HIPAA Employee Training: Training Staff on HIPAA Security

May 5, 2020


Covered entities and business associates should make HIPAA security training for their employees a top priority. HIPAA-compliant security training should give employees a working understanding of the HIPAA Security Rule's principles and of sound data security practice. When a covered entity faces an audit or a penalty from the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) after a data breach, the explanation "I'm sorry; my employee just didn't know enough about data security" is not a valid excuse. Training staff is crucial.

What Should HIPAA Security Training Consist of?

The Administrative Safeguards standards of the HIPAA Security Rule (45 CFR 164.308) impose a training requirement on covered entities and business associates, and that training must include security training. Under 45 CFR 164.308(a)(5), each organization must "implement a security awareness and training program for all members of its workforce (including management)." The Rule does not prescribe a curriculum or specific training steps; it lists only four addressable implementation specifications that the program should cover: security reminders, protection from malicious software, log-in monitoring, and password management.

Fortunately, once you have satisfied another Security Rule requirement, conducting a security risk analysis (45 CFR 164.308(a)(1)(ii)(A)), you will have a clearer picture of what HIPAA security training is needed. As part of the risk analysis, the organization identifies the functions of each workforce member who may come into contact with PHI or ePHI.

This information about job functions should be incorporated into the security awareness and training program. The program should describe workforce members in terms of their roles and job functions, and state how (if at all) those functions involve PHI or ePHI.

The HIPAA training given to each workforce member depends on that member's role: the content should be relevant to the particular trainee. A billing clerk who handles claims data and a system administrator who manages the servers storing ePHI need different material.

Training content should also reflect the current regulatory and legal landscape. When a change in law or regulation affects an individual's job duties, that individual must be trained on the new requirements.

How Should HIPAA Training Cover the Issue of Employee Sanctions?

Security training should address the matter of employee sanctions. Sanctions are the disciplinary measures an employer takes against a workforce member who fails to comply with the organization's security policies and procedures or with a HIPAA rule; the Security Rule requires a sanction policy at 45 CFR 164.308(a)(1)(ii)(C).

Employees should be trained, as part of the overall training program, about sanctions: specifically, which rule violations will trigger sanctions, what kinds of sanctions may be imposed, and what factors the employer considers when applying them.

Sanctions may include, among other things, verbal warnings coupled with additional training, written warnings, and more serious measures such as suspension without pay, revocation of system or job privileges, demotion, or termination. Sanctions should be proportional to the violation and administered in a consistent, uniform fashion, and each sanction applied should be documented.

A covered entity should take various factors into account when deciding what sanction to administer. These factors can include:

  • The severity of the violation
  • The employee's past history (if any) of the same, similar, or other violations
  • The employee's supervisory level within the organization
  • Whether any mitigating factors or extenuating circumstances are present