
Compliance Training Requirements

Healthcare organizations must provide workforce training under HIPAA, OSHA, and federal corporate compliance standards. Learn what is required and how it applies to Covered Entities and Business Associates.

Why Compliance Training Is Required

Healthcare organizations are required to train their workforce to ensure:

  • Patient information is protected

  • Workplace safety standards are followed

  • Fraud and abuse laws are understood

  • Compliance risks are minimized

Training is not optional; it is a regulatory expectation under multiple federal laws.


HIPAA Training Requirements

Who Must Provide HIPAA Training?

HIPAA training is required for:

  • Covered Entities

  • Business Associates

Both are responsible for ensuring their workforce understands HIPAA obligations.


What Does HIPAA Require?

Under the HIPAA Privacy Rule (45 CFR § 164.530(b)), Covered Entities must:

  • Train all workforce members on the policies and procedures they need to carry out their functions

  • Provide training appropriate to each person’s job functions

  • Train each new workforce member (employees, volunteers, trainees, and others under the entity’s control) within a reasonable period after they join

  • Retrain affected workforce members within a reasonable period after a material change to policies or procedures

The HIPAA Security Rule (45 CFR § 164.308(a)(5)) also requires a security awareness and training program for all workforce members, including management, covering the safeguarding of electronic PHI (ePHI). Its addressable implementation specifications are periodic security reminders, protection from malicious software, log-in monitoring, and password management.


What Should HIPAA Training Cover?

Training should address:

  • Privacy Rule basics

  • Security safeguards

  • Access controls

  • Password management

  • Incident reporting procedures

  • Breach response protocols

  • Sanction policies

Training must align with the organization’s written policies.


Frequency of HIPAA Training

While HIPAA does not specify “annual” training, industry best practice (and regulatory expectation) is:

  • Initial training upon hire

  • Refresher training annually

  • Additional training when policies change

Documentation of training completion is not just best practice: the Privacy Rule requires Covered Entities to document that training was provided (45 CFR § 164.530(b)(2)(ii)), and both the Privacy Rule (§ 164.530(j)) and the Security Rule (§ 164.316(b)(2)) require such documentation to be retained for six years.


OSHA Training Requirements

OSHA regulations apply to healthcare employers and require specific workplace safety training.


Who Must Comply?

OSHA applies to:

  • Healthcare employers, regardless of whether they are HIPAA Covered Entities

  • Any employer with employees exposed to workplace hazards

OSHA obligations do not depend on HIPAA status: a Business Associate whose employees work in clinical environments (for example, on-site IT or billing staff at a hospital) may have OSHA obligations as an employer in its own right.


Required OSHA Training in Healthcare

Common required training topics include:

Bloodborne Pathogens (29 CFR 1910.1030)

  • Required at the time of initial assignment to tasks with occupational exposure

  • Required at least annually thereafter

  • Must cover exposure control plans and post-exposure procedures

Hazard Communication (29 CFR 1910.1200)

  • Chemical labeling

  • Safety Data Sheets (SDS)

  • Globally Harmonized System (GHS) classification and labeling standards

Personal Protective Equipment (PPE) (29 CFR 1910.132)

  • Proper use and limitations

  • When PPE is required

Emergency Action Plans (29 CFR 1910.38)

  • Evacuation procedures

  • Fire safety

This is not a complete list; training requirements vary depending on the hazards present in the workplace.


Documentation Requirements

Employers must:

  • Maintain training records

  • Track attendance and completion

  • Provide retraining when new hazards are introduced

Failure to document OSHA training can result in citations during inspections.


Corporate Compliance Training (OIG Expectations)

The Office of Inspector General (OIG) outlines expectations for compliance training as part of an effective compliance program.

Under the 7 Elements of an Effective Compliance Program, organizations should implement effective training and education for all employees and leadership.


What Should Corporate Compliance Training Cover?

Corporate compliance training typically includes:

  • Code of Conduct

  • Fraud & Abuse laws (Stark Law, Anti-Kickback Statute)

  • False Claims Act

  • Documentation integrity

  • Reporting mechanisms (hotline)

  • Non-retaliation policies

  • Exclusion screening awareness

Training should be tailored to job roles and risk exposure.


Who Must Be Trained?

  • Leadership

  • Providers

  • Administrative staff

  • Billing staff

  • Contractors (as applicable)

Compliance training should not be limited to billing teams; culture-wide awareness is expected.


Frequency of Corporate Compliance Training

Best practice includes:

  • Training upon hire

  • Annual refresher training

  • Additional training for high-risk roles

Many enforcement actions cite failure to implement effective compliance education.


Covered Entities vs Business Associates: Training Differences

Requirement                    | Covered Entities                     | Business Associates
HIPAA Privacy Training         | Required                             | Required (for workforce handling PHI)
HIPAA Security Training        | Required                             | Required
OSHA Training                  | Required (if employer with hazards)  | Required (if employer subject to OSHA)
Corporate Compliance Training  | Strongly expected (OIG guidance)     | Expected if billing federal programs

Business Associates are directly liable under HIPAA and must ensure their workforce understands applicable safeguards.


Why Training Documentation Matters

During audits or investigations, regulators may request:

  • Training records

  • Course content

  • Completion certificates

  • Policy acknowledgment records

  • Dates of training

If training cannot be documented, regulators may assume it did not occur.


Common Compliance Failures

  • Training only once and never refreshing

  • Generic training not aligned with policies

  • No documentation of attendance

  • No sanction enforcement for violations

  • Failing to train leadership

Effective training must be structured, documented, and ongoing.


Unsure whether your current training program meets regulatory expectations?
Review your documentation and ensure it aligns with your policies and risk areas.

Last reviewed: February 2026