TL;DR: HIPAA training is not optional — it’s legally required under both the Privacy Rule and Security Rule. Penalties for training failures range from $141 to $2.13M per violation, and OCR has levied multi-million dollar settlements specifically citing inadequate training. Medcurity includes HIPAA training tracking and documentation in every plan starting at $499/year.
  • $2.13M: maximum penalty per training violation
  • 95%: share of breaches that involve human error
  • $499: Medcurity training tracking, per year
Track HIPAA training compliance across your entire workforce. Medcurity automates training documentation and reminders.


Is HIPAA Training Legally Required?

Yes — HIPAA training is mandated by two separate rules:

The Privacy Rule (45 CFR 164.530(b)) requires covered entities to train all members of their workforce on the organization’s policies and procedures with respect to PHI. Training must occur within a reasonable period after a person joins the workforce and whenever material changes are made to policies.

The Security Rule (45 CFR 164.308(a)(5)) requires both covered entities and business associates to implement a security awareness and training program for all members of their workforce, including management.

Critical distinction: “Workforce” under HIPAA includes employees, volunteers, trainees, and any other person whose conduct is under the direct control of the organization — whether or not they are paid. Contractors working on-site may also need training.

HIPAA Training Penalty Tiers

OCR enforces HIPAA training requirements through the same penalty structure as other HIPAA violations. However, training failures are particularly dangerous because OCR often treats them as willful neglect — meaning your organization knew training was required and failed to provide it.

Penalty Tier   Culpability                        Per Violation              Annual Max
Tier 1         Did not know                       $141 – $71,162             $2,134,831
Tier 2         Reasonable cause                   $1,424 – $71,162           $2,134,831
Tier 3         Willful neglect (corrected)        $14,232 – $71,162          $2,134,831
Tier 4         Willful neglect (not corrected)    $71,162 – $2,134,831       $2,134,831

Each untrained employee represents a separate violation. If you have 50 employees and none have been trained, that’s 50 separate violations — each subject to the penalty tiers above. This is how training penalties escalate into the millions quickly.

Real-World HIPAA Training Enforcement Actions

OCR has consistently penalized organizations where training failures contributed to breaches:

  • Memorial Healthcare System ($5.5 Million settlement): Failed to train workforce on access controls; employees accessed PHI of 115,143 patients without authorization.
  • Anthem Inc. ($16 Million settlement): Inadequate security awareness training contributed to the largest healthcare data breach (78.8M records).
  • Premera Blue Cross ($6.85 Million settlement): Training gaps identified as a contributing factor in a breach affecting 10.4M individuals.
  • Children’s Medical Center Dallas ($3.2 Million settlement): Repeated failure to train staff on device security; multiple unencrypted device losses.
  • University of Mississippi Medical Center ($2.75 Million settlement): Lack of training on password management and access controls led to unauthorized access.

Don’t become the next enforcement example. Medcurity helps you document, track, and prove your training compliance.


What HIPAA Training Must Cover

Privacy Rule Training Topics

  • What constitutes Protected Health Information (PHI)
  • Permitted uses and disclosures of PHI
  • The minimum necessary standard
  • Patient rights (access, amendment, accounting of disclosures)
  • Your organization’s specific Notice of Privacy Practices
  • Breach identification and reporting procedures
  • Sanctions for HIPAA violations

Security Rule Training Topics

  • Password management and multi-factor authentication
  • Phishing and social engineering recognition
  • Workstation and mobile device security
  • Email and messaging security
  • Physical security of PHI
  • Incident reporting procedures
  • Remote work and telehealth security

How to Document HIPAA Training for OCR

Documentation is just as important as the training itself. During an OCR investigation, you must be able to prove:

  • Who was trained (complete workforce roster with training status)
  • What topics were covered (training content and curriculum)
  • When training occurred (dates with timestamps)
  • How comprehension was verified (quiz scores, acknowledgments)
  • Follow-up for employees who missed training or failed assessments

Pro tip: Paper sign-in sheets are the weakest form of training documentation. OCR investigators look for evidence that employees actually understood the material, not just that they attended. Digital training platforms with quiz scores and completion certificates are significantly stronger evidence.

Automate Your HIPAA Training Compliance

Medcurity’s HIPAA compliance platform includes built-in training tracking, automated reminders for annual renewals, completion documentation, and audit-ready reports — all starting at just $499/year.


Frequently Asked Questions

What are the penalties for not training employees on HIPAA?

Penalties range from $141 to $2,134,831 per violation. Each untrained employee can constitute a separate violation. OCR often treats training failures as willful neglect, which carries the highest penalty tiers.

Has anyone been fined for lack of HIPAA training?

Yes. Notable settlements include Memorial Healthcare System ($5.5M), Anthem ($16M), Premera Blue Cross ($6.85M), and Children’s Medical Center Dallas ($3.2M) — all with training deficiencies cited as contributing factors.

Is HIPAA training legally required?

Yes. Both the Privacy Rule (45 CFR 164.530(b)) and Security Rule (45 CFR 164.308(a)(5)) mandate training for all workforce members.

How often must HIPAA training be provided?

Training must be provided upon hire and whenever policies change. Annual refresher training is strongly recommended and expected by OCR as a best practice.

What should HIPAA training cover?

PHI definitions, permitted disclosures, minimum necessary standard, patient rights, breach reporting, password management, phishing recognition, device security, and your organization’s specific policies.
