HIPAA and CITI Training: Requirements, Modules, and How to Enroll


Kevin Henry

June 09, 2025


CITI Training Overview

CITI training provides standardized education in Human Subjects Protection, Research Ethics, and Clinical Research Compliance. Most institutions and their Institutional Review Board (IRB) require it before you conduct research with people, identifiable data, or biospecimens.

The curriculum is modular and role-based. Common tracks include Human Subjects Research (HSR) for biomedical and social/behavioral studies, Good Clinical Practice (GCP) for clinical trials, Responsible Conduct of Research (RCR), and Conflicts of Interest (COI). Each module ends with a short quiz that contributes to your training certification.

You learn at your own pace and can pause and resume anytime. Typical first-time CITI learners complete the basic HSR course in two to six hours, depending on assigned electives and prior experience.

HIPAA Training Overview

HIPAA training focuses on Information Privacy and Security standards for protected health information (PHI). In a research context, it explains the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and how these intersect with IRB oversight when PHI is used or disclosed for studies.

You cover PHI definitions, the minimum necessary standard, permitted uses and disclosures, authorizations and waivers, de-identification approaches, and required administrative, physical, and technical safeguards. Mastering these topics shows you understand Data Protection Requirements when handling medical records, EHR data, or limited data sets.

Depending on your institution, HIPAA training may be assigned inside the CITI Program or through your organization’s learning management system. Your IRB or research office will tell you which path to follow.

Enrollment Process

  1. Confirm requirements with your IRB or research office. Identify your learner group and whether HIPAA modules are in CITI or your institution’s LMS.
  2. Create or sign in to your CITI account, then affiliate with your institution using your institutional email so the correct course options appear.
  3. Select required courses: Human Subjects Research (Biomedical or Social/Behavioral), GCP if you work on clinical trials, and any assigned HIPAA/Information Privacy and Security modules.
  4. Answer the enrollment questions to auto-enroll in the correct modules. Add electives your protocol, sponsor, or department requires.
  5. Complete each module and quiz. You can return later if needed; progress is saved until all requirements show as complete.
  6. Download your completion report or training certification and submit it to your PI, study coordinator, or IRB tracking system.

If you move institutions, add a new affiliation in CITI and transfer eligible completions. Some organizations may still require a refresher tailored to local policies.

Required Modules

CITI core modules (examples)

  • History and Ethical Principles (Belmont Report) and foundations of Human Subjects Protection.
  • Regulatory definitions of research and human subjects; IRB categories of review and investigator responsibilities.
  • Informed consent process, documentation, and culturally responsive communication.
  • Privacy and confidentiality, data management, and secure handling of identifiable information.
  • Research with vulnerable populations (children, prisoners, pregnant people) and additional safeguards.
  • Records-based and secondary research, de-identification versus coded data, and data sharing.
  • Good Clinical Practice (for clinical trials), including protocol compliance, safety reporting, and data integrity.
  • Responsible Conduct of Research and Conflicts of Interest where required.

HIPAA core modules (examples)

  • HIPAA Privacy Rule basics, covered entities, business associates, and research-specific provisions.
  • PHI identifiers, de-identification (Safe Harbor and expert determination), and limited data sets with data use agreements.
  • Minimum necessary access, role-based permissions, and permitted uses and disclosures for research.
  • Security Rule safeguards: passwords, encryption, device security, and secure data transfer/storage.
  • Breach identification, reporting timelines, and incident response procedures.
  • Common research scenarios: recruitment, preparatory-to-research reviews, and IRB waivers of authorization.

Completion Requirements

To earn a training certification, you must complete all required modules for your assigned course and meet your institution’s passing threshold. Most organizations set the passing score at or above 80% either per module or in aggregate, and many allow quiz retakes with the highest score retained.

Plan for two to six hours for the CITI HSR basic course and one to two hours for HIPAA modules, depending on electives and your familiarity with the material. Some roles or sponsors may add modules that increase total time.

After completing all requirements, download the official completion report or certificate and submit it as directed. Keep a personal copy for future audits or sponsor requests.

Certification Validity

Validity periods are set by your institution, IRB, or sponsor. Common practice is renewal every three years for CITI Human Subjects Research and Good Clinical Practice, often through shorter refresher modules. Some sponsors or departments may require more frequent GCP refreshers.

HIPAA training frequency varies by policy and job duties; many organizations require annual or biennial refreshers to maintain Information Privacy and Security readiness. Always follow your local Data Protection Requirements and monitor your expiration dates.

Documentation and Support

Download and store your CITI completion report and any HIPAA certificates in your study eBinder or personnel file. Share them with your PI or coordinator and upload them to your IRB or compliance system to keep records current.

For course access, module assignment, or policy questions, contact your IRB or research education office. For account issues, duplicate profiles, or affiliation changes, use your institution’s training support channel or the CITI help resources. Document name changes and keep your institutional email up to date so your records remain traceable.

Conclusion

By completing HIPAA and CITI training, you demonstrate competency in Research Ethics, Human Subjects Protection, and Information Privacy and Security. Enroll through your institution, finish the required modules, meet the passing score, and keep certifications current to maintain seamless clinical research compliance.

FAQs

What are the core modules in HIPAA and CITI training?

CITI typically includes Human Subjects Protection foundations, informed consent, privacy/confidentiality, IRB review, and role-specific content such as GCP, RCR, or COI. HIPAA covers the Privacy Rule, Security Rule, PHI identifiers, minimum necessary, de-identification, permitted uses and disclosures, safeguards, and breach response.

How long is the CITI training certification valid?

Validity is institution-specific, but a three-year renewal cycle is common for Human Subjects Research and Good Clinical Practice. Your IRB or sponsor may set a different interval, so always follow local policy.

How do I enroll in HIPAA and CITI training?

Check with your IRB or research office for the correct courses, create or sign in to CITI and affiliate with your institution, select the required learner group and modules, complete the coursework, then download and submit your certificate. If HIPAA is assigned in your LMS, follow those enrollment steps instead.

What is the required passing score for completion?

Most institutions require at least an 80% passing score, either per module or as an overall average. Many systems allow quiz retakes and record your highest score, but you should verify the exact threshold in your local policy.
