The greatest threat to patient data is your staff. While malicious intent is possible, it is uncommon. Careless staff, however, are common and often the root cause of a security breach. With good reason, the HIPAA Security Rule is riddled with references to staff training and makes mention of specific topics your training program must include.

It should be noted that a well-documented security policies and procedures manual is a precursor to training. Staff training must be derived from your policies manual, so without compliant policies you cannot be compliant with training either. Check out What is a Compliant Policies & Procedures Manual? to learn more about policies.

Let's get to it, the annual HIPAA staff training topics.

Sanction policy

This session should closely mirror your actual Sanction Policy document, which all employees, contractors, and volunteers should sign upon hiring. A sanction policy contains many examples of violations and the disciplinary actions associated with each. The simple act of educating employees about what counts as a violation, and what the consequences are, is arguably the easiest and most effective HIPAA safeguard to implement.

Breach notification

It’s perfectly reasonable to simply read your practice’s breach notification policy to workforce members; however, some content is relevant only to your privacy officer and practice owner(s), so feel free to skip material beyond definitions and the importance of reporting a possible breach to the privacy officer. With that said, you may choose to outline the reporting process your practice is required to follow in the event patient data is compromised to reinforce why security must be taken seriously.

Password management

HIPAA requires that staff be informed of their responsibilities under your practice’s password management policy. Assuming you already have a password policy, this training session will be quick. Training content should cover:

  1. Number of unsuccessful logon attempts before the account is locked
  2. Password requirements regarding:
    1. Length
    2. Complexity
    3. Change (how often, and when a compromise is suspected)
    4. Reuse (how many previous passwords are remembered)
  3. Avoiding common words, names, initials, birthdays, or phone numbers
  4. Declining offers from software and websites to save passwords or log in automatically
  5. Password confidentiality (never shared, written down, or entered for someone else)
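The rules above are what the policy says; the system enforcing them is what staff actually run into. The following is an added example (not code from the original article or any particular EHR vendor) showing how each training item maps to a concrete check: a lockout counter, length and complexity rules, a reuse check against a hashed history, and rejection of passwords built from common words or the user's own name, initials, birthday, or phone number. The thresholds (12 characters, 3 character classes, 10 remembered passwords, 5 failed logons), the sample denylist, and the user "Jane Doe" are assumptions constructed for the example; HIPAA does not prescribe specific values.

```python
"""Password policy checks matching the training topics above: lockout after
repeated failed logons, length/complexity rules, reuse against a hashed
history, and rejection of common words or personal data (name, initials,
birthday, phone number). Thresholds are illustrative assumptions, not
values HIPAA prescribes."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample denylist; a real deployment would load a breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "clinic"}


@dataclass
class UserProfile:
    first: str
    last: str
    birthday: str  # "YYYY-MM-DD"
    phone: str     # digits only


def hash_password(pw: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; history is stored as (salt, digest), never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def new_history_entry(pw: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, hash_password(pw, salt)


@dataclass
class PasswordPolicy:
    min_length: int = 12      # assumed threshold
    min_classes: int = 3      # of lower / upper / digit / symbol
    history_size: int = 10    # passwords remembered for the reuse check

    def violations(self, pw: str, user: UserProfile,
                   history: list[tuple[bytes, bytes]]) -> list[str]:
        """Return every rule the candidate password breaks (empty list = acceptable)."""
        problems = []
        low = pw.lower()
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, pw))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if classes < self.min_classes:
            problems.append(f"fewer than {self.min_classes} character classes")
        for word in sorted(COMMON_WORDS):
            if word in low:
                problems.append(f"contains common word '{word}'")
        for label, value in (("first name", user.first), ("last name", user.last)):
            if len(value) >= 3 and value.lower() in low:
                problems.append(f"contains {label}")
        # Initials plus digits/symbols ("jd1985!") is a classic weak pattern.
        if re.sub(r"[^a-z]", "", low) == (user.first[0] + user.last[0]).lower():
            problems.append("is just initials plus digits/symbols")
        y, m, d = user.birthday.split("-")
        if any(c in pw for c in (y, y + m + d, m + d + y, m + d + y[2:], d + m + y, d + m + y[2:])):
            problems.append("contains birthday")
        if any(c in pw for c in (user.phone, user.phone[-7:], user.phone[-4:])):
            problems.append("contains phone number")
        for salt, digest in history[-self.history_size:]:
            if hmac.compare_digest(hash_password(pw, salt), digest):
                problems.append(f"reused within the last {self.history_size} passwords")
                break
        return problems


@dataclass
class LogonTracker:
    """Counts consecutive failed logons per account and locks after max_failures."""
    max_failures: int = 5     # assumed threshold
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_failure(self, username: str) -> bool:
        """Record one failed logon; returns True once the account is locked."""
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
        return username in self.locked

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)

    def unlock(self, username: str) -> None:
        """Administrative reset; a locked account does not unlock itself."""
        self.locked.discard(username)
        self.failures.pop(username, None)

    def is_locked(self, username: str) -> bool:
        return username in self.locked


if __name__ == "__main__":
    jane = UserProfile("Jane", "Doe", "1985-03-14", "5551234567")   # constructed user
    history = [new_history_entry("Correct-Horse-7!")]               # her previous password
    policy = PasswordPolicy()
    for candidate in ("JaneDoe1985", "jd1985!", "Correct-Horse-7!", "Tq8#vLm2$pWz"):
        print(candidate, "->", policy.violations(candidate, jane, history) or "OK")
```

Note that the reuse check never stores old passwords in clear; it re-derives the candidate against each remembered salt. That is also why the history is capped: every remembered password costs one PBKDF2 run at change time.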

Emergency operations

Discuss procedures for managing and documenting patient encounters when EHR and PM systems are unavailable due to planned or unplanned outages, and your plan for restoring systems and recovering data following an emergency. You guessed it, all you’ll do is review with staff your written emergency operations plan (a.k.a. contingency plan) and data backup plan, both of which should be a part of your policies and procedures manual.

Workstation use

There are two learning objectives. The first is employee responsibilities, for example: challenging unrecognized personnel, workstation configuration (e.g., positioning or privacy filters that prevent non-employees from incidentally viewing the screen), rules for home use of practice assets, and a clear desk, clear screen policy. The second is prohibited employee activities, which covers software use restrictions such as: deliberately crashing systems, attempting to break into systems or inject code, browsing records for which you have no "need to know," personal use, and terms-of-use violations.

Protection from malicious software

Considering the proliferation of ransomware, this topic is of great interest. Content should include email phishing schemes, what to do if a workstation appears infected (who to notify, and whether to disconnect it from the network), and malware prevention. Sufficient training here greatly reduces the likelihood that malware wreaks havoc on your systems.

This article won’t be complete without discussing training documentation requirements. You’ve heard the saying "if it wasn’t documented, it didn’t happen." The same is true of HIPAA compliance; if you don’t document your efforts, it’s going to be tough proving you did anything at all. At a minimum, training records should include the date, the topics covered, and who attended, and they should be retained with your other HIPAA documentation (the Security Rule requires such documentation to be kept for six years). It’s that simple.

Remember, relevant and regular staff training will do more to protect patient information than any other HIPAA safeguard. Plus, beyond staff time, it costs nothing to implement!