HIPAA training, tracked to done — $1 per test through August 31, 2026.
HIPAA training is an annual requirement for every workforce member of a covered entity. RCMTask assigns training as an owned, due-dated task, walks each staff member through the curriculum, captures the quiz and the signed attestation, stores the certificate in your compliance binder, and surfaces overdue staff on the dashboard. Pricing: $250 Activation plus $9 per training test — $1 per test during our introductory launch through August 31, 2026. One test covers one workforce member for their annual training cycle.
$1 per test through Aug 31, 2026 · Certificates retained 6 years · BAA on every paid tier
HIPAA workforce training, in plain language.
A covered entity must train all members of its workforce on policies and procedures with respect to protected health information (PHI), as necessary and appropriate for them to do their jobs. The HHS Office for Civil Rights does not mandate a specific course or duration — but it does mandate the documentation. Annual refresh is the industry standard. New hires must complete training within a reasonable period of joining.
Who counts as "workforce"?
Workforce includes employees, volunteers, trainees, and any other person whose conduct in the performance of work is under your direct control — regardless of whether they are paid. That means your hourly front-desk staff, your part-time medical assistant, your volunteer intern, and the receptionist who fills in on Saturdays are all in scope.
What the 2026 Security Rule update changes
The 2026 update to the HIPAA Security Rule emphasizes role-based training tied to access privileges and stronger documentation requirements. The practical change for most small practices: keep the certificate, keep the quiz results, keep the attestation — and be able to produce them on demand. Spreadsheets that get overwritten do not satisfy this expectation. A platform with an immutable audit trail does.
Why standalone training tools are the worst kind of compliance debt.
Cheap individual courses ($15–$30 per person) solve the "we need to do training" problem and create three new ones — administration, drift, and audit fragility. By the time you have eight staff members, two new hires a year, and one OCR question, the standalone training tool has cost you more than the integrated alternative.
Admin time you do not have
Industry-average estimates put the admin overhead of a standalone training platform at 5–10 hours per month: sending reminders, exporting completion reports, reconciling against the staff roster. For a practice manager already running payroll, that is a real tax.
Disconnected from the compliance program
A training tool that lives outside your policies, your BAA, and your audit trail produces "completion records" — not a defensible compliance program. When OCR asks, you have to manually stitch three sources together.
Audit fragility
An auditor wants to see who was trained, on which content version, when, with proof of attestation, against which policies in force at the time. Standalone training tools rarely capture the policy version — and the version chain is exactly what proves "we were doing the right thing on the day the incident occurred."
Assign. Take. Pass. Certified.
Each workforce member sees their training assignment on the same dashboard they use for every other task. They take the training, pass the quiz, sign the attestation, and the certificate lands in your compliance binder — without anyone exporting a CSV.
Assign
Pick a curriculum (HIPAA Awareness, role-specific modules, the annual refresh) and assign it to one person, a group, or every staff member. Each assignment is a tracked task with a due date.
Take
The staff member walks through the slides, takes the quiz, and signs the attestation in their RCMTask dashboard. A minimum view-time gate prevents the "skip to the quiz" pattern.
Certified
On pass, the certificate is generated automatically, time-stamped with the policy version in force, and stored in your compliance binder for the HIPAA-mandated six-year retention period. The next annual assignment fires automatically.
The exact records to produce on demand.
When the HHS Office for Civil Rights investigates a complaint or selects a practice for an audit, the training-related ask is consistent. Here is what they want — and where RCMTask stores it.
| OCR asks for | Where RCMTask stores it |
|---|---|
| List of all workforce members trained in the past year | Compliance binder → training register |
| Date of completion per workforce member | Per-employee certificate |
| Content version in force at the time | Module supersession chain |
| Quiz score / proof of comprehension | Attempt log + signed attestation |
| Policies the training covers | Cross-linked from binder policies (with version) |
| Retention for 6 years | Retained automatically; export as PDF |
RCMTask vs. cheap courses vs. compliance platforms.
