Texas HHS HIPAA Training Checklist: Policies, Documentation, and Workforce Readiness

Kevin Henry

HIPAA

June 14, 2024

6 minutes read
Use this Texas HHS HIPAA Training Checklist to build a workforce-ready program that protects Protected Health Information, meets HIPAA Privacy Compliance, and aligns with the Texas Medical Privacy Act. You will find the essential policies, Workforce Training Documentation practices, and role-based steps you can apply immediately.

The checklist focuses on practical actions: onboarding timelines, Training Retention Requirements, Information Security/Cybersecurity Training, and how to document Training Policy Acknowledgement so you are audit-ready at any time.

HIPAA Training Requirements in Texas

Core federal requirements you must cover

  • HIPAA Privacy Rule: Train all workforce members on your policies and procedures for Protected Health Information as necessary and appropriate for their duties, and document that training occurred.
  • HIPAA Security Rule: Implement an ongoing security awareness and training program for all workforce members. At a minimum, address security reminders, protection against malicious software, log‑in monitoring, and password management as part of your Information Security/Cybersecurity Training.

Texas Medical Privacy Act (HB 300) additions

  • Train employees on both state and federal PHI requirements in a manner tailored to your course of business and each employee’s role.
  • New hires must complete training within 90 days of hire; keep a signed Training Policy Acknowledgement or completion statement.
  • When state or federal law materially changes, provide additional training within a reasonable time and no later than one year from the effective date of the change.
  • Training Retention Requirements: Maintain signed training verification statements for at least six years from the date signed.

Initial Training for New Employees

What to include on day one through completion

  • Orientation briefing: Your privacy program overview, permitted uses/disclosures, minimum necessary, and how to report incidents.
  • Role-aligned modules: Tailor content to clinical, administrative, billing, IT, and leadership functions so staff learn the PHI risks they actually face.
  • Information Security/Cybersecurity Training: Phishing awareness, secure passwords/MFA, device and workstation security, and safe handling of portable media.
  • Procedural walk‑throughs: Access request and authorization workflows, patient rights, and breach response steps.
  • Completion deadline: Ensure each new employee completes required training within 90 days of hire; best practice is to finish before granting PHI access.

Onboarding checklist

  • Assign required curricula by role and location.
  • Deliver content (LMS, live, or hybrid) and verify understanding with quizzes or scenario exercises.
  • Collect Training Policy Acknowledgement and signed completion statements.
  • Record completion date, instructor/materials used, and any remediation provided.

Documentation of Training

Audit‑ready Workforce Training Documentation

  • Training roster: Name, role, department, hire date, and completion dates for each module.
  • Signed verification: Electronic or wet signatures confirming completion (retain at least six years).
  • Content records: Syllabi, slide decks, scenarios, and assessments tied to policy citations and dates.
  • Delivery evidence: LMS reports, attendance logs, and evaluation scores.
  • Exception tracking: Make‑up sessions, remediation plans, and deadline extensions with justifications.

Store records centrally and make them easily retrievable by employee, location, and training type to demonstrate HIPAA Privacy Compliance and Texas Medical Privacy Act adherence.

Role-Based Training

Align depth and focus to job duties

  • Clinical staff: Minimum necessary, disclosures for treatment/payment/operations, patient access requests, and secure messaging/telehealth practices.
  • Billing/revenue cycle: Uses/disclosures for payment, anti‑fraud precautions, and third‑party vendor handling of PHI.
  • IT and security: Access controls, audit logs, encryption, secure configuration, incident detection/response, and change management.
  • Leadership/managers: Governance, risk acceptance/escalation, sanctions, and oversight of Workforce Training Documentation.

Security awareness elements to include

  • Security reminders and periodic updates.
  • Protection from malicious software and email threats.
  • Log‑in monitoring and anomaly reporting.
  • Password management and MFA hygiene.

Additional Training on Policy Changes

When to trigger updates

  • Material changes to HIPAA or Texas law affecting how your workforce handles PHI.
  • Revisions to your internal privacy or security policies and procedures.
  • New systems, vendors, or workflows that change PHI access, storage, or transmission.
  • Role changes, mergers, or reorganizations that affect duties.
  • After incidents, near‑misses, or audit findings to prevent recurrence.

Provide updated training promptly; under Texas HB 300, training tied to a material change in law must occur within a reasonable period and no later than one year from the effective date. Document who was affected, the content delivered, and the completion dates.

Compliance with Texas HB 300

Checklist to stay compliant

  • Scope: Confirm you meet the Texas definition of a covered entity and identify all locations and programs handling PHI.
  • Timing: Train new employees within 90 days of hire; track and remind proactively.
  • Change management: Deliver training on material legal changes within one year of the effective date, and sooner when operationally feasible.
  • Tailoring: Map training to each role’s duties and your organization’s course of business.
  • Recordkeeping: Maintain signed training verification statements for at least six years, alongside rosters and content records.
  • Governance: Assign an owner to monitor laws, update materials, and validate completion metrics.

Training for Contractors and Direct Service Staff

Contractors and business associates

  • Require contractually that any contractor with PHI access completes HIPAA and Texas Medical Privacy Act training appropriate to their duties.
  • Obtain and file Workforce Training Documentation (e.g., completion attestations, syllabi) or provide your own training when access is onsite or persistent.
  • Validate Information Security/Cybersecurity Training coverage for vendor staff who access systems, including incident reporting and breach notification pathways.

Direct service staff

  • Ensure staff providing direct services under Texas HHS‑regulated programs complete privacy and security onboarding before accessing PHI.
  • Reinforce minimum necessary, appropriate disclosures, and immediate reporting of suspected breaches or misdirected information.
  • Capture Training Policy Acknowledgement and maintain records per Training Retention Requirements.

Checklist summary

  • Train everyone appropriately (Privacy and Security), on time (90‑day new hire; within one year for legal changes), and by role.
  • Document everything: rosters, content, dates, and signed acknowledgements; retain at least six years.
  • Extend controls to contractors and direct service staff; verify and file their training proof.
  • Continuously improve through security reminders and targeted refreshers after changes or incidents.

FAQs

What are Texas-specific HIPAA training requirements?

Texas HB 300 (the Texas Medical Privacy Act) requires training on both state and federal PHI law tailored to your business and each employee’s duties. New hires must complete training within 90 days, training must be provided when law materially changes (within a reasonable period and no later than one year from the change), and you must retain signed training verification statements for at least six years.

How soon must new employees complete HIPAA training?

Texas requires completion within 90 days of hire. As a best practice, complete core privacy and Information Security/Cybersecurity Training before granting access to systems or any Protected Health Information.

What documentation is required to verify HIPAA workforce training?

Keep signed completion statements (Training Policy Acknowledgement or equivalent), rosters with dates and modules, and records of materials used and instructors. Maintain these Workforce Training Documentation records for at least six years and ensure they are searchable by employee and location.

When is additional HIPAA training required?

Provide additional training whenever your policies or procedures materially change, roles shift, new systems/vendors alter PHI handling, or after incidents and audits. Under Texas law, if the change is to state or federal PHI law, complete training within a reasonable period and no later than one year from the law’s effective date.
