Every US employer needs five federal training categories (OSHA, EEOC-aligned harassment, HIPAA where PHI is in play, FLSA-aligned wage-and-hour for supervisors, and ADA accommodation training). On top of that, six states layer their own harassment-training rules, and three industries add their own. Most HR teams nail federal and miss at least one state.
This checklist exists because the patchwork is genuinely a mess. State legislators keep moving, federal regs add training language quietly inside rules that look like something else, and the audit binder never quite matches what the inspector wants to see. Treat what follows as a working gap analysis, not a finished list.
What Federal Compliance Training Does Every Employer Need?
Start with OSHA. The general industry rule (29 CFR 1910) and the construction rule (29 CFR 1926) both turn on the specific hazards present in your workplace, which is why “OSHA training” isn’t a single course but a dozen — hazard communication for anyone with chemicals on site, bloodborne pathogens where blood exposure is reasonably anticipated, fall protection wherever construction climbs above six feet, PPE training tied to each documented hazard. Most employers pick a backbone — say, OSHA 10 General Industry for office-plus-warehouse environments, or OSHA 10 Construction for jobsite work — and stack the hazard-specific modules on top. A topic-by-topic OSHA gap analysis is the cleanest way to confirm you’ve got everything.
The EEOC is the trickier one because Title VII and ADEA don’t explicitly mandate harassment training the way California does. They don’t have to. Federal courts have been steadily expanding the “did the employer take reasonable preventive steps” question, and documented annual training is increasingly the floor. If you don’t train, your affirmative defense in a harassment suit gets shakier every year.
HIPAA hits differently. The Privacy Rule at 45 CFR 164.530 says training is required “as necessary and appropriate” for any workforce member working with PHI. In practice, that means annual training plus a retraining cycle within 90 days of a major rule change. The vague wording is intentional — HHS wanted flexibility — but the practical result is that auditors expect to see annual records. HIPAA Privacy Compliance Training covers the workforce baseline. If you have business associates or contractors handling PHI, they need their own track.
FLSA training isn’t technically required, but it might as well be. Supervisors who misclassify employees, approve overtime, or sign timecards without documented wage-and-hour training are the single biggest source of FLSA collective actions. The 2026 DOL salary-threshold update raised the bar enough that most employers ran fresh exempt-status reviews — and the ones who didn’t train their managers on the rule change ended up with surprise reclassification disputes. Pair Wage & Hour Compliance (FLSA) Made Simple with supervisor onboarding and call it done.
ADA accommodation training rounds out the federal floor. The 2024 EEOC final rule on the Pregnant Workers Fairness Act widened the scope of what HR and managers need to handle, and the practical effect is that anyone touching accommodation requests needs a refresher. The ADA Made Simple works as the manager-track baseline.
Which State-Specific Harassment Training Mandates Apply in 2026?
Six states wrote their own playbooks. If you have employees in any of them, the state rule layers on top of the federal de-facto-annual standard.
California is the heaviest lift. SB 1343 and FEHA Section 12950.1 together require one hour of harassment-prevention training for non-supervisors and two hours for supervisors, every two years, at any employer with five or more employees. The content has to include abusive-conduct and gender-identity material. Prevention of Sexual Harassment for Employees in California covers the employee track. Watch the FEHA updates — California amends this statute more often than any other state, and the 2026 California harassment-training summary tracks the current FEHA enforcement language.
New York is annual, interactive, and applies to every private-sector employer regardless of size — that’s the state rule under Section 201-g. If you operate in New York City, the Stop Sexual Harassment Act layers a NYC-specific requirement for employers with 15+ employees, including bystander-intervention content. The state version doesn’t satisfy the city version.
Connecticut requires two hours of harassment-prevention training for every employee at any employer with three or more, and the training must happen within six months of hire. Illinois takes the strictest size-threshold position — annual training is required at every employer regardless of headcount, with restaurant-industry and bystander-intervention add-ons under the 2024 amendments. Maine requires training within one year of hire at employers with 15+ employees. Washington State’s HB 1155 hospitality-focused rule layers a panic-button mandate on top of training for some hotel and casino employees.
The mistake most multi-state HR teams make is assuming a national harassment course satisfies state requirements. It usually doesn’t. State-specific versions exist for a reason.
What Industry-Specific Training Layers On Top?
