Workforce and Training

HIPAA Training Requirements for a Small Practice

5 min read · Last reviewed May 22, 2026

Two training rules, two homes in the regulation

Small practices often think there is "the HIPAA training," singular. There are actually two parallel requirements.

  • Privacy Rule training under 45 CFR 164.530(b)): the covered entity must train all members of its workforce on policies and procedures with respect to PHI, as necessary and appropriate for the workforce member to carry out their function. Training must occur within a reasonable period of time after a person joins the workforce, after a material change in policies, and for each member whose function is affected by a change.
  • Security Rule training under 45 CFR 164.308(a)(5)(5)): the security awareness and training program is a standard with four implementation specifications (all addressable): security reminders, protection from malicious software, log-in monitoring, and password management.

The two are complementary. Privacy Rule training is about PHI use and disclosure; Security Rule training is about how ePHI gets protected on the practice's systems.

"Reasonable period of time" is the actual deadline

Neither rule says "30 days" or "90 days." The text says reasonable. OCR has not enforced a single fixed clock through published settlements, but in practice the defensible expectations are:

  • New hire: train before the workforce member is allowed independent access to ePHI. For most practices this means before their first unsupervised day with the EHR open.
  • Annual refresh: most practices use an annual cycle because it ties cleanly to other annual obligations and produces a clean documentation rhythm.
  • Material change: training event after each major policy change, system migration, or vendor change that affects ePHI handling.

What the training should cover

A defensible training program covers, at minimum:

Most off-the-shelf training products cover the federal baseline. Practices still need to layer their own policies and procedures into the training so workforce members can follow them in practice.

Documentation is the whole point

45 CFR 164.530(j)) requires a covered entity to maintain training documentation for six years from the date of creation or the date last in effect, whichever is later. Equivalent retention for Security Rule policies is at 164.316(b)).

A defensible training log captures:

  • Workforce member name and role
  • Training topic and version
  • Training date and delivery method
  • Time spent (helpful for completeness review)
  • Acknowledgment/signature of completion
  • Linked sanction policy and reporting procedure version

The HHS Cybersecurity Newsletter on Security Reminders walks through what a "security reminder" implementation specification looks like at small-practice scale.

What recurring security reminders look like

Section 164.308(a)(5)(ii)(A)(5)(ii)(A)) asks for periodic security updates. Practical patterns:

  • Monthly one-page security email to staff
  • Quarterly phishing simulations with documented results
  • Standing agenda item on the staff meeting
  • Posted "what to do if you click a bad link" workflow on the staff intranet
  • Annual practical exercise of the breach response procedure

What matters is that the practice writes down what was sent and when, so the program is auditable later.

Sanction policy is a separate-but-linked piece

Section 164.308(a)(1)(ii)(C)(1)(ii)(C)) and 164.530(e)) require a sanction policy and the application of appropriate sanctions. Training should explicitly walk staff through this policy. Documentation of actual sanctions imposed (even minor ones) is one of the elements OCR often asks to see during investigations.

Workforce changes and termination

Training overlap with the workforce security standard at 164.308(a)(3)(3)) — authorization, clearance, and termination procedures. When a workforce member leaves, the access termination procedure should be documented and executed promptly. Training should walk through who triggers offboarding and what the timing expectation is.

A realistic small-practice rhythm

  • New-hire HIPAA training before first independent ePHI access, documented
  • Annual full refresh on a fixed month (often January or the practice's fiscal new year)
  • Material-change training event when a major system, vendor, or policy changes
  • Monthly one-page security reminder
  • Quarterly phishing simulation with results recorded
  • Documented sanction policy with any imposed sanctions logged
  • Six-year retention of all of the above

Restraint about claims

No training program, by itself, makes a practice compliant. Training is one of many administrative safeguards under the Security Rule. The point is to give workforce members the information and habits they need to handle PHI consistent with the practice's policies, and to keep a written record of having done so.

How D3rx fits

D3rx SRA Binder Studio captures the training cadence, training records, sanction policy, and security reminder log inside the binder, and links each section back to the underlying HHS, OCR, eCFR, and NIST sources. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance of every training session.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR 164.530(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(b
  2. 45 CFR 164.308(a)(5)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
  3. 164.520https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
  4. 164.502https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
  5. 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
  6. 164.526https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.526
  7. 164.530(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(e
  8. 164.400 through 164.414https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
  9. Cybersecurity Newsletterhttps://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
  10. 45 CFR 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
  11. 164.316(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b
  12. Cybersecurity Newsletter on Security Remindershttps://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter/index.html

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides