How Should You Promote HIPAA Awareness in Your Organization?

by Patrick Kennedy | Feb 3, 2021

Every HIPAA-covered entity must conduct HIPAA training on an ongoing basis to ensure that all employees know what they must do to avoid causing a HIPAA breach. Equally important as conducting the training is choosing the best time to do so.

There is an obligation on HIPAA-covered entities, business associates and subcontractors to provide their staff with HIPAA training, ideally prior to being allowed to access PHI. The training provided must cover the permissible uses and sharing of PHI, patient privacy, data security, job-specific data, internal policies covering privacy & security, and HIPAA best practices.

If employees are not provided with training, they will not be aware of their responsibilities, and HIPAA violations are much more likely to take place, leading to penalties for HIPAA violations. Of course, any time there is a change or update to HIPAA, additional training will be required.

The HIPAA Privacy Rule administrative requirements, outlined in 45 CFR § 164.530, state that all employees must receive training on the HIPAA Rules and on the policies and procedures relating to PHI. Training should be conducted, as appropriate, to permit employees to complete their work duties and functions within the covered entity. One training program therefore does not work for every group. The Privacy Rule requires training to be provided for all new employees “within a reasonable timeframe”.

The HIPAA standard 45 CFR § 164.308(a)(5) covers two types of training – job-specific training and security awareness training – neither of which can be a one-time event.

While it is wise to conduct training with new members of staff at the beginning of an employment contract, this is only the starting point. Ongoing training is vital so that employees do not forget their responsibilities. It will also, in the event of a breach occurring, show that you were doing everything possible to prevent a breach from taking place.

HIPAA legislation does not outright state how regularly refresher training should be conducted. The only stipulation is that it takes place ‘regularly.’ Most advice issued in relation to this recommends that it be conducted annually.

In tandem with conducting training for HIPAA compliance and security awareness, it is a good idea to back this up by promoting HIPAA awareness within your organization on an ongoing basis. While formal training sessions can be conducted on an annual basis, newsletters, email bulletins, posters, and quizzes can all help to raise and maintain awareness of the HIPAA Rules. This can be particularly effective when it comes to security awareness training.

It is good practice to provide security awareness training twice per year and to issue cybersecurity reminders every month. When a new threat presents itself, you should inform your staff as soon as you can. These measures work even better when combined with yearly refresher training sessions and with retraining on the HIPAA Rules after any privacy or security violation and after a data breach.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: