HIPAA Security Awareness Training Compliance Checklist
The HHS Office for Civil Rights (OCR) breach portal - the public "wall of shame" listing healthcare data breaches affecting 500 or more individuals - has been dominated by phishing-led incidents for several reporting cycles. The pattern is so consistent that any covered entity or business associate operating in 2026 without a documented phishing simulation program is, statistically, betting against the modal breach. HIPAA's Security Rule was written before phishing simulation existed as a category, but its language about "security awareness and training" is now interpreted by investigators with phishing front of mind.
The relevant HIPAA citation
The applicable text is in 45 CFR 164.308(a)(5), the Security Awareness and Training standard. It requires covered entities and business associates to "implement a security awareness and training program for all members of its workforce (including management)." The standard names four addressable implementation specifications:
- Security reminders - periodic communications about security (164.308(a)(5)(ii)(A)).
- Protection from malicious software - procedures for guarding against, detecting and reporting malicious software (164.308(a)(5)(ii)(B)).
- Log-in monitoring - procedures for monitoring log-in attempts and reporting discrepancies (164.308(a)(5)(ii)(C)).
- Password management - procedures for creating, changing and safeguarding passwords (164.308(a)(5)(ii)(D)).
"Addressable" in HIPAA does not mean optional. It means the entity may either implement the specification, implement an equivalent alternative or document why the specification is not reasonable and appropriate - with the latter two paths bearing significant burden. OCR's posture in enforcement has consistently been that addressable specifications are expected to be implemented unless the entity has a documented, defensible alternative.
Where phishing simulation fits
Phishing simulation is not named in 164.308(a)(5). It is, however, the most direct way to demonstrably address all four specifications:
- Security reminders - every campaign is, in effect, a behavioral reminder.
- Protection from malicious software - phishing is the modal delivery channel for ransomware and credential theft, both of which lead to malware deployment.
- Log-in monitoring - credential phishing is precisely the attack pattern log-in monitoring exists to detect.
- Password management - password-reset and credential-handling phishing patterns directly support the password-management specification.
Combined with the broader HHS data showing phishing as the leading initial-access vector in PHI breaches, simulation has effectively become the default method by which covered entities demonstrate operating workforce-security competence. OCR has cited absence of documented phishing testing as a contributing factor in resolution-agreement language.
What a HIPAA-aligned awareness program looks like
The 2026 minimum-credible program for covered entities and business associates:
- A written security awareness policy approved by management, covering scope, frequency, content and roles. Reviewed annually.
- New-hire training within a documented window of starting (typically 30 days), with completion records.
- Continuous phishing simulations at quarterly minimum, monthly preferred, across email, SMS and voice channels. Healthcare environments face all three vectors - front-desk staff are heavily targeted by SMS and voice in particular.
- Auto-assigned remediation training for users who fail simulations. Behavior-triggered training at the moment of click satisfies the "security reminders" specification with measurable behavior change.
- Topical micro-modules on rotating subjects: password and MFA hygiene, PHI handling, social engineering, device security, incident reporting, malicious software and (newly) AI-generated phishing.
- Coverage of all workforce members - employees, contractors, volunteers, trainees, management and business-associate personnel as applicable.
- Documented training delivery with completion records retained for at least six years per HIPAA's documentation retention requirement (164.316(b)(2)(i)).
- Periodic effectiveness review with metrics reported to leadership.
The healthcare-specific wrinkles
Three considerations that change a HIPAA program relative to a general-purpose one:
- Front-desk and clinical staff are heavily targeted. Patient-portal credential phishing, fake insurance verification calls and EHR password-reset smishing all hit clinical staff disproportionately. Templates need to reflect healthcare-context pretexts, not just generic banking and shipping themes.
- BYOD and shared workstations. Many clinical environments rely on shared workstations and personal devices. Awareness content needs to address the risks specific to multi-user environments - not just single-user device hygiene.
- Patient communication. Staff need to know how to recognize a phishing call posing as a patient, and how to handle suspicious patient-channel messages without violating PHI handling rules in the response.
The Bait & Phish template library includes content adapted for healthcare environments, and the platform supports five intent categories at three difficulty levels with multi-language coverage - useful in healthcare environments with diverse workforces. Contact us to scope healthcare-specific deployment.
The risk analysis tie-in
HIPAA's risk analysis requirement (45 CFR 164.308(a)(1)(ii)(A)) is the foundational standard from which most other Security Rule controls derive. A defensible awareness program ties back to a documented risk analysis that names phishing and social engineering as identified risks, and points to the awareness program as part of the risk-management response.
