New Employee HIPAA Training Checklist

Determine workforce classification: employee, volunteer, trainee, or contractor/business associate. This determines whether a Business Associate Agreement (BAA) is required.

If contractor or vendor with PHI access: execute a Business Associate Agreement before any PHI is shared or system access is provisioned (45 C.F.R. § 164.502(e))

Conduct role-based access determination: what minimum PHI access does this role require to perform job functions? Apply the minimum necessary standard (§ 164.502(b)).

Configure system access controls: role-based permissions, unique user ID, audit logging enabled for this user's account

Run background check if required by your organization's policy (not a HIPAA requirement, but a common compliance best practice for roles with access to sensitive PHI)

Prepare a signed confidentiality agreement covering PHI obligations, sanctions for violations, and survival provisions after employment ends

Privacy Rule basics: what is PHI (any individually identifiable health information in any form), the 18 HIPAA identifiers, and what makes information 'de-identified'

Permitted uses and disclosures: treatment, payment, healthcare operations (TPO), and the situations requiring written patient authorization (§ 164.508)

Patient rights: access to records (§ 164.524), right to request amendments (§ 164.526), right to accounting of disclosures (§ 164.528), right to request restrictions (§ 164.522)

Security Rule basics: the three safeguard categories (administrative, physical, technical), why passwords matter, workstation security, mobile device policies

Breach reporting: what constitutes a breach, the employee's obligation to report suspected breaches IMMEDIATELY to the Privacy Officer or compliance department, and that failure to report is itself a sanctionable offense

Sanctions policy: review the organization's sanctions for HIPAA violations, including progressive discipline up to and including termination. HIPAA requires that sanctions be applied consistently (§ 164.530(e)).

Have the employee sign acknowledgment of HIPAA training completion with date and signature. Retain for 6 years.

System access training: how to use the EHR/EMR in a HIPAA-compliant manner, proper login/logout procedures, session timeout awareness, shared workstation protocols

Role-specific PHI handling: what PHI this role will encounter, where it is stored, how to transmit it securely, and what to do if PHI is received in error

Email and messaging: which platforms are approved for PHI communication, encryption requirements, prohibition on texting PHI via consumer messaging apps (iMessage, SMS, WhatsApp) unless an approved secure messaging system is used

Physical safeguards training: clean desk policy, locking workstations, secure printing (pull-printing), proper disposal of paper PHI (shredding, locked bins), visitor escort policies in PHI areas

Mobile device and remote work: VPN requirements, prohibition on storing PHI on personal devices (unless MDM is installed), screen lock requirements, lost/stolen device reporting procedures

Social media policy: never post photos of patients, patient charts, or any content from which a patient could be identified. This includes 'anonymous' stories that contain enough detail for identification.

Verify the employee can correctly identify PHI in their daily workflow and knows the reporting chain for suspected incidents

Conduct annual HIPAA refresher training for all workforce members (HIPAA requires training at 'periodic' intervals; annual is the industry standard and OCR expectation)

Update training content to reflect new regulations, OCR enforcement actions, and organizational policy changes from the past year

Include real breach examples from OCR enforcement (use the HHS Breach Portal and OCR resolution agreements as case studies)

Review the organization's Notice of Privacy Practices and any changes made in the past year

Test comprehension: use quizzes, scenario-based questions, or tabletop exercises rather than passive slide reviews

Address emerging threats: current-year phishing trends, social engineering attacks, AI-generated deepfake risks to authentication, and ransomware targeting healthcare organizations

After any breach or security incident: conduct targeted training for the affected department on what happened and how to prevent recurrence

After policy changes: train affected workforce members on the new policy before the effective date, not after

After system changes: if EHR, email, or communication platforms change, provide HIPAA-specific training on the new system before go-live

Phishing simulation: conduct periodic (quarterly recommended) simulated phishing exercises and provide immediate feedback training to employees who click

After an OCR investigation or audit: train leadership and compliance team on findings and corrective action requirements

Document all incident-specific training: date, attendees, content covered, instructor. Retain for 6 years.

Maintain training records for every workforce member: date of training, content covered, format (in-person, online, targeted), comprehension verification method, and signed acknowledgment

Retain all training documentation for a minimum of 6 years from date of creation or last effective date, whichever is later (§ 164.530(j)(2))

Track training completion rates by department. Target 100%. OCR will ask for completion metrics during an investigation.

Maintain a training curriculum document that shows what content is covered at each stage (pre-employment, Day 1, 30-day, annual, incident-specific) and when it was last updated

Conduct periodic audits: pull random workforce member files and verify training documentation is complete, current, and signed

Integrate training compliance into performance reviews: make HIPAA training completion a condition of annual review and system access renewal

Prepare a 'training at a glance' summary that can be produced within 48 hours if OCR requests it during an investigation