In 2023, the HHS Office for Civil Rights (OCR) investigated a mid-size hospital that suffered a breach traceable to a volunteer who accessed patient records without authorization. The hospital argued the volunteer wasn't an employee. OCR disagreed — and imposed a corrective action plan. The reason is straightforward: HIPAA training requirements include volunteers under the direction of an entity, not just salaried staff. This distinction catches more organizations off guard than almost any other workforce compliance issue.
Why HIPAA Training Requirements Include Volunteers Under the Direction of an Entity
The HIPAA Privacy Rule at 45 CFR §160.103 defines "workforce" broadly. It's not limited to employees. The regulatory text states that workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid.
This is not a gray area. If a volunteer operates under your organization's direction — answering phones at the front desk, delivering flowers to patient rooms, assisting with filing, or supporting any function that could involve exposure to protected health information — they are part of your workforce under HIPAA.
The Security Rule at 45 CFR §164.308(a)(5) and the Privacy Rule at 45 CFR §164.530(b) both require covered entities to train all members of their workforce on policies and procedures related to PHI. Volunteers are explicitly included in that mandate.
The Workforce Definition Most Organizations Underestimate
Healthcare organizations consistently struggle with mapping their full workforce. In my work with covered entities, I've seen compliance officers build training programs that cover every full-time and part-time employee — yet completely omit volunteers, student interns, and temporary contractors working on-site.
This is a significant gap. OCR does not ask whether someone receives a paycheck. It asks whether that person performs functions under your direction and could reasonably encounter PHI. If the answer is yes, that person must receive HIPAA training before they begin their duties, and again whenever material changes occur in your policies.
Consider these common volunteer roles in healthcare settings:
- Hospital gift shop attendants who overhear patient conversations
- Volunteers escorting patients between departments
- Community health event volunteers handling sign-up forms with health data
- Clergy or chaplains visiting patients under a hospital's coordination
- Students fulfilling observation hours in clinical areas
Every one of these individuals falls under your HIPAA training obligation.
What Your Volunteer HIPAA Training Program Must Cover
Training for volunteers doesn't need to be identical to training for your billing department or IT staff. The minimum necessary standard applies — you train workforce members based on their role and the level of PHI access that role entails. But certain baseline topics are non-negotiable for every workforce member, including volunteers:
- What constitutes protected health information and why it must be safeguarded
- Your organization's Notice of Privacy Practices and what it communicates to patients
- Permitted uses and disclosures of PHI under the Privacy Rule
- How to report a suspected HIPAA violation or breach internally
- Physical safeguards: not leaving records visible, logging out of systems, escorting visitors in restricted areas
- Sanctions your organization applies for workforce non-compliance
Your HIPAA training and certification program should include a dedicated track or module that addresses volunteer-specific scenarios. Generic training that only references employee responsibilities leaves volunteers confused about how the rules apply to them.
Documentation Is Your Defense in an OCR Investigation
Training volunteers is only half the requirement. You must also document that training occurred. Under 45 CFR §164.530(j), covered entities are required to retain training records for six years from the date of creation or the date the policy was last in effect — whichever is later.
For every volunteer, your records should include the date training was completed, the content covered, the trainer or platform used, and an acknowledgment signature or electronic equivalent. If OCR comes knocking after a breach involving a volunteer, your first line of defense is a complete training record. Without it, you face potential penalties ranging from $100 to $50,000 per violation under the HITECH Act's tiered penalty structure, with annual maximums reaching $1.5 million per violation category.
Organizations that manage high volunteer turnover — hospitals, free clinics, community health centers — benefit significantly from an online, trackable training platform. HIPAA Certify's workforce compliance platform allows you to assign, deliver, and document training for every workforce member, including volunteers, with audit-ready records.
Conduct a Risk Analysis That Accounts for Volunteers
Your HIPAA risk analysis under the Security Rule must evaluate all points where PHI could be accessed, used, or disclosed — and that includes volunteer touchpoints. Where do volunteers physically go in your facility? Do they have badge access to areas with workstations displaying electronic PHI? Could they inadvertently access paper records in nursing stations?
Map these scenarios and build administrative, physical, and technical safeguards around them. Restrict system access so volunteers cannot log into EHR platforms. Ensure paper-based PHI in volunteer-accessible areas is secured. These steps flow directly from a risk analysis that treats volunteers as the workforce members they legally are.
Business Associates and Volunteer Oversight
If your organization sends volunteers to work at or with a business associate — or if a business associate provides volunteers to your facility — clarify training obligations in your Business Associate Agreement. The entity that directs the volunteer's conduct bears the training responsibility. Ambiguity in BAAs has led to enforcement scenarios where neither party trained the volunteer, and both were found deficient.
Act Before OCR Acts for You
OCR enforcement trends over the past several years make one thing unmistakable: regulators expect covered entities to know their workforce and train every member of it. The fact that training requirements include volunteers under the direction of an entity is written plainly in the regulation. Non-compliance is not a technicality — it's a preventable risk.
Audit your volunteer roster today. Verify that every person operating under your direction has completed documented HIPAA training appropriate to their role. If gaps exist, close them now with a structured HIPAA training and certification program designed for your entire workforce — paid and unpaid alike.