The Health Insurance Portability and Accountability Act (HIPAA) regulations contain an administrative requirement in the HIPAA Privacy Rule (45 CFR § 164.530) and another administrative requirement in the HIPAA Security Rule (45 CFR § 164.308).

The HIPAA Privacy Rule specifies that training should be “as necessary and appropriate for members of the Workforce to carry out their functions”. However, the rule gives no specific details of what constitutes HIPAA training requirements.

It is therefore up to the medical or dental practice to choose which training procedure fits its needs. Generally, HIPAA training should be provided to (i) employees who are initially joining the practice and (ii) other regular employees on an annual basis.

The Federal Office of Civil Rights (OCR), a section of HHS, is charged with enforcing HIPAA requirements. Therefore, each medical or dental practice should keep a record of how often and when HIPAA training is provided to its employees, so that the practice has documentation to show to the OCR if it is ever audited.