A hospital in Texas fired a records clerk in 2023 after she accessed the medical files of 14 patients she had no clinical reason to view. The organization discovered the breach during a routine audit — and then discovered something worse. The clerk had never completed HIPAA and Privacy Act training. Not once in three years of employment. The resulting OCR investigation didn't go well for the hospital.

If you work at a covered entity or business associate, you've probably sat through some version of privacy training. But here's what I see constantly: organizations treat HIPAA and Privacy Act training as a checkbox exercise, and they conflate two separate laws into one vague PowerPoint. That gap between "we did something" and "we did it right" is where enforcement actions live.

This post breaks down exactly what HIPAA and Privacy Act training must cover, where these two laws overlap and diverge, and what happens when your workforce gets it wrong.

HIPAA vs. the Privacy Act of 1974: They Are Not the Same Law

I cannot overstate how often I see these two frameworks treated as interchangeable. They are not. HIPAA — the Health Insurance Portability and Accountability Act — governs how covered entities and business associates handle protected health information (PHI). The HIPAA Privacy Rule applies to health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like), plus the business associates that handle PHI on their behalf.

The Privacy Act of 1974 (5 U.S.C. § 552a) is a different statute entirely. It regulates how federal agencies collect, maintain, use, and disseminate personally identifiable information (PII) held in systems of records, and it applies whether or not the records are health-related. If you work for a federal agency that is also a HIPAA covered entity, such as the VA or the Department of Defense's Military Health System, both laws apply to you at the same time.

Why This Distinction Matters for Your Training Program

If your organization is a federal healthcare entity, your workforce needs training on both HIPAA and the Privacy Act. Most private-sector covered entities only need HIPAA training. But here's the catch: the Department of Defense's "HIPAA and Privacy Act Training" course — often referenced as the JKO module — has become so widely known that many private-sector HR teams think they need it too.

They don't. What they need is HIPAA-specific training tailored to their actual workflows, patient populations, and risk environment. A generic federal module won't satisfy OCR if your training doesn't address the specific PHI risks your staff encounters daily.

The $5.5 Million Lesson in Skipping Workforce Training

In 2017, Memorial Healthcare System paid $5.5 million to settle HIPAA violations after the ePHI of 115,143 individuals was accessed without authorization, including through a former employee's login credentials that were never deactivated. OCR's findings centered on the organization's failure to regularly review records of information system activity (audit logs and access reports) and its failure to manage and terminate users' access rights; the corrective action plan required revised policies and retraining of the workforce on them. The settlement made clear that training was not optional: it was a regulatory expectation that Memorial had fumbled.

OCR doesn't require a specific curriculum. What it requires is that every member of your workforce receives training on your organization's HIPAA policies and procedures. The Privacy Rule at 45 CFR § 164.530(b) requires a covered entity to train all workforce members on its PHI policies and procedures "as necessary and appropriate" for their functions, and § 164.530(j) requires that the training be documented. The Security Rule at 45 CFR § 164.308(a)(5) separately mandates a security awareness and training program for all workforce members, including management.

What "Reasonable and Appropriate" Actually Means

OCR uses the phrase "reasonable and appropriate" throughout its guidance. In my experience, that translates to three things:

  • Role-based content. Your front desk staff faces different PHI risks than your behavioral health clinicians. Training should reflect that. If you manage a mental health practice, HIPAA training designed for mental and behavioral health covers the nuances of psychotherapy notes, 42 CFR Part 2, and substance use disorder records that generic training misses entirely.
  • Documented completion. Every training session must be logged with the date, participant name, and topic covered, and the Privacy Rule requires those records to be retained for six years. If you can't produce them during an OCR investigation, you effectively didn't train anyone.
  • Periodic refreshers. Annual retraining is the industry convention, not a regulatory interval. What the Privacy Rule does fix is the triggers: new workforce members must be trained within a reasonable period after joining, and anyone whose job is affected by a material change in your policies — say, you adopt a new patient portal — must be retrained within a reasonable period after the change.

What HIPAA and Privacy Act Training Must Actually Cover

Here's the section I'd want if I were searching for this topic. If your training program doesn't address every one of these areas, it has gaps that an OCR investigator will find.

Core HIPAA Training Elements

  • The Privacy Rule: Who can access PHI, minimum necessary standard, patient rights (access, amendment, accounting of disclosures), and notice of privacy practices.
  • The Security Rule: Administrative, physical, and technical safeguards for ePHI. Password policies, workstation security, encryption, and audit controls.
  • Breach Notification Rule: What constitutes a breach (including the four-factor risk assessment used to decide whether an impermissible use or disclosure is reportable), the requirement to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, notice to HHS (within 60 days for breaches affecting 500 or more people, otherwise in an annual log) and to prominent media outlets for breaches affecting more than 500 residents of a state, and the role of HHS and OCR in enforcement.
  • Permitted Uses and Disclosures: Treatment, payment, healthcare operations — and the authorizations required for everything else.
  • Sanctions Policy: Your staff needs to know what happens internally when someone violates HIPAA. Vague threats don't count.

Additional Privacy Act Elements (Federal Entities Only)

  • The system of records notice (SORN) requirement.
  • Individual rights to access and amend records held by a federal agency.
  • Criminal penalties under 5 U.S.C. § 552a(i) for willful, unauthorized disclosures by agency officers and employees.
  • The "routine use" exception and how it interacts with HIPAA's permitted disclosures.

If you're building a program from scratch or onboarding new employees, the New Hire Onboarding: HIPAA + Security Awareness course covers both the Privacy Rule and Security Rule fundamentals in a single, structured module. That's the fastest way to get new staff compliant before they ever touch a patient record.

Who Exactly Needs This Training?

The HIPAA definition of "workforce" is broader than most people realize. It includes employees, volunteers, trainees, and any person whose conduct is under the direct control of your covered entity — whether or not they are paid. That means your unpaid interns in the billing office need the same training as your chief privacy officer.

I've seen organizations exclude IT contractors because "they're not really employees." That argument collapses immediately under OCR scrutiny. If a contractor has access to ePHI and operates under your direct control, they're workforce. Train them. If they are not under your direct control, they don't escape the requirement either: a vendor that handles PHI on your behalf is a business associate, which means a signed BAA and their own training obligations under the Security Rule.

The Business Associate Angle

Business associates have their own training obligations: since the HIPAA Omnibus Rule they are directly liable for Security Rule compliance, including the security awareness and training requirement at 45 CFR § 164.308(a)(5). If your cloud hosting provider, billing company, or shredding service handles PHI on your behalf, their staff needs HIPAA training too. Your business associate agreement (BAA) should explicitly require it — and you should verify compliance, not just assume it.

How Often Should You Retrain? The Answer OCR Actually Gives

HIPAA doesn't specify an exact interval. The Privacy Rule says training must occur "as necessary and appropriate," and it names only two fixed triggers: new workforce members within a reasonable period after joining, and affected workforce members within a reasonable period after a material change in policies. In practice, OCR expects — and every settlement agreement I've reviewed confirms — that annual training is the baseline. Beyond that, you need additional training whenever:

  • You adopt new technology that touches PHI (telehealth platforms, patient portals, new EHR systems).
  • Your organization experiences a breach or near-miss.
  • You update policies or procedures.
  • An employee changes roles and gains access to new categories of PHI.

The HIPAA Introduction Training 2026 is built for annual refreshers — it's current with the latest HHS guidance and covers the regulatory landscape as it stands right now, not five years ago.

The Real Cost of Getting HIPAA and Privacy Act Training Wrong

Let's talk numbers. OCR's enforcement record speaks for itself:

  • Premera Blue Cross (2020): $6.85 million settlement after a breach affecting 10.4 million people. OCR found that Premera had failed to conduct an enterprise-wide risk analysis, implement risk management measures, or implement audit controls; the corrective action plan required revised policies and workforce training on them.
  • Anthem Inc. (2018): $16 million — the largest HIPAA settlement in history at the time — after a breach affecting nearly 79 million people. OCR's findings included an inadequate risk analysis, insufficient procedures for reviewing information system activity, failure to identify and respond to suspected security incidents, and inadequate access controls; workforce training on the corrected policies was again part of the corrective action plan.
  • Memorial Healthcare System (2017): $5.5 million, as noted above, where unreviewed access logs let the misuse run for a year and the corrective action plan put retraining front and center.

These aren't theoretical risks. They're public enforcement actions documented on the HHS Resolution Agreements page. Every one of them involved organizations that believed they were "probably compliant enough."

Building a Training Program That Survives an Audit

After fifteen years in this space, here's the framework I recommend:

  • Map your workforce. Every person with PHI access gets listed. No exceptions for part-timers, volunteers, or contractors under your control.
  • Assign role-based training. Administrative staff get one track. Clinical staff get another. IT staff get a third. One-size-fits-all doesn't survive scrutiny.
  • Document everything. Use a learning management system or at minimum a signed attestation form with date, name, and training topic.
  • Test comprehension. A quiz or assessment demonstrates that your staff didn't just click through slides. OCR has specifically noted the value of testing in corrective action plans.
  • Retrain annually and on trigger events. Set calendar reminders. Automate it if possible.
  • Review and update content annually. HHS guidance evolves. Your training should evolve with it.
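The framework above, together with the trigger events listed under "How Often Should You Retrain?", reduces to a join between your workforce map and your training log. The following is an added example, not code from the original post or from any HIPAACertify course: it runs that join over a constructed roster and log and reports every workforce member whose record would not survive a records request. The role-to-track mapping, the 365-day refresher interval (the industry baseline the post describes, not a regulatory number), and the 30-day new-hire grace period are assumptions chosen for illustration, and all names and dates are made up.

```python
"""HIPAA training-compliance check: workforce roster joined to the training log.

Added example (not part of the original page). Flags workers with no passed
training record for their role's track, records older than the annual baseline,
and records that predate a trigger event (role change or material policy update).
All records below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

ANNUAL = timedelta(days=365)         # annual refresher baseline (assumption, not a regulatory interval)
NEW_HIRE_GRACE = timedelta(days=30)  # "reasonable period" for new hires (assumption)

# Role -> required training track. Track names are illustrative assumptions.
REQUIRED_TRACK = {
    "front_desk": "hipaa_admin",
    "clinician": "hipaa_clinical",
    "it_contractor": "hipaa_security",   # contractors under direct control are workforce
    "billing_intern": "hipaa_admin",     # unpaid interns are workforce too
}

@dataclass
class Worker:
    worker_id: str
    name: str
    role: str
    start_date: date
    last_role_change: date | None = None  # trigger event: role change

@dataclass
class Completion:
    worker_id: str
    track: str
    completed_on: date
    assessment_passed: bool  # comprehension test; a click-through does not count

@dataclass
class Finding:
    worker_id: str
    issue: str

def audit_training(workers, completions, policy_updates, as_of):
    """Return a list of Findings; an empty list means everyone is current.

    policy_updates maps track -> date of the last material policy change for
    that track (trigger event: policy update).
    """
    findings = []
    by_worker: dict[str, list[Completion]] = {}
    for c in completions:
        by_worker.setdefault(c.worker_id, []).append(c)

    for w in workers:
        track = REQUIRED_TRACK.get(w.role)
        if track is None:
            findings.append(Finding(w.worker_id, f"role {w.role!r} has no assigned training track"))
            continue
        # Only passed completions of the right track, dated on or before the audit date, count.
        passed = [c for c in by_worker.get(w.worker_id, [])
                  if c.track == track and c.assessment_passed and c.completed_on <= as_of]
        if not passed:
            if w.start_date + NEW_HIRE_GRACE > as_of:
                findings.append(Finding(w.worker_id, f"new hire: no passed {track} record yet; grace period ends {w.start_date + NEW_HIRE_GRACE}"))
            else:
                findings.append(Finding(w.worker_id, f"no passed {track} record on file"))
            continue
        latest = max(c.completed_on for c in passed)
        if as_of - latest > ANNUAL:
            findings.append(Finding(w.worker_id, f"{track} completion on {latest} is older than 365 days"))
        if w.last_role_change and latest < w.last_role_change:
            findings.append(Finding(w.worker_id, f"role changed {w.last_role_change}; no {track} training since"))
        updated = policy_updates.get(track)
        if updated and latest < updated:
            findings.append(Finding(w.worker_id, f"{track} policy updated {updated}; no training since"))
    return findings

# Constructed sample data: five workers, one audit date, one policy update.
AS_OF = date(2026, 3, 1)
WORKERS = [
    Worker("w1", "Ana (front desk)", "front_desk", date(2021, 5, 3)),
    Worker("w2", "Ben (clinician)", "clinician", date(2019, 8, 12)),
    Worker("w3", "Cy (IT contractor)", "it_contractor", date(2024, 1, 15)),
    Worker("w4", "Dee (billing intern)", "billing_intern", date(2026, 2, 20)),
    Worker("w5", "Eli (moved to clinical)", "clinician", date(2020, 3, 1), last_role_change=date(2025, 11, 1)),
]
COMPLETIONS = [
    Completion("w1", "hipaa_admin", date(2025, 9, 10), True),      # current, but predates a policy update
    Completion("w2", "hipaa_clinical", date(2024, 12, 1), True),   # older than 365 days
    Completion("w3", "hipaa_security", date(2025, 6, 5), False),   # clicked through, failed the assessment
    Completion("w5", "hipaa_clinical", date(2025, 4, 2), True),    # completed before the role change
]
POLICY_UPDATES = {"hipaa_admin": date(2025, 10, 1)}  # e.g. new patient-portal procedures

if __name__ == "__main__":
    for f in audit_training(WORKERS, COMPLETIONS, POLICY_UPDATES, AS_OF):
        print(f"{f.worker_id}: {f.issue}")
```

Run as-is it reports exactly one finding per sample worker: a stale policy for w1, an expired record for w2, a failed assessment for w3, an open new-hire window for w4, and an untrained role change for w5. Point it at an export from your LMS and your HR roster and the list it prints is the list an investigator would build from the same records.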

You can explore the full catalog of role-specific courses at HIPAACertify.com's training page to match your workforce to the right content.

Don't Wait for OCR to Tell You What You Already Know

Every organization I've worked with that faced an OCR investigation said some version of the same thing: "We thought our training was good enough." It wasn't. The Privacy Rule, the Security Rule, and — for federal entities — the Privacy Act of 1974 all demand deliberate, documented, ongoing workforce education.

HIPAA and Privacy Act training isn't a formality. It's the single most cost-effective control you have against insider threats, accidental disclosures, and the kind of headline-making breaches that destroy patient trust. Your staff handles PHI every day. Make sure they know exactly what that means — and what happens when they don't.