HIPAA Training Requirements: Are Students and Interns Considered Workforce Members?
Definition of Workforce Members
Under the HIPAA Privacy Rule, a “workforce member” includes any employee, volunteer, trainee, or other person whose conduct, in performing work for a covered entity or business associate, is under that entity’s direct control—whether or not the person is paid. The definition focuses on control and assigned duties, not job title or payroll status.
This breadth ensures Covered Entity Compliance applies uniformly to people who can influence how Protected Health Information (PHI) is accessed, used, or disclosed. If someone follows your policies, uses your systems, or acts under your supervision, HIPAA treats them as part of your workforce for training and accountability purposes.
What “direct control” looks like
- You assign or approve their work location, schedule, or tasks.
- They use your EHR, devices, badges, or email to handle PHI or ePHI.
- They must follow your privacy, security, and sanction policies.
- Your managers or preceptors supervise and evaluate their performance.
Inclusion of Students and Interns
Students and interns are typically workforce members when they perform duties under your supervision, including clinical rotations, administrative internships, and research placements that involve PHI or ePHI. Their status does not depend on payment or on their school’s payroll; it turns on your control while they are on assignment with you.
During rotations or internships, these trainees operate under your policies and your Role-Based Access Control, so they fall within HIPAA’s workforce scope. They are not business associates of the covered entity merely by virtue of being students; they function as part of your workforce when you direct their work.
Common scenarios
- Clinical rotations with patient contact and EHR access: treat as workforce; restrict access to the minimum necessary.
- Administrative internships (e.g., scheduling, billing): workforce; ensure they handle PHI only as their role requires.
- Research practicums using PHI: workforce; layer HIPAA research requirements (e.g., authorizations, data use agreements) as applicable.
- Remote or telehealth training: still workforce if they access ePHI through your systems.
Training Obligations for Students and Interns
HIPAA Training Requirements apply to all workforce members. Students and interns must receive Privacy Rule training on your policies and procedures relevant to their functions, and Security Rule education through a security awareness and training program. Provide training before or at the start of their assignment and prior to any PHI access.
Refresh training when roles change or when your policies materially change. While HIPAA does not mandate a specific annual cadence, most organizations implement annual privacy and periodic security updates as best practice.
Core topics to cover
- What counts as Protected Health Information and the “minimum necessary” standard.
- Role-Based Access Control, least privilege, and no “curiosity” access.
- Using the EHR properly; screen privacy, workstation security, and clean desk rules.
- Security awareness: passwords and MFA, phishing, encryption, secure messaging, mobile and removable media, and physical safeguards.
- Permissible uses/disclosures, de-identification, and avoiding social media disclosures.
- Incident reporting, breach escalation, and sanctions for violations.
- Signing and honoring Confidentiality Agreements and acknowledging policies.
Documentation and Compliance
Workforce Training Documentation is essential to demonstrate Covered Entity Compliance. Keep records showing who was trained, when, on what content, and how competency was assessed. Maintain signed acknowledgments of policies and Confidentiality Agreements, plus evidence of access provisioning and termination.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Minimum documentation to retain
- Rosters with trainee identity, role, preceptor, and training dates.
- Curriculum or modules completed, scores, and attestations.
- Signed privacy, security, and confidentiality acknowledgments.
- Access provisioning logs (RBAC assignment) and deprovisioning upon departure.
- Records of remedial training, incidents, and sanctions if applicable.
- Retention for at least six years, or longer if your policy requires.
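As an added illustration (not code from the article and not Accountable's own tooling), the Python below cross-checks three constructed record sets a covered entity would keep for trainees: training completions, PHI access provisioning/deprovisioning, and assignment end dates. It flags the gaps an auditor reviewing these records would look for: a required module never completed, access granted before the last required module was finished, and access still active or revoked late after the trainee departed. It also computes the six-year retention date for a record. All user ids, roles, module names and dates are hypothetical sample data.

```python
"""Audit trainee PHI access against training and departure records.

Added example with constructed sample data; identifiers, roles and
module names are hypothetical and not taken from the article.
"""
from datetime import date

# Privacy Rule policy training plus Security Rule awareness, both required
# before PHI/ePHI access is provisioned (assumed module names).
REQUIRED_MODULES = ("privacy", "security")
RETENTION_YEARS = 6  # retention period named in the article

# Constructed training-completion records: user -> module -> completion date.
TRAINING = {
    "intern01": {"privacy": date(2024, 6, 3), "security": date(2024, 6, 3)},
    "intern02": {"privacy": date(2024, 6, 10)},  # security module never completed
    "intern03": {"privacy": date(2024, 6, 3), "security": date(2024, 6, 5)},
}

# Constructed access-provisioning records. "revoked" is None while access is
# still active; "departed" is the last day of the rotation or internship.
ACCESS = [
    {"user": "intern01", "role": "clinical-student", "granted": date(2024, 6, 4),
     "revoked": date(2024, 8, 30), "departed": date(2024, 8, 30)},
    {"user": "intern02", "role": "billing-intern", "granted": date(2024, 6, 10),
     "revoked": None, "departed": date(2024, 8, 30)},
    {"user": "intern03", "role": "research-trainee", "granted": date(2024, 6, 3),
     "revoked": date(2024, 9, 15), "departed": date(2024, 8, 30)},
]


def training_complete_on(user, training=TRAINING):
    """Date the user finished every required module, or None if any is missing."""
    done = training.get(user, {})
    if any(module not in done for module in REQUIRED_MODULES):
        return None
    return max(done[module] for module in REQUIRED_MODULES)


def audit(access=ACCESS, training=TRAINING, as_of=date(2024, 10, 1)):
    """Return findings keyed by check name; each value lists the affected user ids."""
    findings = {"missing_training": [], "access_before_training": [], "stale_access": []}
    for rec in access:
        user = rec["user"]
        trained = training_complete_on(user, training)
        if trained is None:
            findings["missing_training"].append(user)
        elif rec["granted"] < trained:
            # Provisioned before the last required module was completed.
            findings["access_before_training"].append(user)
        # Access must end no later than the assignment: still-open access or a
        # revocation dated after departure is a deprovisioning gap.
        departed = rec["departed"]
        if departed <= as_of and (rec["revoked"] is None or rec["revoked"] > departed):
            findings["stale_access"].append(user)
    return findings


def retain_until(record_date, years=RETENTION_YEARS):
    """Earliest date a training/access record may be discarded (policy may extend it).

    Accepts a date or an ISO-8601 string; a Feb 29 record date rolls to Feb 28
    when the target year is not a leap year.
    """
    if isinstance(record_date, str):
        record_date = date.fromisoformat(record_date)
    try:
        return record_date.replace(year=record_date.year + years)
    except ValueError:
        return record_date.replace(year=record_date.year + years, day=28)


if __name__ == "__main__":
    for check, users in audit().items():
        print(f"{check}: {', '.join(users) or 'none'}")
    print("retain intern01 record until", retain_until("2024-06-03"))
```

Run stand-alone it reports intern02 (security module missing, access never revoked) and intern03 (access granted two days before training finished, revoked two weeks after departure), which is the kind of evidence a reviewer expects the provisioning logs and training rosters to be able to support or refute.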
Role-Based HIPAA Training
Effective programs tailor content by role. Role-Based HIPAA Training applies least privilege and Role-Based Access Control to ensure each trainee learns the safeguards they actually use. This improves comprehension and reduces risk while meeting the HIPAA Security Rule’s “awareness and training” expectations.
Examples by role
- Clinical students/interns: bedside privacy, minimum necessary, safe EHR workflows, verbal disclosures, and patient communication.
- Administrative interns: release-of-information basics, accurate mailing/faxing, printing safeguards, and visitor handling.
- IT interns: account management, secure configuration, monitoring, and avoiding access to PHI outside assigned tasks.
- Research trainees: authorizations/waivers, limited data sets, data use agreements, and secure storage/dissemination of data.
Policies Applicable to Workforce Members
Orient students and interns to the same policies that apply to your staff. Provide concise, accessible procedures and require attestations so expectations are clear from day one.
- Use and disclosure of PHI, minimum necessary, patient rights, and authorizations.
- HIPAA Security Rule safeguards: passwords/MFA, encryption, secure remote work, disposal/shredding, and device/media controls.
- Communication: email, texting, patient portals, and strict social media prohibitions regarding PHI.
- Photography and recording restrictions; media inquiries go through designated officials.
- Access management: unique IDs, no password sharing, break-glass rules, and session timeouts.
- Incident response and breach reporting; sanctions for noncompliance.
- Confidentiality Agreements and acknowledgment of the Notice of Privacy Practices’ implications for staff behavior.
Exceptions for Non-Healthcare Observers
Individuals who merely observe and do not perform work under your control—such as brief job shadowers with no PHI access—are typically not workforce members. Treat them as visitors: restrict areas, prohibit system access, and prevent exposure to identifiable PHI.
If observers may be present where PHI could be seen or overheard, implement heightened safeguards. Obtain patient permission before presence in treatment areas, escort continuously, position them away from screens and records, and forbid note-taking or recording devices.
Once an observer performs any task or has more than incidental PHI exposure, they effectively function as workforce and should complete appropriate HIPAA training and attestations before continuing. Clear boundaries and documentation reduce risk and support compliance.
FAQs
Are students and interns legally required to complete HIPAA training?
Yes—when students or interns are under your direct control and perform work for you, they are workforce members. They must complete Privacy Rule policy training and Security Rule awareness education before accessing PHI or ePHI, and receive updates when roles or policies change.
What constitutes a workforce member under HIPAA?
A workforce member is any employee, volunteer, trainee, or other person whose conduct, in performing work for a covered entity or business associate, is under that entity’s direct control—paid or unpaid. Control and assigned duties, not job title, determine inclusion.
How often must students and interns receive HIPAA training?
Provide training at onboarding and whenever policies materially change or duties shift. While HIPAA does not prescribe an annual requirement, most organizations deliver annual privacy refreshers and periodic security awareness updates as a best-practice standard.
Are job shadowing individuals required to complete full HIPAA training?
Not if they are true observers who will not access, create, or handle PHI and are kept from viewing identifiable information. They should sign a confidentiality acknowledgment and be escorted. If any PHI exposure is anticipated—or they perform work—treat them as workforce and require full, role-appropriate HIPAA training.