
What HIPAA Training Do Web Designers and Developers Actually Need?

By Joseph Abear ·

No federal regulation requires web designers or developers to complete a specific HIPAA training course or hold a HIPAA certification. What the law requires is that Covered Entities and Business Associates train their workforce members under 45 CFR § 164.308(a)(5) and § 164.530(b), and a contracted developer who handles protected health information (PHI) can fall inside that workforce obligation. The market expectation is broader than the legal requirement: healthcare clients increasingly ask agencies and freelancers for documented training before signing, so understanding both layers matters.

TL;DR: Quick answer

  • The Security Rule requires security awareness training for "all members of its workforce" at every Covered Entity and Business Associate (45 CFR § 164.308(a)(5)); the Privacy Rule adds policy training for Covered Entity workforces (45 CFR § 164.530(b)).
  • "Workforce" under 45 CFR § 160.103 includes employees, volunteers, and trainees whose conduct is under the entity's direct control, which can capture embedded contractors; an independent agency handling PHI is instead a Business Associate with its own training duty for its own staff.
  • There is no official government HIPAA certification for individuals or companies; HHS confirms this, so third-party certificates are training evidence, not legal status.
  • Training must be documented and retained for six years under 45 CFR § 164.316(b)(2)(i).
  • Developers building for healthcare clients should know the technical safeguards at 45 CFR § 164.312: access control, audit controls, integrity, authentication, and transmission security.

What does the regulation actually require?

Two provisions govern training. The Security Rule's administrative safeguards require a security awareness and training program for all workforce members, with addressable implementation specifications covering security reminders, malicious software protection, log-in monitoring, and password management (45 CFR § 164.308(a)(5)). This provision applies to both Covered Entities and Business Associates. The Privacy Rule separately requires Covered Entities to train workforce members on privacy policies and procedures "as necessary and appropriate" for their functions (45 CFR § 164.530(b)).

Neither provision names a curriculum, an hour count, a vendor, or an exam. The standard is functional: training appropriate to the person's role, documented, delivered to new workforce members within a reasonable time, and refreshed when material changes occur. Records proving who was trained and when must be kept for six years (45 CFR § 164.316(b)(2)(i)).

Where do developers fit: workforce member or Business Associate?

The distinction drives whose training program covers you.

  • Embedded contractor. A developer working under a clinic's direct control, using its systems and policies, can qualify as a workforce member under 45 CFR § 160.103. The clinic must then train that developer like an employee.
  • Independent agency or freelancer. An agency that builds or maintains a site handling PHI on a client's behalf is a Business Associate under 45 CFR § 160.103. It must sign a BAA (45 CFR §§ 164.308(b), 164.504(e)), comply with the Security Rule directly, and run its own § 164.308(a)(5) training program for its own staff. HHS OCR can enforce against the agency itself.
  • No PHI contact. A designer producing only a brochure site with no PHI-collecting forms, no patient portal, and no access to production data is generally neither, though clients may still contractually require training. The same role analysis applies to marketing agencies serving healthcare clients.

What should HIPAA training for developers cover?

A role-appropriate program for web professionals goes beyond the generic "what is PHI" module. It should map directly to the technical safeguards at 45 CFR § 164.312 and the way websites actually leak data:

  • Recognizing electronic PHI (ePHI) in web systems: form submissions, database tables, server logs, error traces, analytics payloads, email notifications, and backups.
  • Encryption mechanics: TLS for data in transit and encryption at rest per 45 CFR § 164.312(a)(2)(iv) and (e), including why a contact form that emails plaintext submissions fails this standard.
  • Access control and audit logging: unique user IDs, least privilege, and audit controls under § 164.312(a) and (b), applied to CMS admin accounts, SSH access, and deployment pipelines.
  • Non-production hygiene: never copying production PHI into staging or local environments without the same safeguards; using synthetic test data.
  • Third-party scripts and tracking: how analytics pixels and chat widgets create disclosure risk on authenticated pages, an area reshaped by the AHA v. HHS ruling (N.D. Tex. 2024) that vacated part of OCR's tracking guidance.
  • Client-side attack vectors: threats like clickjacking and cross-site scripting that compromise patient-facing pages on otherwise hardened servers.
  • Breach recognition and reporting: the four-factor risk assessment at 45 CFR § 164.402 and the Business Associate's duty to report incidents to the Covered Entity under the BAA and 45 CFR §§ 164.400-414.
  • BAA mechanics: what the agency promised contractually, including subcontractor flow-down BAAs for hosts and form processors.
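As an added illustration of the leak vectors at the top of that list (server logs, error traces and email notifications carrying form content), and not code from the original article: a small Python contact-form handler that logs only a redacted record, scrubs identifier-shaped values from any free-text log message, and notifies staff with a reference ID rather than the submission itself. The field names, regex patterns and sample submission are constructed for the example.

```python
import io
import logging
import re

# Form fields a patient-facing contact form typically collects; treated as ePHI here.
# Constructed for this example, not an exhaustive list of HIPAA identifiers.
PHI_FIELDS = {"name", "dob", "ssn", "mrn", "email", "phone", "message"}
# Identifier-shaped values that can surface in free text (tracebacks, error messages).
PHI_PATTERNS = [(re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
                (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
                (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]")]
# Constructed sample submission; not real patient data.
SAMPLE = {"name": "Jane Doe", "dob": "1980-04-12",
          "message": "Need a follow-up for my prescription", "page": "/contact"}

def redact_submission(fields: dict) -> dict:
    """Copy of the submission with ePHI values removed; non-PHI metadata kept."""
    return {k: "[REDACTED]" if k.lower() in PHI_FIELDS else v for k, v in fields.items()}

def redact_text(text: str) -> str:
    """Scrub identifier-shaped values from free text before it reaches a log."""
    for pattern, label in PHI_PATTERNS:
        text = pattern.sub(label, text)
    return text

class PhiRedactingFilter(logging.Filter):
    """Rewrites each record's rendered message so no handler or log file sees raw ePHI."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # already rendered; stop the formatter from interpolating again
        return True

def build_notification(submission_id: str) -> str:
    """Staff email carries only a reference to the stored submission, never its content."""
    return f"New patient inquiry received. Reference: {submission_id}. View it in the portal."

def handle_submission(fields: dict, submission_id: str, log: logging.Logger) -> str:
    """Log a redacted record of the submission and return the notification email body."""
    log.info("form submitted id=%s fields=%s", submission_id, redact_submission(fields))
    return build_notification(submission_id)

def capture_log(fn) -> str:
    """Run fn(logger) against an in-memory handler wearing the filter; return its output."""
    buf = io.StringIO()
    log = logging.Logger("contact-form")  # standalone logger, outside the global registry
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PhiRedactingFilter())
    log.addHandler(handler)
    fn(log)
    return buf.getvalue()
```

This covers only what leaves the application through logs and mail; storing the submission itself still needs the at-rest encryption and access controls the list describes.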

Developers should also understand the infrastructure layer their code sits on. Our guides on making WordPress HIPAA compliant and HIPAA hosting security measures cover the stack-level controls a training course rarely teaches.

Is there an official HIPAA certification for developers?

No. HHS does not certify individuals, courses, products, or companies as HIPAA compliant, and no government program exists for it. Third-party offerings such as "Certified HIPAA Professional" courses, HITRUST CSF assessments, and SOC 2 Type II reports are private attestations. They can be useful evidence of a training program and security posture, but none confers legal compliance status. Any vendor claiming a site or person is "HIPAA certified" is using marketing language, not a regulatory category.

How should an agency evaluate third-party HIPAA courses?

Since no course is official, judge them on substance:

  • Does it cover the Security Rule technical safeguards (45 CFR § 164.312) with web-specific examples, or only Privacy Rule basics aimed at front-desk staff?
  • Does it produce completion records you can retain for six years per 45 CFR § 164.316(b)(2)(i)?
  • Is it updated for current developments, such as the proposed Security Rule update published January 6, 2025 (still a proposal as of June 2026) and the 2026 penalty figures?
  • Does it avoid claiming the certificate itself makes anyone compliant?

A two-hour generic course plus internal, role-specific procedures usually serves an agency better than an expensive certificate with a compliance-sounding name.

Training is one safeguard among many

Training satisfies one administrative safeguard. A Business Associate agency still needs a documented risk analysis (45 CFR § 164.308(a)(1)(ii)(A)), signed BAAs up and down the chain, and BAA-covered infrastructure for anything touching ePHI. Our HIPAA-compliant hosting guide covers the full stack. hipaacomplianthosting.com provides managed HIPAA hosting on AWS; that is our business, and agencies often build client sites on our HIPAA-compliant WordPress hosting so the platform safeguards and BAA are already in place.

Frequently asked questions

Is HIPAA training legally required for freelance web developers?

Not by name. If the freelancer is a Business Associate, they must comply with the Security Rule, which includes training their own workforce under 45 CFR § 164.308(a)(5); a solo freelancer effectively self-trains and documents it.

How often must HIPAA training be repeated?

The rules require training for new workforce members, after material changes to policies or systems, and periodic security reminders under 45 CFR § 164.308(a)(5)(ii)(A). Annual refreshers are the common industry practice, not an explicit federal mandate.

Does a HIPAA certificate make my agency compliant?

No. Compliance depends on a risk analysis, implemented safeguards under 45 CFR §§ 164.308-312, BAAs, and documentation. A certificate only evidences that training occurred.

Do developers need training if they never see patient data?

Not under HIPAA, if they genuinely have no PHI access and are not workforce members of a Covered Entity or Business Associate. Many healthcare clients require basic training contractually anyway.

Who gets penalized if a trained developer causes a breach?

HHS OCR enforces against the Covered Entity or Business Associate, not the individual developer, with 2026 penalties up to $73,011 per violation and an annual cap of $2,190,294 per provision (45 CFR § 102.3). The entity may then have contractual remedies against the developer.

This article is general information, not legal advice. Consult counsel about your training obligations, and base your safeguards on a documented risk analysis. Reviewed June 2026.

Sources