This isn't a paperwork exercise. OCR has been explicit, in multiple resolution agreements and guidance documents, that risk analysis must be ongoing - refreshed when threats change, when systems change and when evidence (like a phishing-led incident) suggests existing controls are inadequate. The tie between risk analysis and awareness training should be visible: the risk analysis identifies phishing as a specific threat, the risk-management plan names training as a control and the training program produces evidence the control is operating.
Practical implication: when you update your awareness program (adding SMS coverage, increasing campaign frequency, adopting AI-template generation), update the risk analysis at the same time. It's a small operational discipline that materially strengthens the audit position.
Business associates: the often-ignored half
Business associates have the same Security Rule obligations as covered entities, including 164.308(a)(5). In practice, business associate awareness programs are inconsistent - small business associates often run minimal annual training and have no documented phishing simulation program. This is a problem on two fronts.
- For the covered entity: the business associate agreement (BAA) typically requires the business associate to maintain HIPAA-compliant safeguards. A business associate breach traceable to inadequate awareness training is a contractual exposure for the covered entity, not just for the business associate.
- For the business associate: OCR enforcement has reached business associates directly, and the patterns of findings match those for covered entities - annual-only training, no phishing testing, coverage gaps.
Both sides benefit when business associate awareness programs are scoped, documented and tested with the same rigor as covered entity programs. For business associates without their own platform, Bait & Phish supports BAA-backed deployment and HIPAA-aligned reporting.
OCR investigation evidence
If OCR opens an investigation - whether in response to a breach notification or a complaint - the documentation requests around training are predictable. Be ready to produce:
- Written security awareness policy with version history.
- Training curriculum and content samples.
- Roster or export of training delivery and completion across the workforce, by name and date, for the period under investigation.
- Phishing simulation campaigns conducted during the period, with dates, target populations, click rates and reporting rates.
- Evidence of remediation for users who failed simulations or were involved in the incident under investigation.
- New-hire training records for any employees hired during the period.
- Risk analysis and risk management documentation referencing the workforce security control.
- Reporting to the privacy or security officer with cadence and format.
Common HIPAA awareness-training findings
- Annual-only training with no documented intervening reinforcement.
- No phishing testing at all, or sporadic email-only testing.
- Coverage gaps - contractors, volunteers, executives or business-associate workforce members not included.
- Stale policy not updated to reflect current threats (smishing, vishing, AI-generated phishing).
- No completion tracking - training is delivered but completion isn't recorded.
- No remediation - users who fail simulations get no follow-up training.
- No retention discipline - required six-year retention not maintained.
Where Bait & Phish fits for HIPAA
Bait & Phish supports HIPAA-aligned awareness programs across covered entities and business associates of every size. The platform provides continuous monthly phishing simulations across email, SMS and voice, auto-assigned remediation training the moment a user clicks, multi-language content and a single-PDF export covering campaigns, completion, coverage and metrics for any audit window - including six-year retention to satisfy 164.316(b)(2)(i). New-hire training delivers automatically, and coverage tracking flags gaps before an OCR request does.
If your HIPAA risk analysis flagged awareness training as a gap, or if you've outgrown an annual-video program, start a free trial with up to 25 users - no credit card - and run your first month of compliant training and a phishing simulation in the same week. For full deployment to a healthcare environment, see pricing or contact us to discuss scope, BAA and rollout.
State law overlay
HIPAA establishes a federal floor; many US states impose additional or stricter requirements that affect how a healthcare awareness program must be structured.
- State breach-notification laws (California, Texas and others) often have shorter timelines than HIPAA's 60-day window. Awareness content needs to teach staff how to recognize and escalate potential breaches with the speed those laws demand.
- State-specific privacy laws (e.g., the Texas Medical Records Privacy Act, New York SHIELD Act, California's CMIA) extend protections beyond HIPAA in specific ways and require corresponding training nuance for staff in those jurisdictions.
- Cybersecurity regulations in some states (notably the New York DFS regulation 23 NYCRR 500 and equivalents) layer additional training expectations on top of HIPAA for organizations that fall under both frameworks.
For multi-state and multi-jurisdiction healthcare organizations, the practical answer is a single core curriculum that meets the highest applicable bar, with a small jurisdiction-specific module layered on for staff in stricter-regulated states. Bait & Phish supports group-segmented training assignment so jurisdictional add-ons can target the right cohorts without duplicating the entire curriculum.
See also: Phishing training compliance comparison across SOC 2, HIPAA, PCI DSS, NIST CSF, ISO 27001, GDPR and NIS2 - side-by-side table of clauses, expected cadence and audit posture.
This post is informational and does not constitute legal or compliance advice. Consult counsel and your privacy and security officers for binding guidance on your HIPAA program.