Free HIPAA Training: You Get What You Pay For

April 8, 2020

Many companies claim to offer “Free HIPAA Training,” promising to train you and your workforce in all aspects of the HIPAA law and HIPAA rules. Many of these same companies claim that, through their “Free HIPAA Training Process,” you, the trainee, will become “HIPAA-certified.” Clichés are often clichés for a reason; with respect to these “Free HIPAA Training Offers,” the old adage applies: If something sounds too good to be true, it is too good to be true. This article explains why.

“Must” v. “Should” – What’s the Difference?

Let’s start at a basic level. When a law or regulation is created, the law or regulation may contain, within its language, a training requirement. This requirement will specify matters such as:

  • Who must be trained
  • What topics or issues the training must cover
  • When (how often) training must be provided
  • Where training must be provided (e.g., onsite, or through streaming a video in the comfort of one’s home)
  • How training must be provided (e.g., online, in-person)

If the law or regulation (or any other law or regulation) does not specify any additional required training, then such “additional” requirement does not exist. Requirements, mandates, and obligations do not materialize out of thin air. They must exist somewhere, in writing – in a rulebook, a statute, a regulatory code. If that writing does not exist, there is no training requirement.

Of course, the federal government frequently issues guidance in which it suggests training on a particular subject is a good idea, or “should” be implemented. “Should,” however, legally speaking, is a completely different word than “shall” or “must.” If a law or regulation reads, “training shall be provided,” or “training must be provided,” provision of the training is a required legal obligation. The language of “Training should be provided” does not impose a requirement. 

Sometimes, the government, when assessing whether an entity is in compliance with the law, may look at whether someone conducted training that “should be provided,” to assess whether an entity has made an attempt to comply with the law, or has taken measures to comply with the law. However, the failure to provide the “should” training in and of itself, standing alone, is not a violation of the law. 

Is Free HIPAA Training Required? If Not, Is It a Good Idea?

The HIPAA rules mandate training as follows:

  1. The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). Under this provision, a covered entity must train all members of its workforce on the policies and procedures with respect to protected health information (PHI). Under the rule, training must be provided to each new workforce member within a reasonable period of time after the person joins the workforce. Workforce members must also be trained if their functions are affected by a material change in a medical office’s HIPAA Privacy Rule policies and procedures.
  2. The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5). The Security Rule requires covered entities to implement a security awareness and training program for all workforce members.

Beyond these two requirements, neither the HIPAA statute, the HIPAA rules, nor any other law or regulation, requires “HIPAA training.” 

Therefore, covered entities and business associates should be on the lookout for companies offering “Free HIPAA Training.” Such companies, which purport to provide “comprehensive training on all aspects of HIPAA,” are claiming to offer a service which the law does not require a covered entity to use. In addition, many of these companies are implicitly (if not directly) representing that “comprehensive training on all aspects of HIPAA” is required by law, and that if a covered entity does not avail itself of such training, the covered entity is “violating HIPAA.” These representations are false.

In addition, unwary web surfers, when visiting these companies’ websites, may be particularly taken in by the use of the word “free” in “Free HIPAA Training.” “How,” the unsuspecting may ask, “can free training be bad, even if it is not required? At the end of the day, what’s the harm?”

The answer to these questions is simple: sites that purport to offer comprehensive free HIPAA training do not actually offer comprehensive free HIPAA training. Some of these sites’ “comprehensive free HIPAA training” consists of fairly short videos (under an hour in length). After the user watches the video, the user may be invited to download a “certificate of HIPAA compliance.”

The misinformation here is operating on three different levels.

First, some sites charge a fee for the user to download the “certificate.” The user is only informed that “free is not really free,” AFTER they’ve completed the training.

Second, there is no such thing as a “certificate of HIPAA compliance.” The federal government does not “award” such certificates, nor does it recognize a private entity’s “certificate” or “certification.”

Third, as a simple logistical matter, NO video lasting an hour or less can cover the entirety of the HIPAA law. It’s physically impossible. Even if it were physically possible, these companies offer no guarantee that their “comprehensive free HIPAA training” is completely up-to-date. Such a guarantee, as a practical matter, is pretty much worthless in any event. Unless these companies actually indemnify, in the event of a HIPAA fine, users who have relied on the “training” to those users’ detriment, the user has little to no legal recourse (except for maybe a refund of the “download” fee that the user didn’t know about when he or she signed up for the service). Even if, hypothetically, a user has a viable claim for false advertising against the company, which is the better option? Resorting to a (time- and dollar-expensive) lawsuit, or simply not purchasing the ineffective, not-really-comprehensive product? If the goal is to become HIPAA-compliant (and it is), a lawsuit will not achieve that goal.

What can covered entities do to become HIPAA-compliant?

Covered entities can work with Compliancy Group to achieve HIPAA compliance. Compliancy Group is the industry leader in HIPAA compliance software. Compliancy Group is composed of HIPAA experts, who will educate your staff as to all that is required of them under HIPAA law and regulation. We provide this education through our proprietary software, The Guard™. The Guard is Compliancy Group’s simple, cost-effective software that addresses every aspect of HIPAA compliance under the law. Our proprietary Achieve, Illustrate, and Maintain methodology, alongside support from your dedicated Compliance Coach, helps you satisfy the full extent of HIPAA, HITECH, and Omnibus regulations!