HIPAA Training Requirements for a Small Practice
5 min read · Last reviewed May 22, 2026
Two training rules, two homes in the regulation
Small practices often think there is "the HIPAA training," singular. There are actually two parallel requirements.
- Privacy Rule training under 45 CFR 164.530(b)): the covered entity must train all members of its workforce on policies and procedures with respect to PHI, as necessary and appropriate for the workforce member to carry out their function. Training must occur within a reasonable period of time after a person joins the workforce, after a material change in policies, and for each member whose function is affected by a change.
- Security Rule training under 45 CFR 164.308(a)(5)(5)): the security awareness and training program is a standard with four implementation specifications (all addressable): security reminders, protection from malicious software, log-in monitoring, and password management.
The two are complementary. Privacy Rule training is about PHI use and disclosure; Security Rule training is about how ePHI gets protected on the practice's systems.
"Reasonable period of time" is the actual deadline
Neither rule says "30 days" or "90 days." The text says reasonable. OCR has not enforced a single fixed clock through published settlements, but in practice the defensible expectations are:
- New hire: train before the workforce member is allowed independent access to ePHI. For most practices this means before their first unsupervised day with the EHR open.
- Annual refresh: most practices use an annual cycle because it ties cleanly to other annual obligations and produces a clean documentation rhythm.
- Material change: training event after each major policy change, system migration, or vendor change that affects ePHI handling.
What the training should cover
A defensible training program covers, at minimum:
- The practice's specific Notice of Privacy Practices and how to deliver it under 164.520
- Minimum necessary and use/disclosure rules under 164.502
- Patient right of access under 164.524 and the right to amend under 164.526
- The practice's sanction policy and the consequences of violations under 164.530(e))
- Security awareness topics: phishing recognition, password hygiene, MFA, locked workstations, lost device reporting, removable media handling
- Incident reporting procedures under 164.308(a)(6)(6))
- Breach Notification Rule basics under 164.400 through 164.414
- The HHS Office for Civil Rights Cybersecurity Newsletter themes for the year
- Role-specific add-ons (front desk, biller, IT support, provider)
Most off-the-shelf training products cover the federal baseline. Practices still need to layer their own policies and procedures into the training so workforce members can follow them in practice.
Documentation is the whole point
45 CFR 164.530(j)) requires a covered entity to maintain training documentation for six years from the date of creation or the date last in effect, whichever is later. Equivalent retention for Security Rule policies is at 164.316(b)).
A defensible training log captures:
- Workforce member name and role
- Training topic and version
- Training date and delivery method
- Time spent (helpful for completeness review)
- Acknowledgment/signature of completion
- Linked sanction policy and reporting procedure version
The HHS Cybersecurity Newsletter on Security Reminders walks through what a "security reminder" implementation specification looks like at small-practice scale.
What recurring security reminders look like
Section 164.308(a)(5)(ii)(A)(5)(ii)(A)) asks for periodic security updates. Practical patterns:
- Monthly one-page security email to staff
- Quarterly phishing simulations with documented results
- Standing agenda item on the staff meeting
- Posted "what to do if you click a bad link" workflow on the staff intranet
- Annual practical exercise of the breach response procedure
What matters is that the practice writes down what was sent and when, so the program is auditable later.
Sanction policy is a separate-but-linked piece
Section 164.308(a)(1)(ii)(C)(1)(ii)(C)) and 164.530(e)) require a sanction policy and the application of appropriate sanctions. Training should explicitly walk staff through this policy. Documentation of actual sanctions imposed (even minor ones) is one of the elements OCR often asks to see during investigations.
Workforce changes and termination
Training overlap with the workforce security standard at 164.308(a)(3)(3)) — authorization, clearance, and termination procedures. When a workforce member leaves, the access termination procedure should be documented and executed promptly. Training should walk through who triggers offboarding and what the timing expectation is.
A realistic small-practice rhythm
- New-hire HIPAA training before first independent ePHI access, documented
- Annual full refresh on a fixed month (often January or the practice's fiscal new year)
- Material-change training event when a major system, vendor, or policy changes
- Monthly one-page security reminder
- Quarterly phishing simulation with results recorded
- Documented sanction policy with any imposed sanctions logged
- Six-year retention of all of the above
Restraint about claims
No training program, by itself, makes a practice compliant. Training is one of many administrative safeguards under the Security Rule. The point is to give workforce members the information and habits they need to handle PHI consistent with the practice's policies, and to keep a written record of having done so.
How D3rx fits
D3rx SRA Binder Studio captures the training cadence, training records, sanction policy, and security reminder log inside the binder, and links each section back to the underlying HHS, OCR, eCFR, and NIST sources. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance of every training session.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR 164.530(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(b
- 45 CFR 164.308(a)(5)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- 164.520https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
- 164.502https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
- 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- 164.526https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.526
- 164.530(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(e
- 164.400 through 164.414https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
- Cybersecurity Newsletterhttps://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
- 45 CFR 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
- 164.316(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b
- Cybersecurity Newsletter on Security Remindershttps://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter/index.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
HIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min readTechnical SafeguardsDoes HIPAA Require MFA? What the Security Rule Actually Says
5 min readAudits and EnforcementThe HIPAA Breach Notification Rule, Explained
6 min readFoundationsHIPAA Security Rule vs Privacy Rule: A Plain-English Map
5 min readRelated across the archive
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRADoes HIPAA Require MFA? What the Security Rule Actually SaysWhether multi-factor authentication is required by the HIPAA Security Rule, how 45 CFR 164.312(d) frames person or entity authentication, and how HHS guidance and the proposed Security Rule update push toward MFA in practice.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- BillingHIPAA Training Log Requirements for Small PracticesWhat HIPAA actually requires for workforce training, what your training log should contain, and how long to keep it. Built for small practices and office managers.