Who Provides HIPAA Training? Approved Providers, Roles, and Requirements Explained
You are responsible for ensuring that your organization’s workforce understands how to handle Protected Health Information (PHI) securely. This guide explains who provides HIPAA training, what the law expects, how roles and records fit together, and where state rules—like Texas HB 300—add deadlines.
Covered Entities and Business Associates
HIPAA applies to covered entities—health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically for standard transactions. It also reaches business associates that create, receive, maintain, or transmit PHI on behalf of a covered entity, as well as their subcontractors.
Your “workforce” includes employees, management, volunteers, trainees, and others under your direct control. Contractors under your control may be workforce; independent vendors are typically business associates and need a Business Associate Agreement (BAA). Hybrid entities must ensure HIPAA training reaches designated health care components.
Training scope depends on access and duties. Staff who never touch PHI need awareness-level content; those who use, disclose, or secure PHI need deeper, role-based instruction aligned to your policies and procedures.
Workforce Training Requirements
The Privacy Rule (45 CFR 164.530(b)) requires covered entities to train all workforce members on the privacy policies and procedures relevant to their functions: new members within a reasonable period after joining, and everyone affected within a reasonable period after a material change. The Security Rule (45 CFR 164.308(a)(5)) requires a security awareness and training program for all workforce members, including management, and applies directly to business associates as well as covered entities. Business associates therefore must run Security Awareness Training and, in practice, also provide privacy training tied to the uses and disclosures their BAAs permit.
At a minimum, ensure your program covers:
- Permitted uses/disclosures, the minimum necessary standard, and patient rights under the HIPAA Privacy Rule.
- Security Awareness Training: passwords, access controls, phishing, malware/ransomware, device and media controls, secure messaging, and remote/telehealth workflows.
- Incident identification and internal reporting, including HIPAA Breach Notification basics.
- Sanction policies and escalation paths for Workforce Compliance issues.
Best practice is onboarding training within a reasonable period after a person joins the workforce (commonly 30 to 90 days), refresher training at least annually, and just-in-time updates when policies, systems, or risks change.
HIPAA Privacy and Security Rules
HIPAA Privacy Rule
The HIPAA Privacy Rule governs how PHI is used and disclosed and grants individual rights (access, amendments, restrictions, confidential communications, and an accounting of disclosures). Your training should map directly to your Notice of Privacy Practices and local policies so staff know when authorization is required, how to apply minimum necessary, and how to respond to patient requests.
HIPAA Security Rule
The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Training should reinforce outcomes of your risk analysis: appropriate access provisioning, authentication, encryption, workstation security, mobile device safeguards, auditing, and incident response. Ongoing microlearning and simulated phishing strengthen security culture.
HIPAA Breach Notification
Under the Breach Notification Rule, you must assess every impermissible use or disclosure of unsecured PHI; it is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. If a breach occurred, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS within that same window and, when 500 or more residents of a state or jurisdiction are involved, to prominent media outlets; smaller breaches are logged and reported to HHS annually. Business associates must notify the covered entity they serve. Teach your workforce to recognize and report incidents quickly, because the 60-day clock starts when the incident is discovered (or should reasonably have been discovered), not when the investigation concludes.
Roles of Privacy and Security Officers
You must designate a Privacy Officer (the Privacy Rule's "privacy official") and a Security Officer (the Security Rule's "security official"); business associates must designate a Security Officer as well. In smaller organizations one person may serve both roles; larger enterprises often separate them and add deputies or committees.
- Privacy Officer: oversees privacy policies, Workforce Compliance training on uses/disclosures, handles complaints, monitors BAAs, manages investigations, and enforces sanctions.
- Security Officer: leads risk analysis and risk management, directs technical and physical safeguards, delivers Security Awareness Training, coordinates incident response, and oversees audits.
Both officers should validate that training content mirrors your current policies, risk profile, systems, and state obligations, and that completion and comprehension are measured and documented.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Authorized HIPAA Training Providers
There is no official government “approved provider” list for HIPAA training. The law lets you deliver training internally or outsource it; either way, your organization remains accountable for accuracy, relevance, and completion.
Who can provide training
- Internal teams (Privacy/Security/Compliance, HR, or clinical leadership) using organization-specific materials.
- Third-party eLearning vendors offering modular HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification courses.
- Healthcare compliance consultants or law firms tailoring training to your risk, BAAs, and state requirements.
- Professional associations or insurers that bundle sector-specific training.
How to evaluate a provider
- Curriculum mapped to HIPAA Privacy/Security/Breach rules and your policies, with role-based tracks.
- Customization options (workflows, EHR screenshots, incident reporting steps, sanctions).
- Assessments, certificates, remediation for low scores, and accessibility features.
- Admin tools for reminders, completion dashboards, and exportable records that satisfy your documentation requirements.
Documentation and Recordkeeping
Maintain written policies and keep training records for at least six years from the date of creation or the date the document was last in effect, whichever is later (45 CFR 164.316(b)(2) and 164.530(j)). Centralized records help you prove compliance during audits, investigations, or contract reviews.
- Current training policy and schedule; versioned curricula and materials used.
- Attendance/completion logs with names, roles, dates, delivery method, and scores.
- Signed attestations, certificates, and remediation evidence for failed assessments.
- Records of material policy changes and the training updates triggered by them.
- Vendor contracts/BAAs describing training responsibilities and reporting.
Align your LMS or tracking spreadsheets with HR data to auto-enroll new hires, monitor overdue training, and archive records on termination while preserving retention requirements.
State-Specific Training Deadlines
HIPAA sets content and documentation expectations but not a universal training cadence. Some states add timing rules or sector obligations that effectively set deadlines.
Texas HB 300 (commonly cited)
- Requires privacy training for employees who handle PHI within 90 days of hire.
- Requires refresher training at least once every two years.
- Requires documentation of completion; content must reflect the entity’s operations.
Other state considerations
- Several states (for example, California’s CPRA and New York’s SHIELD Act) require appropriate privacy/security training but do not impose fixed HIPAA training intervals.
- State Medicaid or managed care contracts, licensure bodies, and hospital bylaws may require annual compliance training—verify your contractual and accreditation terms.
Practical multi-state approach
- Adopt the strictest cadence you face (e.g., onboarding within 30–90 days plus annual refreshers).
- Trigger role-based micro-updates whenever policies, technology, or risks change.
- Localize modules to cover any state-specific rights or reporting obligations that exceed HIPAA.
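The "strictest cadence" rule above and the LMS/HR reconciliation described under Documentation and Recordkeeping (auto-enroll new hires, flag overdue training, archive on termination without breaking retention) are easy to get wrong when several obligations overlap. The script below is an added illustration, not code from the page's vendor: it combines an assumed organizational baseline (30-day onboarding, annual refresh) with Texas HB 300's 90-day/biennial terms and a hypothetical payer-contract term, takes the shortest interval per dimension, computes each worker's next due date, and starts the six-year retention clock at termination. The roster is constructed sample data.

```python
"""Training cadence and retention tracker (illustrative example, not a vendor product)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Intervals in days. "POLICY" is an assumed organizational baseline; "TX" reflects Texas
# HB 300 (training within 90 days of hire, refresher at least every two years);
# "PAYER_CONTRACT" is a hypothetical contractual term included only to show how a
# stricter obligation overrides the baseline.
OBLIGATIONS = {
    "POLICY": {"onboarding": 30, "refresh": 365},
    "TX": {"onboarding": 90, "refresh": 730},
    "PAYER_CONTRACT": {"onboarding": 14, "refresh": 365},
}
RETENTION_YEARS = 6  # 45 CFR 164.316(b)(2)(i) / 164.530(j)


@dataclass
class Worker:
    name: str
    hired: date
    obligations: list[str] = field(default_factory=list)   # keys into OBLIGATIONS
    completions: list[date] = field(default_factory=list)  # training completion dates
    terminated: Optional[date] = None


def strictest_cadence(obligations: list[str]) -> dict[str, int]:
    """Baseline policy plus every obligation the worker is subject to; shortest interval wins."""
    rules = [OBLIGATIONS["POLICY"]] + [OBLIGATIONS[o] for o in obligations]
    return {k: min(r[k] for r in rules) for k in ("onboarding", "refresh")}


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic that tolerates 29 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def next_due(w: Worker) -> tuple[str, date]:
    """Onboarding deadline if the worker has never trained, otherwise the refresher date."""
    c = strictest_cadence(w.obligations)
    if not w.completions:
        return "onboarding", w.hired + timedelta(days=c["onboarding"])
    return "refresher", max(w.completions) + timedelta(days=c["refresh"])


def status(w: Worker, today: date) -> dict:
    if w.terminated is not None and w.terminated <= today:
        return {"state": "archived", "kind": None, "due": None}
    kind, due = next_due(w)
    return {"state": "overdue" if today > due else "current", "kind": kind, "due": due}


def retain_until(w: Worker, today: date) -> Optional[date]:
    """Earliest purge date for the training file. Records stay 'in effect' while the worker
    is active, so the six-year clock runs from the later of termination or last completion."""
    if w.terminated is None or w.terminated > today:
        return None
    return add_years(max([w.terminated] + w.completions), RETENTION_YEARS)


def report(roster: list[Worker], today: date) -> dict[str, dict]:
    return {w.name: {**status(w, today), "retain_until": retain_until(w, today)} for w in roster}


# Constructed sample roster (not real people or records).
ROSTER = [
    Worker("alice", date(2024, 5, 1), ["TX"]),
    Worker("bob", date(2022, 1, 10), ["TX", "PAYER_CONTRACT"],
           [date(2022, 2, 1), date(2023, 3, 15)]),
    Worker("carol", date(2023, 9, 1), [], [date(2023, 9, 15)]),
    Worker("dave", date(2019, 1, 1), ["TX"], [date(2019, 1, 15), date(2020, 1, 15)],
           terminated=date(2021, 6, 30)),
]

if __name__ == "__main__":
    for name, row in report(ROSTER, date(2024, 6, 1)).items():
        print(f"{name:6} {row['state']:8} {row['kind'] or '-':10} "
              f"due={row['due']} retain_until={row['retain_until']}")
```

Run as-is and the report shows alice overdue for onboarding (the 30-day policy is stricter than HB 300's 90 days), bob overdue for an annual refresher even though Texas alone would allow two years, carol current, and dave archived with a purge date six years after termination. Feed it your HR export and LMS completions instead of `ROSTER` and the same functions drive enrollment reminders and retention holds.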
Conclusion
HIPAA training can be delivered internally or by reputable third parties, but you own the outcome. Map content to the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification; tailor it to roles; document everything for six years; and follow the most stringent state timelines you face to keep Workforce Compliance strong.
FAQs
Who is required to provide HIPAA training?
Covered entities must train their workforce on privacy policies and procedures, and both covered entities and business associates must provide Security Awareness Training for all workforce members. You may deliver training internally or outsource it, but your organization remains responsible for ensuring it is accurate, role-based, and completed.
What topics must HIPAA training cover?
Cover permitted uses/disclosures, the minimum necessary standard, patient rights and your Notice of Privacy Practices, security safeguards for electronic PHI, incident recognition and reporting, HIPAA Breach Notification basics, sanctions, and any state-specific obligations. Tailor depth by role and access to PHI.
How often should HIPAA training be updated?
Provide onboarding training promptly, refresh at least annually as a best practice, and update whenever you have material policy, system, or legal changes. If you operate in Texas, follow HB 300’s 90-day onboarding and biennial refresher requirements.
Can HIPAA training be outsourced to third-party providers?
Yes. Many organizations use eLearning vendors, consultants, or association courses. Ensure the provider maps content to your policies and BAAs, offers assessments and certificates, supports recordkeeping, and allows customization. Even when outsourced, you remain accountable for compliance outcomes.