How to keep your OSHA and HIPAA compliance programs updated

So you’ve instituted an OSHA and HIPAA compliance program in your office, great! The next step is to maintain it and keep it up to date. You may be thinking: why, and how often, do I need to update my documentation and posters, redo training, and so on? OSHA and HIPAA have different requirements on this; see below.

Note: this article does not cover new-hire training (which OSHA mandates within 10 business days of hire and which HIPAA requires “within a reasonable period of time”). That is a separate subject and will be covered in another post.


OSHA is broken down into various standards – the Bloodborne Pathogens Standard, Hazard Communication Standard, Fire Prevention, Emergency Action, Workplace Violence Prevention, etc. In the regulations, each standard actually has its own training and documentation upkeep requirements, but in general they mandate:

  1. At minimum, an annual review of documentation, with updates whenever there are regulatory changes or changes in the office that would trigger a documentation update
  2. Annual re-training of staff members on the OSHA standards applicable to their job responsibilities


Similar to OSHA, HIPAA is broken down into two main Rules – the Privacy Rule and Security Rule. Both have specific training requirements.

Privacy Rule

The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). The Privacy Rule states that training must be provided to “each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce” and to “each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures […] within a reasonable period of time after the material change becomes effective.” Basically, the Privacy Rule requires new-hire training, plus re-training whenever a regulatory change or a change in the office (e.g. new computer systems) triggers an update to your HIPAA policies and procedures.

Security Rule

The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5). The Security Rule requires a security awareness and training program for all workforce members, including “periodic security updates.” The Security Rule doesn’t define what “periodic” means or when and how often people must be trained. Nor does it define what the periodic security updates must consist of.

Our recommendations

While OSHA is pretty clear on an annual cycle for review and updates of documentation and training, HIPAA is more ambiguous. For both compliance programs, however, we recommend annual updates. An annual cadence for this review is a good industry guideline, and it ensures this important information is not forgotten or allowed to age. Policies change, and can change often, so getting into the habit of reviewing your compliance programs every year will help you stay up to date.

Our services

Our packages come with four years of service support, including free annual updates, making the maintenance of your OSHA and HIPAA compliance packages simple! Every year during your support period we’ll email you to let you know that your update is available for download through our website.

For more information, feel free to contact us.