Is a Lack of Employee Training a HIPAA Violation?

by Katie Palmer        08/27/2020


The short answer: yes. A lack of employee HIPAA training is a violation of the law.

It is not enough to train your employees about the law. The training must be HIPAA-certified. Certified means there is proof that employees retained the material, for example exam scores after training.

After a data breach, you will have to provide records of employee training. If you can provide these records, your practice is likely to face less severe penalties. Fines increase with willful neglect.

Why care about HIPAA training?

Penalties already increased in 2019, as outlined by HIPAA Journal.

According to Channel Futures, experts predict penalties will increase in 2020. The government will most likely make up for budget cuts with increased enforcement.

Let’s forget about fines. Let’s talk about patient trust. After a data breach, you must follow the Breach Notification Rule. You must provide notification of the breach to patients, the Secretary, and sometimes the media.

A data breach could destroy patient trust in your practice. As a result, your patients might leave for a different practice.

Who needs to be trained?

Any employee who encounters Protected Health Information (PHI) needs to be trained. Of course, this includes doctors, dentists, and nurses. But you also need to train other employees. For example:

  • Interns
  • Sanitation workers
  • Administrators
  • Receptionists
  • Researchers
  • Volunteers
  • Business associates 

What should be included in training?

What to include in your HIPAA employee training, according to HIPAA Journal:

When do employees need to be HIPAA trained?

Employees need to receive training:

  • Within a reasonable amount of time after hire
  • When there is a change to policies that affects their job
  • Periodically

“A reasonable amount of time” and “periodically” are vague and up to interpretation. However, most experts recommend giving employees HIPAA training before they start work and annually.

Does lack of training cause violations?

A lack of training is itself a violation, but failing to train your employees also causes data breaches.

Becker’s Hospital Review states untrained employees are one of the most common causes of data breaches.

Similarly, CloudApper writes, “While organizations cannot prevent external breaches all the time, most of the internal ones can be prevented.” 

How can you make your practice compliant?

Our compliance experts specialize in HIPAA, so you don’t have to.

Check out Smart Training’s HIPAA 101 and Business Associates HIPAA Training module. We also offer upgraded packages that include:

  • HIPAA Risk Assessment
  • HIPAA Policies and Procedures
  • Up-to-date patient privacy documents

Request a demonstration with a Smart Training Compliance Adviser if you are interested in learning about our upgraded packages.

Compliance is a full-time job; Smart Training is here to help.

Smart Training
820 W Spring Creek Pkwy, Ste 400-R Plano, Tx 75023