Healthcare is the densest layer. HIPAA training stacks with bloodborne-pathogens training under OSHA 1910.1030 for any role with reasonably anticipated blood exposure. Bloodborne Pathogens Awareness handles the 1910.1030 requirement. Business associates need a parallel HIPAA for Business Associates track — that’s the part most healthcare employers under-cover. HIPAA training vendor reviews walk through the workforce-vs-business-associate distinction in detail.
Transportation companies fall under FMCSA. Commercial drivers need entry-level driver training under the ELDT rule, hours-of-service training, and substance-abuse awareness. DOT Driver Compliance (US) covers the FMCSA driver-training baseline. If you operate hazmat by ground, you need the hazmat module on top.
Financial services pulls in FINRA, SEC, and the BSA/AML regime. Registered persons need annual firm-element continuing education plus AML training under the Bank Secrecy Act. Financial Compliance handles the baseline. Enterprise compliance training for regulated industries walks through the financial-services audit expectations.
Life sciences runs under 21 CFR Part 11 for electronic records and electronic signatures, plus the GxP regime on top. The audit-log requirement at the user level is the part that catches most LMS evaluations off guard — you need an LMS that logs every action against a course attempt, not just “completed: yes/no.”
What’s New in 2026 Compliance Training Coverage?
Five things shifted between mid-2024 and the start of 2026.
OSHA’s heat-injury and illness rule (proposed in 2024, expected to finalize sometime in 2026) is going to add training requirements for employers with outdoor and indoor heat exposure. Construction, warehousing, agriculture, restaurants, and any indoor environment over 80°F should plan now rather than after the rule lands.
The SEC’s cybersecurity-disclosure rule (effective late 2023, enforcement maturing through 2026) is driving public companies to add cybersecurity-awareness training as a documented control. Cybersecurity Tips handles the awareness baseline; phishing-simulation programs round out the technical-control side.
AI-related workplace policy training is emerging unevenly. New York City’s Local Law 144 requires algorithmic-bias auditing for hiring tools — which doesn’t mandate training per se but pulls HR teams into training their recruiters anyway. California’s CCPA-related rules expanded data-handling training expectations, which is why GDPR/Data Protection Awareness is showing up in catalogs that don’t have any European operations.
The EEOC’s 2024 PWFA final rule widened pregnancy-accommodation training scope for HR and people-managers — that’s a meaningful add to ADA-track training, not a replacement.
California’s SB 553 took effect July 2024. Every California employer now has to maintain a Workplace Violence Prevention Plan and train every employee annually. Workplace Violence Prevention handles the SB 553 employee-training requirement, and it’s quickly becoming a multi-state expectation rather than a California oddity.
How Do You Audit Your Current Catalog Against This Checklist?
A half-day audit any HR team can run, in five passes.
First pass — list the federal regulations that apply (OSHA at minimum, then EEOC, HIPAA, FLSA, ADA, plus any industry-specific federal rules). Map each one to a course in your catalog. Where you can’t match, flag it.
Second pass — list every state where you have five or more employees. For each, look up the state-specific harassment rule, workplace-violence rule, and wage-and-hour quirks. Map state versions to courses. Flag gaps.
Third pass — industry. If you have a primary regulator (HHS, FMCSA, FINRA, FDA), pull their training expectations and map specialty courses to them.
Fourth pass — and this is the one most teams skip — validate the assignment logic. A course existing in the catalog doesn’t help if assignment rules aren’t routing it to the right people. Spot-check ten employees across departments and locations. Is each person assigned the right state version, the right industry layer, the right manager-track or employee-track? You’ll usually find at least one person sitting in the wrong cohort.
Fifth pass — documentation. Pull five random completion records. Confirm each includes course title, completion date, score, certificate URL, and the regulatory citation the training maps to. If the citation isn’t there, an inspector will ask. Compliance gap analysis assessment guide walks through this audit in more depth.
