires that all workforce members receive training on the policies and procedures governing protected health information, calibrated to what is necessary and appropriate for each individual’s job functions. Separately, 45 CFR §164.308(a)(5)(i) under the HIPAA Security Rule requires a security awareness and training program covering every workforce member, including management. The HIPAA Breach Notification Rule adds a further requirement: workforce members must understand what constitutes a breach of unsecured protected health information and how to report a suspected incident through internal escalation procedures. These three obligations sit within the same part of the regulation but are independent of one another, and satisfying one does not satisfy the others. A training program must address each requirement on its own terms to meet the overall standard set out in 45 CFR Part 164.

The HIPAA Privacy Rule Training Requirement

The HIPAA Privacy Rule training requirement applies to every workforce member who accesses, uses, or discloses protected health information in any capacity, regardless of role or seniority. Training must cover permitted and required uses and disclosures, patient rights under the regulation, and how the HIPAA Minimum Necessary Rule applies to routine access and disclosure decisions. The requirement also has a timing component: new workforce members must receive training within a reasonable period after joining the organization, and additional training is required when a material change in policies or procedures affects a workforce member’s functions. A program that delivers training only at fixed annual intervals without a mechanism for identifying these triggered updates does not fully satisfy the standard.

The HIPAA Security Rule Training Requirement

The security awareness training requirement under the HIPAA Security Rule is independent of the Privacy Rule training obligation and applies to all workforce members with access to systems containing electronic protected health information, including administrative staff and management who do not handle clinical records directly. Training must address the behavioral and technical risks that most commonly lead to unauthorized access, including phishing, credential misuse, social engineering, and improper handling of devices and media. An organization that provides HIPAA Privacy Rule training without a corresponding security awareness program has met only part of its obligations under 45 CFR Part 164.

The HIPAA Breach Notification Rule Training Requirement

Workforce members must be able to distinguish a security incident from a reportable breach and understand the internal procedures for escalating a suspected incident. Under 45 CFR §164.410, a business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. Meeting that deadline depends on workforce members recognizing and reporting incidents promptly, which makes breach notification training a practical operational requirement rather than a theoretical one.

How The HIPAA Journal’s Courses Address Each Requirement

Courses including HIPAA Training for Employees, HIPAA Training for Business Associate Employees, HIPAA Training for Small Medical Practice Employees, and the specialist practice programs each contain mandatory modules that treat the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule as separate subjects rather than combining them into a single general overview. Staff learn how the HIPAA Minimum Necessary Rule governs their access and disclosure decisions, what safeguards the HIPAA Security Rule expects of them in their day-to-day work, and how to identify and escalate a potential breach within the timeframe the HIPAA Breach Notification Rule requires.

To meet the security awareness training obligation at 45 CFR §164.308(a)(5)(i), The HIPAA Journal provides dedicated cybersecurity programs, including Cybersecurity Training for Healthcare Employees and Cybersecurity Training for Business Associate Employees. These courses can be deployed alongside HIPAA Privacy Rule training so that both obligations under 45 CFR Part 164 are managed through a single coordinated program with a combined discount applied.

Documentation Required Under 45 CFR Part 164

Both 45 CFR §164.530(b)(2)(i) and 45 CFR §164.308(a)(5) require organizations to maintain records demonstrating that training was completed, including the dates of completion, for a minimum of six years. During an Office for Civil Rights investigation, training that cannot be demonstrated through records is treated as training that did not occur. The HIPAA Journal Training platform generates these records automatically as each workforce member progresses through a course, with an administration dashboard that shows completion status by individual and module, exportable in formats suitable for audit submission.

Individual Certification Under 45 CFR Part 164

Individuals who need to demonstrate 45 CFR Part 164 training independently of an employer-provided program, including compliance officers, privacy officers, and consultants, can complete the Accredited HIPAA Certification for Individuals. This course covers the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule and issues an accredited certificate upon completion, verifiable through The HIPAA Journal’s certificate verification system.

Author: PJ Murray

PJ Murray founded and is the publisher of The HIPAA Journal. He is committed to advancing the publication’s goal of promoting HIPAA compliance and safeguarding patient privacy by helping organizations and their employees better understand the regulations, as well as the importance of securing patient information and maintaining data security. PJ has experience in software development, has earned an engineering degree, and specialises in the cybersecurity aspects of protecting medical records and training healthcare staff on HIPAA.