
HIPAA Training SOP

Sub-procedure of hipaa-gap-sop.md

Overview

Detailed procedures for developing, delivering, and maintaining HIPAA security awareness training programs. This sub-procedure addresses the Security Awareness and Training requirements under §164.308(a)(5) and supports workforce security objectives.

Scope

Parent SOP: HIPAA Gap Assessment
Pillar: Protect (Security & Compliance)
Service Area: HIPAA Security Awareness Training

Prerequisites

  • Parent SOP requirements met
  • Training program scope defined (all workforce vs. role-based)
  • Training delivery method confirmed (LMS, in-person, hybrid)
  • Employee roster and role classifications obtained
  • Training completion tracking system identified
  • Executive sponsorship for mandatory training confirmed

Procedure

Step 1: Training Needs Assessment

Objective: Identify training requirements based on role and PHI access

Role-Based Training Matrix:

| Role Category | General HIPAA | Security Awareness | Role-Specific | Frequency |
|---|---|---|---|---|
| All Workforce | Required | Required | As applicable | Annual + Onboarding |
| PHI Handlers (Clinical) | Required | Required | PHI handling, minimum necessary | Annual + Role change |
| IT Staff | Required | Required | Technical safeguards, incident response | Annual + Quarterly updates |
| Privacy/Security Officers | Required | Required | Advanced compliance, audit procedures | Annual + Continuous |
| Management | Required | Required | Oversight responsibilities, risk management | Annual |
| Third-Party/Contractors | Required | As applicable | Per BAA requirements | Per contract |

Assessment Activities:

1. Inventory all workforce roles with PHI access
2. Map roles to training requirements
3. Identify role-specific training needs
4. Review prior training completion records
5. Identify gaps in current training program

Step 2: Training Content Development

Objective: Create or customize HIPAA-compliant training materials

General HIPAA Awareness Content (All Workforce):

| Module | Topics Covered | Duration |
|---|---|---|
| HIPAA Overview | Purpose, history, applicability | 15 min |
| PHI and ePHI | Definition, examples, identifiers | 10 min |
| Privacy Rule Basics | Patient rights, minimum necessary | 15 min |
| Security Rule Basics | Safeguards overview, workforce responsibilities | 15 min |
| Breach Notification | What constitutes a breach, reporting requirements | 10 min |
| Your Responsibilities | Day-to-day compliance, when to ask questions | 10 min |
| Reporting Concerns | How to report violations, non-retaliation | 5 min |

Security-Focused Content:

| Module | Topics Covered | Audience |
|---|---|---|
| Password Security | Strong passwords, password managers, MFA | All workforce |
| Phishing Awareness | Recognition, reporting, examples | All workforce |
| Physical Security | Clean desk, screen locks, visitor management | All workforce |
| Mobile Device Security | Encryption, remote wipe, secure apps | PHI handlers with mobile access |
| Incident Reporting | What to report, how to report, timeline | All workforce |
| Social Engineering | Pretexting, tailgating, impersonation | All workforce |

Role-Specific Content:

| Role | Additional Topics |
|---|---|
| Clinical Staff | Minimum necessary, verbal disclosures, patient rights |
| Front Desk | Patient verification, authorization forms, photography |
| IT Staff | Access provisioning, audit log review, incident handling |
| Management | Risk oversight, sanction policy, compliance program |

Step 3: Training Delivery

Objective: Execute training program with documented completion

Delivery Methods:

| Method | Best For | Tracking |
|---|---|---|
| Learning Management System (LMS) | Scalable, consistent, trackable | Automatic |
| In-Person Training | Small groups, interactive, Q&A | Manual attestation |
| Hybrid (LMS + Workshop) | Comprehensive, engagement | Combined |
| Just-in-Time Training | Specific incidents, reminders | Manual |

New Hire Onboarding:

1. Complete general HIPAA training within first 14 days
2. Complete role-specific training before PHI access granted
3. Document training completion in HR system
4. Obtain signed acknowledgment of policies

Annual Refresher Training:

1. Deploy training during designated compliance month
2. Allow 30-day completion window
3. Send weekly reminders for incomplete training
4. Escalate non-completion to management

Step 4: Ongoing Awareness Activities

Objective: Maintain security awareness beyond formal training

Awareness Program Components:

| Activity | Frequency | Purpose |
|---|---|---|
| Security Reminders | Monthly | Reinforce key topics (per §164.308(a)(5)(ii)(A)) |
| Phishing Simulations | Quarterly | Test and improve recognition |
| Newsletter/Updates | Monthly | Current threats, policy updates |
| Poster Campaigns | Quarterly rotation | Visual reminders in work areas |
| Tabletop Discussions | Semi-annually | Scenario-based team discussions |

Security Reminder Topics (12-Month Rotation):

| Month | Topic |
|---|---|
| January | Password security and MFA |
| February | Phishing recognition |
| March | Clean desk and physical security |
| April | Mobile device security |
| May | Incident reporting |
| June | Social engineering awareness |
| July | Patient privacy (minimum necessary) |
| August | Email security |
| September | Secure remote work |
| October | Cybersecurity Awareness Month |
| November | Vendor and third-party security |
| December | Year-end compliance review |

Step 5: Training Documentation and Reporting

Objective: Maintain evidence of training program compliance

Documentation Requirements:

| Document | Content | Retention |
|---|---|---|
| Training Records | Completion dates, scores, certificates | 6 years |
| Training Materials | Content, version, approval date | Current + prior version |
| Policy Acknowledgments | Signed acknowledgment, date | 6 years |
| Assessment Results | Quiz scores, remediation if needed | 6 years |
| Awareness Activity Records | Dates, participants, topics | 6 years |

Reporting Metrics:

| Metric | Target | Frequency |
|---|---|---|
| Training Completion Rate | 100% | Quarterly |
| On-Time Completion | 95% | Per training cycle |
| Phishing Simulation Click Rate | <5% | Quarterly |
| Training Satisfaction Score | >4.0/5.0 | Per training |
| Policy Acknowledgment Rate | 100% | Annual |

Deliverables

| Deliverable | Format | Owner |
|---|---|---|
| Training Needs Assessment | Document | SBK Consultant |
| Training Content (customized) | LMS/SCORM modules or slides | SBK + Client |
| Training Schedule | Calendar/Plan | HR/Compliance |
| Completion Reports | LMS export/Excel | HR/Compliance |
| Awareness Materials | Emails, posters, newsletters | SBK/Marketing |
| Training Effectiveness Report | Quarterly summary | Compliance Officer |

Quality Gates

  • Training content covers all HIPAA Security Rule training requirements
  • Role-specific training aligned with job responsibilities
  • Training tracked in system of record
  • 100% completion rate for active workforce
  • New hires complete training within 14 days
  • Annual refresher training completed by all workforce
  • Training records retained for 6+ years
  • Phishing simulation results trending positively

Last Updated: February 2026
Parent SOP: hipaa-gap-sop.md