An employee has refused to complete their HIPAA training. Maybe they said they “already know HIPAA,” that the training is a waste of time, that they are too busy, or that they simply will not do it. Whatever the stated reason, you are now in a position where a member of your workforce who handles protected health information has not completed the training HIPAA requires — and every day that persists, your practice’s compliance exposure grows.
Why This Is Not a Minor HR Issue
HIPAA training is not optional. Under 45 CFR 164.530(b)(1), covered entities are required to train all members of their workforce on the policies and procedures relevant to their job functions. Under 45 CFR 164.308(a)(5), the Security Rule independently requires security awareness training for the entire workforce. The word “required” is not ambiguous. OCR does not accept “the employee refused” as an explanation for why a workforce member was not trained.
When OCR investigates a complaint or breach, one of the first things they request is training records. If they discover an employee who handles PHI was not trained — for any reason — the practice is cited for a training deficiency. The employee’s refusal does not transfer liability to the employee. The obligation to train belongs to the covered entity, and the covered entity bears the consequences for failure.
Your Obligations Under HIPAA
HIPAA establishes two parallel obligations that apply when an employee refuses training. First, the training requirement itself: you must provide training that is appropriate to each workforce member’s role, documented, and repeated when material changes occur. Second, the sanction requirement: under 45 CFR 164.530(e)(1), you must apply appropriate sanctions against workforce members who fail to comply with your HIPAA policies and procedures. If your policies require training completion (and they should), an employee who refuses training is violating your policies — and your sanction policy must be applied.
The Sanction Escalation Framework
An effective response follows a documented escalation path that demonstrates both your commitment to compliance and fair treatment of the employee:
Step 1: Formal Written Notice
Issue a written notice to the employee stating that HIPAA training is a mandatory condition of employment for any workforce member who handles PHI, that refusal to complete training violates the practice’s HIPAA policies, and that specific consequences will follow if training is not completed by a stated deadline. Be specific about the deadline — give the employee a reasonable timeframe (typically 5 to 10 business days) but make it clear that the deadline is firm. Have the employee sign acknowledging receipt. If they refuse to sign, note the refusal with a witness signature.
Step 2: Accommodation Assessment
Before escalating further, assess whether there is a legitimate barrier you can address. Does the employee have a learning disability that makes the training format inaccessible? Is there a language barrier? Is the training platform difficult to navigate? Are scheduling conflicts genuinely preventing completion? Accommodating legitimate barriers demonstrates good faith and may resolve the situation without disciplinary action. What you cannot accommodate is a blanket refusal to complete training that the employee is capable of completing.
Step 3: Restriction of PHI Access
If the deadline passes without completion, restrict the employee’s access to PHI. An untrained workforce member handling protected health information is an active compliance violation. Reassign the employee to duties that do not involve PHI access until training is completed. Document the reassignment, the reason, and the conditions for restoration of full duties. This step serves dual purposes: it demonstrates that you are taking immediate action to protect patient information, and it creates a tangible consequence that often motivates compliance.
Step 4: Progressive Discipline
If the employee continues to refuse, apply progressive discipline consistent with your sanction policy and employment practices. This may include a formal written warning placed in the personnel file, suspension without pay, and ultimately, termination. Each step must be documented with the date, the specific policy violated, the employee’s response, and the individuals involved in the decision.
Documentation Requirements
Documentation is your primary defense if this situation leads to an OCR investigation or an employment dispute. Maintain records of every training opportunity provided to the employee, including dates, format, and duration. Record every communication about the training requirement, including the initial assignment, reminders, and formal notices. Document the employee’s stated reasons for refusal, each sanction applied and the reasoning, and any accommodations offered. HIPAA requires that training records be maintained for six years from the date of creation or the date last in effect. These records should be integrated into your broader compliance training program documentation.
Can You Terminate an Employee for Refusing HIPAA Training?
In most circumstances, yes. HIPAA training is a legitimate job requirement for any position that involves access to PHI, and an employee who refuses a legitimate job requirement is subject to termination under standard employment law principles. However, consult with an employment attorney before terminating, particularly in any of these situations: the employee has raised concerns that could be construed as a protected activity (a whistleblower complaint, a discrimination claim, etc.); the employee is in a protected class and the refusal may be related to a disability or religious objection; the employee has an employment contract or is covered by a collective bargaining agreement that restricts termination; or your state has specific requirements for progressive discipline before termination.
At-will employment, which applies in most states, generally permits termination for refusal to meet job requirements. But the safest path is always documented progressive discipline that demonstrates you gave the employee every reasonable opportunity to comply.
The Ripple Effect: Impact on Your Compliance Program
An untrained workforce member is not an isolated problem. If that employee is involved in a breach, the fact that they were not trained will be cited as a contributing factor — and it will increase your penalty exposure. OCR’s penalty tiers explicitly consider whether the violation resulted from willful neglect, and allowing an untrained employee to continue handling PHI after they refused training comes dangerously close to that standard.
Additionally, other employees observe how you handle non-compliance. If one employee refuses training without meaningful consequences, others will question whether training is truly mandatory. Consistent enforcement of your training requirements sets the tone for your entire compliance culture.
Preventing Training Refusals
Most training refusals stem from training programs that employees find irrelevant, excessively long, or disrespectful of their time. Investing in training that is role-specific, scenario-based, and concise reduces resistance significantly. Make training completion a documented condition of employment from the first day — include it in your offer letter and onboarding checklist. When training is presented as a non-negotiable professional obligation (like maintaining a license or completing continuing education), refusals are rare.
Can an employee claim a religious or philosophical exemption from HIPAA training?
HIPAA training is a regulatory compliance requirement, not a medical or public health intervention. Religious or philosophical exemptions that may apply in other contexts (such as vaccination requirements) generally do not apply to regulatory compliance training. If an employee raises a religious objection to specific training content (for example, content involving reproductive health scenarios), the appropriate response is to evaluate whether a reasonable accommodation exists that satisfies the training requirement while respecting the objection — not to waive training entirely. Consult with an employment attorney if this situation arises.
What if a physician or provider refuses HIPAA training?
Physicians and other licensed providers are subject to the same HIPAA training requirements as all other workforce members. Their clinical expertise does not exempt them from compliance training. In fact, providers who access the most sensitive patient information arguably have the greatest training obligation. Apply the same escalation framework — written notice, deadline, access restriction, and progressive discipline. If the provider is an owner or partner, the dynamic is more complex, but the compliance obligation remains the same. OCR does not distinguish between employee and owner when evaluating training deficiencies.
How do I document training refusal if the employee will not sign anything?
If an employee refuses to sign a written notice or training acknowledgment, have a witness present when you deliver the document. The witness signs a statement confirming that the notice was delivered, the date and time, and that the employee refused to sign. Send a copy of the notice via email as well, creating a timestamped electronic record. The refusal to sign does not invalidate the notice — what matters is that you can demonstrate the employee received it and was given a reasonable opportunity to comply.