Myth vs. Fact: HIPAA Training Requirements


HIPAA law is a complex world of “dos,” “don’ts,” and grey areas. You know HIPAA training is required by law, but you may feel unsure exactly how and when you’re supposed to train your staff. What makes it worse is that many vendors mislead HIPAA-covered organizations about what the law actually requires in order to sell a product, such as a HIPAA training program.

But you can’t rely on vendors to tell you what you need to do for your staff. Therefore, making good decisions starts with knowing truth from fiction. In fact, you may find that HIPAA allows for more flexibility than you once thought.

What Is HIPAA Training?

Let’s see what the law actually says and put to rest a couple of common myths about HIPAA training.

§ 164.530(b)(1) Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

§ 164.530(b)(2)(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and
(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.


Myth:  HIPAA training must be done in person.

Fact:  HIPAA does not specify how the training should be accomplished. Therefore, you can train employees in any format you believe will be most effective, whether in person or online. You can train them during employee orientation, email them a PowerPoint presentation, or even have them watch training videos at their workstation. The key is that you give them the information they need to successfully do their job and comply with HIPAA. Whatever format you choose, § 164.530(b)(2)(ii) still requires you to document that the training was provided, so keep a record of who was trained, on what, and when; an auditor will ask for it.

Myth:  HIPAA privacy training must be done every year.

Fact:  The Privacy Rule doesn’t set a training schedule. (The Security Rule does call for periodic security reminders, discussed below, but that is a separate requirement.) According to the Privacy Rule, you must train new employees on HIPAA privacy within a reasonable period of time after they start their job, and you must retrain anyone whose functions are affected by a material change to your policies or procedures, within a reasonable period of time after the change takes effect. Beyond those two triggers, you decide how often to train, based on your organization’s needs; annual training is a common and defensible choice, but it is not something the rule itself mandates.

So, How Should You Do HIPAA Training?

Because HIPAA applies to a large variety of organizations, from huge hospitals to tiny clinics, it’s flexible and allows you to design a training plan that fits your organization’s workflow. You can get basic HIPAA training for free from the U.S. Department of Health and Human Services (HHS). Basic training is good for staff members who are new to the health care industry. You can also use it as a periodic reminder for experienced staff.

However, you’ll need to go beyond the basics. After initial employee training, HIPAA training efforts should be as detailed and department-specific as possible. This is what the rule means by training “as necessary and appropriate for the members of the workforce to carry out their functions”: a front-desk scheduler, a billing clerk, and a database administrator each handle protected health information differently, and each needs to know the specific HIPAA rules or exceptions that apply directly to their day-to-day work.


Lastly, the Security Rule’s security awareness and training standard (§ 164.308(a)(5)) lists periodic security reminders as an addressable implementation specification: you must implement them if doing so is reasonable and appropriate for your organization, or else document why not and what equivalent measure you use instead. For most organizations, sending them is the easy answer, and this requirement doesn’t have to be painful. The HIPAAtrek platform sends security reminders automatically and allows you to create and send messages to all your staff members, which makes training easier. Additionally, HIPAAtrek houses all your policies and procedures, reminding employees to read them and complete other training tasks as needed.

Remember, when creating a HIPAA training plan, don’t rely on others’ interpretation of HIPAA law, and don’t fall prey to deceptive marketing tactics. Read the HIPAA rule for yourself and learn from trustworthy sources, such as HHS. For more information, contact HIPAAtrek at
