Annual HIPAA Training Curriculum (What to Cover + How to Document)
10 min read · Last reviewed May 23, 2026
An annual HIPAA training curriculum is the workforce-training program a covered entity runs each year to satisfy the Privacy Rule training requirement at 45 CFR § 164.530(b) and the Security Rule awareness-and-training requirement at 45 CFR § 164.308(a)(5). It covers privacy, security, breach reporting, sanctions, and role-specific topics, documented per workforce member.
What HIPAA actually requires
Two CFR provisions ground the training program. 45 CFR § 164.530(b) (the Privacy Rule) requires a covered entity to train all members of its workforce on the policies and procedures with respect to PHI, as necessary and appropriate for them to carry out their functions. Training is required within a reasonable period of time after hire and within a reasonable period of time after a material change in policies. 45 CFR § 164.308(a)(5) (the Security Rule) requires a security awareness and training program with four addressable implementation specifications: periodic security reminders, protection from malicious software, log-in monitoring, and password management.
Documentation lives at § 164.530(j)(2) and § 164.316(b)(2)(i) — six-year retention, written, available for OCR review.
The HHS OCR Cybersecurity Newsletter, the HICP / 405(d) program, NIST SP 800-66 Rev. 2, and the CMS Medicare Learning Network (MLN) are the federally-sourced curriculum aids. Most state laws layer on top: Texas HB 300 (Tex. Health & Safety Code Chapter 181) requires biennial training within 90 days of hire; California CMIA expects training but does not specify a cadence; New York SHIELD does not name a cadence but requires an information-security program.
Curriculum modules — eight required topics
The eight modules below are the version we ship in client binders. The total runtime for the live annual delivery is 60-90 minutes. Each module has a topic, a learning objective, a regulatory anchor, and a competency check.
Module 1 — Privacy Rule basics (10 min)
Objective. The workforce can name the Notice of Privacy Practices, identify the Privacy Officer, and describe the minimum-necessary standard.
Anchors. 45 CFR § 164.502 (uses and disclosures); § 164.520 (NPP); minimum-necessary at § 164.514(d).
Competency check. Identify three permitted disclosures without authorization and three that require written authorization.
Module 2 — Security Rule basics and ePHI (10 min)
Objective. The workforce can identify ePHI on practice systems, describe administrative/physical/technical safeguards, and name the Security Officer.
Anchors. 45 CFR §§ 164.308 (administrative), 164.310 (physical), 164.312 (technical).
Competency check. Name the practice's Security Officer; identify five systems the workforce member touches that hold ePHI.
Module 3 — Phishing, social engineering, and password hygiene (15 min)
Objective. The workforce can identify a phishing email, knows not to share credentials, and uses MFA on every ePHI-bearing system.
Anchors. § 164.308(a)(5)(ii)(B) (malicious software); HHS Cybersecurity Newsletter phishing editions; HICP 405(d) baseline practices.
Competency check. Identify the three highest-risk indicators in a sample phishing email; describe the MFA enrollment process for the EHR and email.
Module 4 — Patient rights (10 min)
Objective. The workforce can correctly route a patient request for access, amendment, accounting of disclosures, or restriction.
Anchors. § 164.524 (access), § 164.526 (amendment), § 164.528 (accounting), § 164.522 (restrictions and confidential communications).
Competency check. Describe how a same-day patient request for a copy of their chart is routed and the timeline (generally 30 days under § 164.524(b)(2)).
Module 5 — Breach reporting and sanctions (10 min)
Objective. The workforce can recognize a security incident, knows the 24-hour internal reporting expectation, and understands the sanction policy.
Anchors. § 164.308(a)(6) (incidents); § 164.402 (breach definition); § 164.404 (individual notice); § 164.308(a)(1)(ii)(C) and § 164.530(e) (sanctions). See the HIPAA workforce sanction policy template.
Competency check. Identify the practice's incident contact and the deadline for reporting a discovered incident internally; identify a conduct example for each of the four sanction levels.
Module 6 — Reproductive health information protections and Notice of Privacy Practices update (5 min) — new for 2026
Objective. The workforce understands the current status of the 2024 reproductive-health rule and the Notice of Privacy Practices (NPP) modifications that survived court review. Train staff to flag any reproductive-health-related disclosure request to the Privacy Officer and to use the updated NPP at intake.
Status note. On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated most provisions of the 2024 HIPAA Privacy Rule to support reproductive health care privacy, including the 45 CFR § 164.509 attestation requirement. HHS has confirmed (see the HHS reproductive health page) that the attestation requirement is no longer in effect; do not train as if § 164.509 attestation is mandatory unless the rule is reinstated on appeal.