There are good reasons to pick a $20 individual course (a single contractor doing one-time training). There are good reasons to pay $300/month for a compliance platform (a 50-person clinic with a dedicated compliance officer). For most small medical practices, RCMTask sits between them — at a price point and integration depth neither extreme can match.
| RCMTask | Cheap courses (TeachMeHIPAA, HIPAATraining.com) | Compliance platforms (Medcurity, Compliancy Group) | |
|---|---|---|---|
| Per-test (per-employee) fee | $1 intro · $9 standard | $15–$30/person/year | Bundled |
| Typical 3-yr cost (8-person practice) | $274 intro · $466 standard | ~$431 ongoing | $1,497–$10,800 |
| Track completion centrally | ✔ | — | ✔ |
| Automatic annual refresh | ✔ | — | ✔ |
| Linked to compliance policies | ✔ | — | ✔ |
| BAA on file | Yes (paid tiers) | Usually no | Yes |
| Records release, denials, prior auth also tracked | ✔ | — | — |
| Survives an OCR audit | ✔ | ? | ✔ |
What changes for your practice.
- 100% of staff trained on schedule — overdue staff surface automatically
- Audit-ready training records, exportable as PDF
- $1 per test through Aug 31, 2026 — a fraction of standalone training vendors
- Training tied to the policies in force on the training date
- New-hire onboarding fires the assignment automatically
- One dashboard for HIPAA training plus eligibility, prior auth, denials, records release
Common questions about HIPAA training
How often is HIPAA training required?
HIPAA does not name a specific frequency, but annual training is the industry-accepted standard and what most auditors expect. New workforce members must be trained within a reasonable period of joining. Training is also required after a material change to policies or to applicable law.
Who must take HIPAA training at a medical practice?
All workforce members. That includes employees, contractors under your direct control, volunteers, trainees, and part-time staff — regardless of pay status or schedule. Independent contractors operating under their own policies (e.g., a billing company) are typically Business Associates, not workforce.
What does RCMTask's HIPAA training cover?
A standard HIPAA Awareness curriculum covering the Privacy Rule, the Security Rule, the Breach Notification Rule, workforce sanction policy, and the practice's own policies as applied on activation. Role-based add-ons (front desk, billing, clinical) are also available.
Is RCMTask training enough on its own, or do we still need to do something separately?
RCMTask's curriculum is designed to satisfy the standard annual workforce training requirement. Some practices supplement with role-specific clinical training, OSHA training, or state-specific privacy training — RCMTask tracks those as additional task assignments alongside the HIPAA module.
How much does the HIPAA training module cost?
RCMTask's HIPAA training module is $250 Activation plus $9 per training test. Our introductory launch offer of $1 per test runs through August 31, 2026. One test covers one workforce member through their annual training cycle (curriculum + quiz + signed attestation + certificate). Re-quiz attempts after a failed pass are free. Compare to standalone training vendors at $17.95–$30 per person per course, billed annually — and a covered entity has to do this every year. Confirm current pricing in-app before purchase.
How do we prove training to an auditor?
Export the training register from your compliance binder. The export shows each workforce member, the curriculum version they completed, the completion date, the quiz score, the signed attestation, and the policies in force at the time. The file is suitable as-is for an OCR document request.
What if a staff member fails the quiz?
They retake. RCMTask logs each attempt with the date, score, and module version. The task stays open until pass; the audit trail shows the path to competency, not just the final result.
Does training reset automatically each year?
Yes. On the anniversary of completion, RCMTask creates a new training task assigned to the workforce member with a due date. Optional: configure your reminder cadence (default is 30, 14, and 3 days before due).
The wider compliance program.
HIPAA compliance →
The umbrella program — policies, BAA, risk analysis, compliance binder.
Medical records release →
Track every records request to the 30-day HIPAA deadline with a full audit trail.
Security & trust →
Encryption, audit trail, MFA, and subprocessors — what procurement teams ask for.
Free training tracker template →
A free spreadsheet to track HIPAA annual training across your workforce. Use it today, graduate to RCMTask when an OCR audit looms.
Train your team — and prove it.
Start free with demo data. Activate ($250) to assign training to your real staff and get audit-ready records the same day.