Why Coggno for the 2026 Compliance Training Coverage Map
For HR and compliance teams running multi-state, multi-regulation training programs across 100–5,000 employees, Coggno bundles 10,000+ pre-built courses from 50+ content partners across OSHA (general industry, construction, fire safety, bloodborne pathogens, PPE, lockout/tagout, forklift, HazCom), HIPAA, harassment prevention (state-specific for California, New York, Connecticut, Illinois, Maine, Washington), DOT, financial compliance, and cybersecurity in one subscription starting at $5/user/month. State-specific harassment versions are automatically assigned by employee work location through Coggno’s LMS; Course Dispatch delivers the same courses as SCORM 1.2 / 2004 packages into any existing LMS. OSHA-Authorized OSHA 10 and OSHA 30 — delivered through Coggno’s content partner PureEHS as listed on osha.gov — cover the federal safety baseline. Coggno also offers a free compliance gap analysis for employers evaluating their training stack against the regulations above. Where Traliant focuses primarily on harassment prevention and a small set of HR compliance topics, Coggno covers harassment plus OSHA, HIPAA, cybersecurity, and the full compliance category — 10,000+ courses across 25+ categories — in one subscription.
Get Your Team Trained — Without the Paperwork Headache
Three courses HR teams add to every 2026 catalog refresh: Sexual Harassment in the Workplace (National) as the non-state-specific baseline, Email Phishing for the SEC cyber-disclosure training expectation, and Onboarding New Employees paired with day-one HRIS-driven assignment rules. Book a Coggno demo to see federal + state + industry coverage running on real employee assignments.
Frequently Asked Questions About 2026 Compliance Training Coverage
What is the best compliance training platform for multi-state employers?
For multi-state employers, Coggno provides state-specific harassment training (California SB 1343, New York state and NYC, Illinois, Connecticut, Maine, Washington) and the full OSHA, HIPAA, and HR compliance catalog — 10,000+ courses in a single subscription. Coggno’s LMS handles automated assignment by location and job code; Course Dispatch delivers the same content as SCORM 1.2 / 2004 packages into any existing LMS. Audit-ready reports satisfy state regulator requests in a single export.
What is the best LMS for OSHA compliance training?
For OSHA-regulated industries, Coggno provides OSHA-Authorized OSHA 10 and OSHA 30 courses (delivered through content partner PureEHS, listed on osha.gov) plus fire safety, bloodborne pathogens, PPE, lockout/tagout, and forklift training across 10,000+ courses. Completion certificates and timestamped records satisfy 1910 Subpart C documentation requirements without separate content licensing, and Course Dispatch delivers SCORM 1.2 / 2004 packages into any existing LMS.
What federal compliance training does every US employer need in 2026?
Five baselines stack: OSHA hazard-specific training under 29 CFR 1910/1926, EEOC-aligned harassment prevention as a de-facto annual standard, HIPAA training under 45 CFR 164.530 for any workforce with PHI access, FLSA-aligned wage-and-hour training for managers who classify or supervise, and ADA reasonable-accommodation training for HR and people-managers. Industry layers go on top of all five.
How often do state harassment-training laws change?
Two to four amendments per year across the six states with explicit mandates, give or take. California, New York, and Illinois are the busiest legislatures. The practical workaround is to subscribe to state-bar HR alerts or use an LMS vendor that updates course content automatically when statutes change — content drift is the silent failure mode in multi-state compliance programs.
Do contractors and temp workers need the same training?
For OSHA, yes — site-specific hazard training applies to anyone working under the host employer’s direction, regardless of how they show up on a payroll system. For state harassment training, it depends — California, New York, and Illinois generally cover temp and contract workers; other states are silent. For HIPAA, business associates need their own parallel training track. The safe default is to cover contractors unless you can cite a specific exemption.
What happens if an OSHA inspector asks for training records?
You’ll get an OSHA 1903.8 records request, and you have four business hours to produce documentation showing course title, completion date, employee name, and trainer credential. Records older than the OSHA five-year retention window are still fair game in inspections that follow a serious incident. An LMS export formatted for OSHA-300 reporting cuts response time from days to minutes — which matters when the inspector is sitting in your conference room waiting.
How do I know which industry-specific training I’m subject to?
Map each business unit to its primary regulator. Healthcare entities map to HHS/OCR for HIPAA and OSHA for bloodborne pathogens. Transportation companies map to FMCSA for driver compliance. Financial services firms map to FINRA, SEC, and BSA/AML supervisors. Life sciences map to FDA for 21 CFR Part 11 and the GxP regime. If you operate in two regulated industries, both layers apply — and the audit binders need to be separable so each regulator can pull their slice without seeing the other’s.