Anchors that survived. The Notice of Privacy Practices modifications under 45 CFR § 164.520 (Substance Use Disorder and other surviving NPP changes) carry a February 16, 2026 compliance date. The practice's NPP must be updated and posted by that date.
Competency check. Describe what to do when a non-treatment, non-payment, non-operations request relating to reproductive health care arrives at the front desk; identify the practice's most current NPP version and where it is posted.
Module 7 — Role-specific: billing and coding integrity (10 min, billing roles only)
Objective. Billing staff can identify the practice's coding-review cadence, the overpayment workflow, and the OIG Self-Disclosure Protocol.
Anchors. 42 USC § 1320a-7k(d) (60-day overpayment); OIG Self-Disclosure Protocol; CMS Pub. 100-08 (Program Integrity Manual).
Competency check. Describe what happens when a billing error is identified on a paid Medicare claim from 90 days ago.
Module 8 — Role-specific: clinical workflow (10 min, clinical roles only)
Objective. Clinical staff understand chart-snooping prohibitions, telehealth consent, social-media restrictions, and the documentation expectations attached to billing.
Anchors. Workforce sanction policy (Module 5); telehealth consent under state law; § 164.530(e).
Competency check. Describe what to do if a clinical staff member's family member is checked in as a patient.
Documentation template — training log
The format below maps to § 164.316(b) and § 164.530(j) retention expectations.
| Workforce member | Role | Hire date | Initial training (date) | Annual refresher (date) | Modules completed | Score / pass | Reviewer | Next due | | --- | --- | --- | --- | --- | --- | --- | --- | --- | | Jane Doe | MA | 2024-03-15 | 2024-04-02 | 2026-04-10 | 1-6, 8 | 92% / pass | M. Garcia (Privacy Officer) | 2027-04-10 | | John Smith | Biller | 2023-11-01 | 2023-12-04 | 2026-04-10 | 1-7 | 88% / pass | M. Garcia (Privacy Officer) | 2027-04-10 |
The log is filed in the compliance binder and updated within 7 days of each completion. A workforce member without a current row is, by definition, out of compliance.
How to deploy
The deployment sequence we use with new clients: schedule the annual training as a single 90-minute calendar block for the entire workforce (or two blocks if clinical coverage requires); use a deck that walks the eight modules in order; capture sign-in evidence (paper or LMS); follow with a short post-training quiz (10 questions, 80% pass); update the training log within seven days; deliver role-specific modules to billing and clinical staff in a separate 30-minute block; archive the deck, sign-in sheet, quiz, and log in the binder.
For new hires: within 30 days of start, the new workforce member completes initial training. The hire date and training date both appear in the log. The new hire signs the Code of Conduct, the workforce sanction policy acknowledgement, and (for billing roles) the OIG exclusion-screening attestation on the same day as the training.
Common gaps
What we see fail in practice is the same five things:
- Training happened; no evidence exists. No sign-in sheet, no LMS report, no copy of the deck. OCR cannot tell training occurred.
- The practice owner is missing from the log. The owner is a workforce member and must appear.
- No role-specific modules. Generic privacy training is delivered to billing staff; the 60-day overpayment rule and exclusion screening are never covered.
- Stale modules. The 2026 NPP update tied to the surviving portions of the reproductive-health rule (compliance date February 16, 2026) is missing or still trains § 164.509 attestation as mandatory after the June 18, 2025 N.D. Tex. vacatur; the deck still references pre-Omnibus terminology.
- No competency check. Attendance ≠ comprehension. A short post-training quiz with a recorded score is the difference between a present workforce and a trained one.
Maintenance cadence
Annual refresher for every workforce member; initial training within 30 days for new hires; material-change training within a reasonable period after any policy change; quarterly security reminders to the workforce (email, posted notice, or all-hands minute on huddle) to satisfy § 164.308(a)(5)(ii)(A); six-year retention of all evidence per § 164.316(b)(2)(i).
A program with a current curriculum, dated completion records for every active workforce member (including owners), and a quarterly reminder cadence is the program that answers OCR's training audit element in a single page.
How d3rx fits
The d3rx compliance binder generates the eight-module curriculum, the role-specific add-ons, the training log template, the competency quiz, and the quarterly reminder bank, with citations to § 164.530(b), § 164.308(a)(5), and the 2026 reproductive-health overlay inline. The practice's Privacy and Security Officers remain responsible for delivering, scoring, and documenting the training.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Annual HIPAA Training Curriculum (What to Cover + How to Document). We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does HIPAA say 'annual' training?
