
hipaa training

1 post with the tag “hipaa training”

HIPAA §164.308(a)(5) Training: Documentation, OCR Audits, and the Six-Year Rule


HIPAA security awareness training is a mandatory Administrative Safeguard under the HIPAA Security Rule. Every covered entity and every business associate must run a training program for all members of its workforce, including management, and the documentation must survive OCR audits that can sample records going back six years.

The rule itself is short. The expectations around it are not. Covered entities that treat HIPAA training as a fifteen-minute annual video tend to learn this the hard way, usually during a breach investigation or a Resolution Agreement that costs six or seven figures.

For an end-to-end breakdown of the §164.308(a)(5) framework, see our HIPAA security awareness training framework guide. This post focuses on what OCR investigators actually sample during an audit.