Who Can Deliver HIPAA Training: Covered Entities, Business Associates, and Vendors


Kevin Henry

HIPAA

July 02, 2024

6 minute read

Understanding who can deliver HIPAA training helps you assign clear responsibilities, reduce risk, and document compliance. This guide explains the roles of covered entities, business associates, and vendors, and how each ensures Privacy Rule Compliance, Security Rule Training, and Breach Notification Procedures.

Covered Entities Providing Training

Who must be trained

Covered entities—health plans, healthcare clearinghouses, and most healthcare providers that handle electronic transactions—must train their entire workforce. “Workforce” includes employees, volunteers, trainees, contractors under your direct control, and medical staff who access PHI in your environment.

What the training must cover

Training should align with job duties and your policies. Core topics include permitted uses and disclosures, minimum necessary, patient rights, PHI Safeguards, and incident reporting. Security Rule Training should address access controls, secure authentication, phishing, device security, and secure messaging.

Delivery, cadence, and records

You may deliver training internally or use a qualified external provider, but the covered entity remains accountable. Provide onboarding training, refreshers when policies change, and periodic updates. Keep detailed records of dates, curricula, attendees, scores, and acknowledgments to demonstrate Workforce Training compliance.

Business Associate Responsibilities

Core obligations

Business associates that create, receive, maintain, or transmit PHI on your behalf must implement administrative, physical, and technical safeguards. They are required to limit uses and disclosures to what Business Associate Agreements permit and to follow Breach Notification Procedures.

Training scope

Business associates must train their workforce on role-based privacy and security practices. Emphasize secure handling of PHI, access management, data integrity, secure development or configuration practices, and vendor risk reporting.

Proof and oversight

Require documentation that training occurs at onboarding and periodically thereafter. Your oversight can include reviewing curricula, completion metrics, and corrective actions after incidents to verify ongoing Privacy Rule Compliance and Subcontractor Compliance.

Vendor HIPAA Training Roles

When vendors are business associates

Vendors become business associates when they create, receive, maintain, or transmit PHI for a regulated function—examples include cloud hosting, billing, transcription, shredding, EHR, and managed IT. These vendors must run their own HIPAA programs and train their staff accordingly.

When vendors are not business associates

Some vendors only interact with de-identified data or offer services unrelated to PHI. They are not subject to HIPAA, yet basic confidentiality training is still prudent. If their scope changes to involve PHI, reclassify them and require training and a Business Associate Agreement.

Training delivered by vendors

Vendors may deliver training to your workforce under contract. Ensure the content reflects your policies, processes, and systems, and that you retain completion evidence. The covered entity or business associate remains ultimately accountable for outcomes.

HIPAA Training Compliance Requirements

Essential topics

  • Privacy Rule Compliance: uses and disclosures, minimum necessary, patient rights, and policy adherence.
  • Security Rule Training: access control, authentication, secure device and network use, phishing, encryption, and incident response.
  • Breach Notification Procedures: recognizing a potential breach, immediate reporting, containment, and documentation.
  • PHI Safeguards: physical security, workstation use, media disposal, and secure communication.

Timing and triggers

Train at hire, when roles change, when policies or technology change, after incidents, and on a periodic basis. Use role-based paths so each person learns the controls they actually use.


Documentation and assurance

  • Maintain sign-in or LMS logs, test results, acknowledgments, and curricula versions.
  • Map training outcomes to risk analysis findings and corrective action plans.
  • Use metrics—completion rates, assessment scores, and phishing results—to demonstrate effectiveness.

Subcontractor Training Obligations

Flow-down responsibilities

Subcontractors that handle PHI on behalf of a business associate are themselves business associates. Require downstream Business Associate Agreements and ensure Subcontractor Compliance through role-based training and proof of completion.

Access gating and monitoring

Training should occur before any PHI access and repeat periodically. Verify with onboarding checklists, attestation, and periodic audits. Suspend access for lapsed training to maintain strong PHI Safeguards.

Business Associate Agreements and Training

What BAAs should require

BAAs should specify permitted uses and disclosures, safeguard expectations, Breach Notification Procedures, and subcontractor obligations. Include explicit duties to conduct Workforce Training, keep records, and provide evidence upon request.

Verification levers

Build in right-to-audit clauses, reporting timelines for incidents, and minimum training frequency. Align measurements with your risk appetite, such as completion thresholds and remediation windows for missed deadlines.

Differentiating Conduits from Business Associates

Conduits

Conduits are transmission-only services that transport PHI but do not access or store it other than fleetingly—think common carriers or basic internet providers. They are typically not business associates and are not subject to HIPAA training mandates.

Business associates

Entities that persistently store or can access PHI—such as cloud backup, data centers, managed email, or eFax providers—are business associates. They must sign BAAs, implement safeguards, and run Security Rule Training for their workforce.

Training implications

Classify vendors by whether they create, receive, maintain, or transmit PHI for you. If yes, require a BAA, training, and evidence. If transmission is purely transient without access, treat the vendor as a conduit but still set confidentiality expectations contractually.

Conclusion

Covered entities, business associates, and many vendors can deliver HIPAA training, but accountability follows who controls PHI and sets policy. Use BAAs to codify expectations, require Workforce Training and PHI Safeguards, and ensure Subcontractor Compliance to keep your program defensible.

FAQs

Who is responsible for HIPAA training within covered entities?

The covered entity is responsible. You may use internal teams or third-party providers, but you must ensure role-based content, timely delivery, and complete records for all workforce members who interact with PHI.

How do business associates ensure HIPAA compliance?

They implement safeguards, conduct Security Rule Training and privacy education, sign and honor Business Associate Agreements, perform risk analysis, follow Breach Notification Procedures, and verify Subcontractor Compliance with flow-down BAAs.

What training must vendors provide?

Vendors that are business associates must train their workforce on Privacy Rule Compliance, Security Rule Training, and incident reporting aligned to their services. Non-BA vendors should still cover confidentiality and site-specific rules, and be re-evaluated if their scope expands to PHI.

When are subcontractors required to undergo HIPAA training?

When they create, receive, maintain, or transmit PHI for a business associate or covered entity. Training should occur before access, repeat periodically, and be documented, with a downstream Business Associate Agreement in place.