Not in those words. [45 CFR § 164.530(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530) (Privacy Rule) requires training of every workforce member within a reasonable period of time after hire and within a reasonable period of time after material changes to policies. [45 CFR § 164.308(a)(5)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308) (Security Rule) requires a security awareness and training program, with periodic security reminders. Annual training is the industry interpretation of 'periodic' and is what OCR auditors expect. Many state laws (e.g., Texas HB 300, which requires biennial training within 90 days of hire) lay out an explicit cadence.
How long does training need to be?
HIPAA does not specify. In practice, 60-90 minutes for the annual refresher and 90-120 minutes for the initial hire training covers the curriculum below in a single session. The duration is less important than the topics covered and the documentation kept.
Can training be self-paced video instead of live?
Yes. OCR has not specified a delivery modality. What OCR asks for is evidence: completion records per workforce member, dates, topics covered, and (for higher-risk roles) competency confirmation. A learning-management-system completion report is acceptable and often easier to retain than sign-in sheets from a live session.
Do business associates need to train their workforce too?
Yes. [45 CFR § 164.308(a)(5)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308) applies to covered entities and business associates. A business associate that touches PHI must run its own security awareness and training program. The covered entity's Business Associate Agreement should reference this — see [our BAA list for small practices](/sra-guides/baa-vendor-list-small-practice).
Does the practice owner need to take the training?
Yes. Workforce at [45 CFR § 160.103](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103) includes employees, owners, contractors, volunteers, and trainees. The practice owner is a workforce member. A documented completion record for the owner is one of the easiest credibility wins on an OCR audit.
How long do training records need to be kept?
Six years from the date of creation or the date the record was last in effect, whichever is later, per [45 CFR § 164.316(b)(2)(i)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316) (Security Rule) and [§ 164.530(j)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530) (Privacy Rule). Most practices retain training records indefinitely because storage cost is trivial.
Does Section 1557 add training requirements on top of HIPAA?
OCR's 2024 final rule under Section 1557 of the Affordable Care Act adds nondiscrimination, language-access, and accessibility training expectations for covered providers receiving federal financial assistance. Many practices fold a short Section 1557 module into the annual HIPAA training session so the workforce gets the federal nondiscrimination curriculum in a single sitting.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.530(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- 45 CFR § 164.308(a)(5)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- § 164.316(b)(2)(i)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
- HHS OCR Cybersecurity Newsletterhttps://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter/index.html
- HICP / 405(d) programhttps://405d.hhs.gov/
- NIST SP 800-66 Rev. 2https://csrc.nist.gov/pubs/sp/800/66/r2/final
- CMS Medicare Learning Network (MLN)https://www.cms.gov/training-education/medicare-learning-network
- Tex. Health & Safety Code Chapter 181https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm
- 45 CFR § 164.502https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
- § 164.520https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
- § 164.514(d)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.514
- 164.310https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
- 164.312https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
- § 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- § 164.526https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.526
- § 164.528https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.528
- § 164.522https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.522
- § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.402
- § 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.404
- 45 CFR § 164.509https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.509
- HHS reproductive health pagehttps://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/index.html
- OIG Self-Disclosure Protocolhttps://oig.hhs.gov/compliance/self-disclosure-info/
- CMS Pub. 100-08 (Program Integrity Manual)https://www.cms.gov/regulations-and-guidance/guidance/manuals/internet-only-manuals-ioms-items/cms019033
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- ComplianceHIPAA Security Officer: Required Duties + Job Description TemplateRequired duties under 45 CFR 164.308(a)(2), a copy-ready 2026 HIPAA Security Officer job description, and what we see fail in practice.
- ComplianceHIPAA Workforce Sanction Policy — Template (45 CFR 164.308(a)(1)(ii)(C))A 2026 HIPAA workforce sanction policy template — required by 45 CFR 164.308(a)(1)(ii)(C), with a four-tier discipline matrix and documented application examples.
- ComplianceNotice of Privacy Practices (NPP) Template — 2026A 2026 Notice of Privacy Practices template aligned to 45 CFR 164.520, with every required header, the post-Dobbs reproductive-health content, and CMIA/HB 300 carveouts.
- SRAHIPAA Training Requirements for a Small PracticeWhat 45 CFR 164.530(b) and 164.308(a)(5) require for HIPAA workforce training, plus a realistic cadence and documentation approach for a small practice.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.