A $750,000 Wake-Up Call That Started with Untrained Staff
In December 2015, the University of Washington Medicine agreed to a $750,000 settlement with OCR after a malware incident exposed roughly 90,000 patients' ePHI. OCR's formal findings centered on gaps in risk assessment and in policies for preventing, detecting, and correcting security violations, but the infection itself began when an employee opened a malicious email attachment, exactly the failure that security awareness training exists to prevent. They weren't the first. They won't be the last.
If you're an employer at a covered entity or business associate, HIPAA training requirements for employers aren't optional guidance — they're federal mandates baked into the Privacy Rule and Security Rule. And OCR doesn't care whether you thought someone else was handling it.
This guide breaks down exactly who you must train, what the training must cover, how often it needs to happen, and what enforcement actions look like when employers skip these steps. If you run a medical practice, health plan, clearinghouse, or any business associate operation, this is the compliance baseline you can't afford to miss.
What Does Federal Law Actually Require?
Two separate HIPAA rules impose training obligations on employers. Both carry independent enforcement consequences.
The Privacy Rule: 45 CFR § 164.530(b)
The HIPAA Privacy Rule requires every covered entity to train all members of its workforce on policies and procedures related to protected health information (PHI). The regulation uses the word "workforce" deliberately — it includes employees, volunteers, trainees, and any person under the organization's direct control, whether or not they receive compensation.
The timing is spelled out in § 164.530(b)(2)(i): each new workforce member must be trained within a reasonable period of time after joining, and each member whose functions are affected by a material change to policies or procedures must be retrained within a reasonable period after the change takes effect. There is no exemption for small practices, rural clinics, or employers who believe their staff "don't touch PHI."
The Security Rule: 45 CFR § 164.308(a)(5)
The Security Rule adds another layer. It requires covered entities and business associates to implement a security awareness and training program for all members of the workforce, including management. Its implementation specifications name periodic security reminders, protection from malicious software, log-in monitoring, and password management. Those four are "addressable," which does not mean optional: if you decide one is not reasonable and appropriate for your environment, you must document why and implement an equivalent alternative where one exists.
Notice: HHS doesn't say "clinical staff" or "people with EHR access." It says all members of the workforce.
Who Exactly Must Be Trained?
This is where most employers make their first mistake. HIPAA's definition of "workforce" is broader than your payroll roster.
- Full-time and part-time employees — every single one, including those in billing, IT, administration, and janitorial roles
- Temporary staff and contractors under your direct control
- Volunteers — including unpaid interns and community service workers
- Trainees and students — medical residents, nursing students, and externs rotating through your facility
- Management and executives — the Security Rule explicitly includes them
I've seen dental practices skip training for their front desk staff because "they just answer phones." Those front desk staff handle appointment scheduling, insurance verification, and patient check-in — all PHI-intensive activities. A focused course like the HIPAA Training for Employees: Front Desk & Reception exists precisely because this role carries outsized compliance risk.
How Often Must HIPAA Training Happen?
Here's the answer OCR gives, and the answer that actually keeps you safe — they're not the same.
The Regulatory Minimum
The Privacy Rule requires training for new workforce members "within a reasonable period of time" after joining and whenever policies materially change. The Security Rule requires an ongoing "security awareness and training program" but doesn't specify a calendar interval.
What OCR Actually Expects
In every corrective action plan I've reviewed, OCR mandates annual training as part of the remediation. That's not coincidence — it's the de facto standard. If you train your workforce once and never revisit it, you're building an enforcement case against yourself.
Annual refresher training keeps your organization current with regulatory changes, emerging threats, and new internal policies. Our Annual HIPAA Refresher course is designed specifically for this cycle — it's built to satisfy the recurring training expectation without repeating content your workforce has already mastered.
The $5.5 Million Lesson Most Employers Haven't Learned Yet
In 2017, Memorial Healthcare System paid $5.5 million to settle HIPAA violations that included impermissible access to PHI by employees and affiliated physician office staff. The investigation found that the login credentials of a former employee of an affiliated physician's office had been used to access patient records daily for more than a year, and that the organization had not been reviewing or terminating users' access rights.
Proper training doesn't just check a box. It creates the behavioral expectation that accessing PHI without a legitimate purpose is a fireable offense and a federal violation. Without that training, staff members often don't understand the boundaries — and employers can't credibly claim they enforced them.
OCR's enforcement pattern is consistent: when a breach happens, investigators ask for training records first. If you can't produce them, the conversation shifts from "incident response" to "willful neglect."
What Must HIPAA Training for Employers Cover?
The regulations don't prescribe a specific curriculum, but OCR's guidance and enforcement history make the required content clear.
Privacy Rule Training Must Include:
- What constitutes PHI and how your organization uses and discloses it
- Patient rights under HIPAA (access, amendment, accounting of disclosures)
- Your organization's Notice of Privacy Practices
- Minimum necessary standard
- Internal policies and procedures specific to each role
- How to report suspected violations internally
Security Rule Training Must Include:
- Handling and protection of ePHI
- Password management and access controls
- Recognizing phishing, social engineering, and malware threats
- Physical security of devices and workstations
- Incident reporting procedures
Breach Notification Rule Awareness:
- What constitutes a breach versus a security incident
- Internal reporting obligations and timelines
- The notification clock: affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery, regardless of breach size; breaches affecting 500 or more individuals must also be reported to HHS (and, for a state or jurisdiction, to prominent media) within that same window, while smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year
Your training program should also address role-based responsibilities. A billing coordinator faces different PHI risks than a systems administrator. Generic, one-size-fits-all training misses this — and OCR knows it.
What Documentation Does OCR Expect?
Training without documentation is training that never happened. Here's what you need to maintain:
- Training logs with dates, attendee names, and topics covered
- Signed attestations or electronic completion records from each workforce member
- Copies of training materials — slides, handouts, course content
- Records of policy updates that triggered retraining
HIPAA requires you to retain these records for six years from the date of creation or the date the policy was last in effect — whichever is later. If OCR comes knocking in 2026 about a 2022 incident, you need to produce records from that period.
Can Employers Use Online Training to Meet HIPAA Requirements?
Yes. Neither the regulations nor OCR guidance mandates in-person training. Online, self-paced courses satisfy the requirement as long as the content is comprehensive, role-appropriate, and documented. In fact, online training often produces better audit trails than live sessions because completion is tracked automatically.
What matters is substance, not format. A 15-minute video with no assessment and no record of who completed it is hard to defend in an investigation. A structured course like HIPAA Fundamentals, covering the Privacy Rule, Security Rule, and Breach Notification Rule, gives your workforce the foundation OCR expects and generates the completion records your compliance officer needs.
Three Mistakes Employers Make Every Year
1. Training Only Clinical Staff
Your IT team handles servers storing ePHI. Your HR department sees health information while processing FMLA and workers' comp paperwork (those employment records are excluded from the definition of PHI when held in your role as employer, but HR staff are still workforce members and still encounter PHI elsewhere). Your janitorial staff accesses areas where PHI sits on desks and in trash bins. If they're in your workforce, they need training.
2. No Retraining After Policy Changes
Switched EHR platforms? Updated your breach response plan? Adopted a new telehealth policy? Each of these triggers a retraining obligation under 45 CFR § 164.530(b)(2)(i)(C) for every workforce member whose functions the change affects. I've seen organizations update their Notice of Privacy Practices and never tell a single employee.
3. Treating Training as a One-Time Event
New hire orientation is the beginning, not the end. Threats evolve. Regulations change. Staff forget. Annual training isn't gold-plating — it's the recognized standard that separates compliant organizations from negligent ones.
Building a Training Program That Survives an OCR Audit
Here's the framework I recommend to every employer I work with:
- Day one: Every new workforce member completes foundational HIPAA training before accessing any PHI or systems containing ePHI.
- Annually: All workforce members complete refresher training covering regulatory updates, emerging threats, and organization-specific policy changes.
- Role-specific modules: Front desk staff, billing teams, IT administrators, and clinical personnel each receive targeted content reflecting their actual PHI exposure.
- Policy-triggered retraining: Any material change to privacy or security policies triggers a focused retraining session within 30 days.
- Documentation: Every session — online or in person — generates a dated completion record stored for a minimum of six years.
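The five checkpoints above, together with the six-year retention rule from the documentation section, are concrete enough to audit mechanically. The script below is an added example, not code from the original page or from HIPAACertify. The roster, training log, and policy-change dates are constructed sample data; the 365-day refresher interval and 30-day post-change window are this page's recommendations rather than intervals set by the regulation, and the retention calculation follows the "six years from creation or from when the policy was last in effect, whichever is later" rule.

```python
"""Audit a training log against the day-one, annual, policy-change and retention rules.

Added example with constructed sample data; not the page's or HIPAACertify's code.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

ANNUAL_INTERVAL = timedelta(days=365)       # refresher cadence (page recommendation)
POLICY_RETRAIN_WINDOW = timedelta(days=30)  # window after a material change (page recommendation)
RETENTION_YEARS = 6                         # 45 CFR 164.530(j)(2) and 164.316(b)(2)(i)


@dataclass(frozen=True)
class Worker:
    name: str
    role: str
    start: date                     # date joined the workforce
    phi_access: Optional[date]      # date first granted PHI/system access, None if never


@dataclass(frozen=True)
class Training:
    person: str
    course: str                     # "foundations", "annual_refresher", or a policy name
    completed: date


@dataclass(frozen=True)
class PolicyChange:
    policy: str                     # course the affected workforce must complete afterwards
    effective: date
    affected_roles: FrozenSet[str]  # only members whose functions the change affects


def audit(workers: List[Worker], trainings: List[Training],
          changes: List[PolicyChange], as_of: date) -> Dict[str, List[str]]:
    """Return {worker name: [finding, ...]}; an empty list means no gap as of `as_of`."""
    log: Dict[str, List[Training]] = {}
    for t in trainings:
        log.setdefault(t.person, []).append(t)

    findings: Dict[str, List[str]] = {}
    for w in workers:
        issues: List[str] = []
        mine = sorted(log.get(w.name, []), key=lambda t: t.completed)

        # Day one: foundational training on record and completed before PHI/system access.
        foundations = [t for t in mine if t.course == "foundations"]
        if not foundations:
            issues.append("no foundational HIPAA training on record")
        elif w.phi_access is not None and foundations[0].completed > w.phi_access:
            issues.append(f"PHI access granted {w.phi_access} before foundational "
                          f"training on {foundations[0].completed}")

        # Annually: most recent training of any kind must be within the interval.
        if mine and as_of - mine[-1].completed > ANNUAL_INTERVAL:
            issues.append(f"last training {mine[-1].completed} is more than a year old")

        # Policy-triggered: retraining after each effective change that affects this role.
        for c in changes:
            if w.role not in c.affected_roles or c.effective > as_of or c.effective < w.start:
                continue  # unaffected, not yet effective, or joined later (covered by foundations)
            deadline = c.effective + POLICY_RETRAIN_WINDOW
            done = [t for t in mine if t.course == c.policy and t.completed >= c.effective]
            if not done and as_of > deadline:
                issues.append(f"no retraining for '{c.policy}' (effective {c.effective}, "
                              f"deadline {deadline})")
            elif done and done[0].completed > deadline:
                issues.append(f"retraining for '{c.policy}' completed late on "
                              f"{done[0].completed} (deadline {deadline})")
        findings[w.name] = issues
    return findings


def retention_expiry(created: date, last_in_effect: date) -> date:
    """Earliest date a record may be destroyed: six years from creation or from the date
    the policy was last in effect, whichever is later. For a completion record, pass the
    completion date for both arguments."""
    anchor = max(created, last_in_effect)
    try:
        return anchor.replace(year=anchor.year + RETENTION_YEARS)
    except ValueError:  # 29 February landing in a non-leap year
        return anchor.replace(year=anchor.year + RETENTION_YEARS, day=28)


# Constructed sample data (not real records).
AS_OF = date(2026, 3, 1)
WORKERS = [
    Worker("ana", "front_desk", date(2024, 2, 1), date(2024, 2, 1)),
    Worker("ben", "billing", date(2025, 1, 6), date(2025, 1, 6)),
    Worker("cai", "it", date(2025, 9, 15), date(2025, 9, 15)),
    Worker("dee", "facilities", date(2025, 11, 3), None),
]
TRAININGS = [
    Training("ana", "foundations", date(2024, 2, 1)),
    Training("ana", "annual_refresher", date(2025, 2, 10)),       # stale by AS_OF
    Training("ben", "foundations", date(2025, 1, 6)),
    Training("ben", "breach_response_plan", date(2025, 10, 20)),  # inside the 30-day window
    Training("ben", "annual_refresher", date(2026, 1, 12)),
    Training("cai", "foundations", date(2025, 9, 22)),            # a week after access was granted
    Training("cai", "breach_response_plan", date(2025, 11, 25)),  # after the 2025-11-02 deadline
]
CHANGES = [
    PolicyChange("breach_response_plan", date(2025, 10, 3),
                 frozenset({"front_desk", "billing", "it"})),
]

if __name__ == "__main__":
    for name, issues in audit(WORKERS, TRAININGS, CHANGES, AS_OF).items():
        print(name, "OK" if not issues else "; ".join(issues))
    print("retain 2022-05-04 record until", retention_expiry(date(2022, 5, 4), date(2022, 5, 4)))
```

Run against the sample data, the audit flags ana (stale refresher and no retraining after the breach-plan change), cai (access granted before foundations, late retraining), and dee (no training at all), and passes ben. Feed it a roster export and your LMS completion log and the same four rules give you the list OCR would ask about.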
Browse the full HIPAACertify training catalog to build a program that covers each of these checkpoints.
The Bottom Line for Employers in 2026
HIPAA training requirements for employers are not ambiguous. The Privacy Rule demands it. The Security Rule demands it. OCR enforces it — with settlements routinely reaching six and seven figures. Every workforce member, every year, documented and retained.
The employers who get this right don't treat training as a regulatory nuisance. They treat it as the cheapest insurance policy they'll ever buy. Because when a breach happens — and in 2026's threat landscape, it's when, not if — the first question OCR asks is simple: "Show me your training records."
Make sure you have an answer.