Does HIPAA require annual training?


Answer: Yes, from a security awareness perspective it does. The requirement is mandated under the following HIPAA Security Rule provision:

164.308(a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). Notice that the standard says “and” between “security awareness” and “training”, which means that from a compliance perspective, and as a best practice, annual training should cover the following two (2) types:

Security Awareness Training. It’s important to put in place a comprehensive security awareness training program, and what’s deemed “comprehensive” can range from a simple, easy-to-follow PowerPoint presentation to an in-depth online training seminar, along with many other training formats. It’s important that employees and workforce members are keenly aware of today’s growing security threats, challenges, issues, and best practices. Think about how much an employee can gain from knowing, understanding, and comprehending basic security practices such as workstation usage, Internet usage, password rules, and much more. By educating and training employees properly, businesses make a sound, long-term investment that pays dividends for years.

Job-Specific Training. Along with general security awareness training, it’s important that all employees and workforce members maintain and continue to enhance their applicable skills by undertaking annual training. From medical coders to network engineers, everyone can benefit from annual training, and that’s why it should be looked upon as a mandate for both Covered Entities and Business Associates. And think about it for a minute: healthcare organizations spend billions of dollars each year on consulting, security and software services, so shouldn’t some of this budget be allocated to annual security awareness “AND” training for employees and workforce members? Of course it should.

The threats in today’s cyber security world are real, very real, and that’s why HIPAA requires annual training, so make it a top priority within your organization to do just that. Nobody wants a breach of their information systems environment, especially when highly sensitive and critical Protected Health Information (PHI) is at stake, so train all employees and workforce members on an annual basis. It’s well worth it.


Download HIPAA Security Awareness Training, Policies and Toolkits today. NDB also offers industry-leading HIPAA Security and Awareness Training packets, for instant download.

If your organization is in need of a HIPAA audit, and/or SSAE 16 SOC 1 and SOC 2 assessments that include testing of HIPAA provisions and mandates, please contact Charles Denyer at 1-800-277-5415, ext. 705 with the NDB Alliance of Firms. Learn more about NDB by visiting today.