How Often Should Compliance Training Be Conducted? A Complete Schedule Guide

Most compliance training should be conducted annually for the bulk of your workforce, with key exceptions: harassment training in California is biennial for non-supervisors, OSHA 10 and 30 don’t expire but should be refreshed every three years, and HIPAA expects retraining “within a reasonable time” after any policy change. The right cadence depends on the topic, the state, and the role.

Skipping the wrong refresher can erase an affirmative defense or trigger automatic violations during an audit. Here’s a topic-by-topic schedule that holds up under inspection.

Why Does Frequency Matter So Much for Compliance?

Frequency matters because regulators evaluate “currency” of training, not just whether it ever happened. The EEOC and federal courts both treat training older than 24 months as functionally outdated for harassment claims. OSHA inspectors expect to see retraining whenever workplace conditions, equipment, or procedures change. HIPAA enforcement under HHS-OCR explicitly weighs training currency in penalty calculations.

There’s also a behavioral half. The forgetting curve — Hermann Ebbinghaus’s classic research, replicated in hundreds of studies since — shows that without reinforcement, learners lose roughly 70% of new information within a week and 90% within a month. Annual reinforcement isn’t ideal, but it’s the floor that most compliance programs settle on as a tradeoff between effectiveness and cost. The complete 2026 onboarding compliance training guide covers the day-one piece, where the highest behavioral payoff happens.

What’s the Required Cadence for Sexual Harassment Training?

Federal law doesn’t mandate sexual harassment training — but state law does in at least seven jurisdictions, with different cadences. California (SB 1343, AB 1825) requires harassment training every two years: 2 hours for supervisors, 1 hour for non-supervisors, at employers with 5+ employees. New York requires annual training for all employees at every employer in the state, and New York City layers on additional bystander content for employers with 15+ employees. The NY harassment training frequency guide covers the calendar mechanics.

Illinois requires annual training under SB 75 (2020). Connecticut requires every two years. Maine, Delaware, and Washington each have their own variants. The California recertification tracking piece explains how multi-state employers handle the calendar without overtraining or undertraining anyone — a real headache for HR teams managing 6+ states.

Practical advice: train annually for everyone, regardless of state minimum. Annual training satisfies every state requirement and dodges the “stale training” problem in litigation. The national sexual harassment course is one of the courses we point clients to as a baseline they can deploy across all states. The annual harassment training NY checklist walks through the documentation each completion needs.

How Often Is OSHA Training Required?

OSHA’s training rules are scattered across dozens of standards, but the pattern is consistent: initial training, retraining when conditions change, and topic-specific refresh schedules. Hazard Communication (1910.1200) requires retraining whenever a new chemical hazard is introduced. Lockout/Tagout (1910.147) requires periodic inspections at least annually with retraining as needed. Powered industrial trucks (forklifts, 1910.178) require retraining at least every three years and after any incident.

OSHA 10 and OSHA 30 cards don’t formally expire under federal law, but most states and many GCs require renewal every three to five years. The OSHA 10 frequency guide covers the state-by-state variation, and the OSHA 30 update guide covers the longer course. The OSHA 10 General Industry course is what most general-industry employers use for the foundational round.

Bloodborne Pathogens (1910.1030), Respiratory Protection (1910.134), and Confined Space (1910.146) all explicitly require annual retraining. PPE training (1910.132) requires retraining when the assessment changes or when an employee fails to demonstrate understanding. The administrative rule of thumb: annual baseline, with topic-specific refreshers when something changes.

How Often Should HIPAA Training Be Conducted?

HIPAA, under 45 CFR 164.530(b), requires the covered entity to train all workforce members “within a reasonable period of time after the person joins the workforce” and “to each member of the workforce whose functions are affected by a material change in the policies or procedures.” The regulation doesn’t say “annual” — but enforcement practice does.

HHS-OCR routinely cites organizations whose training is older than 12–18 months as deficient under the workforce training standard. Most healthcare employers settle on annual training plus event-driven refreshers (after a breach, after a policy change, after major Privacy Rule or Security Rule guidance updates). The HIPAA Privacy Compliance course is what most clinics, hospitals, and business associates use to satisfy the workforce-training requirement.

One overlooked requirement: HIPAA training applies to volunteers, students, and contractors who handle PHI — not just W-2 employees. The annual cadence applies to anyone “whose functions are affected” by the policies. Audit trails for these populations are where HIPAA training programs most often fall short.

What About Cybersecurity and Data Privacy Training?

Cybersecurity training has shifted from “nice to have” to functionally required. Sarbanes-Oxley, HIPAA, GLBA, PCI-DSS, NYDFS Part 500, and the new SEC cybersecurity disclosure rules all expect documented workforce training on phishing, social engineering, and data handling. Most frameworks expect annual training plus quarterly micro-modules or simulated phishing exercises.

The annual baseline isn’t enough on its own. Threat patterns change faster than annual training cycles. Mature programs run a 30-minute annual module on policies plus monthly 5-minute reinforcement on specific tactics — a recent vendor scam, a new ransomware vector, a notable breach in the same industry. The general cybersecurity course is the kind of foundational baseline that pairs well with monthly micro-content.

For employers handling EU residents’ data under GDPR, training is mandatory under Article 39, with no specific frequency — but supervisory authorities expect annual at minimum, with role-based depth for IT, HR, and customer support staff who handle subject access requests. New York’s mandatory annual compliance rules cover financial-services employers under NYDFS Part 500. The NY mandatory annual rules piece walks through the New York stack.

How Should Onboarding Training Differ From Annual Refreshers?

Onboarding training is the highest-ROI moment in the entire compliance program. New hires expect heavy training, they’re paying attention, and the topics map directly to behavior they’re about to start performing. Use the first 30 days to push the most material content — anti-harassment, code of conduct, safety, data handling, and the company-specific policies that don’t apply at any other employer. The onboarding best practices guide walks through the standard 30-60-90 framework.

Annual refreshers should be lighter, more scenario-driven, and focused on changes since last year. Think 30 minutes per topic instead of 90, with current-year case studies instead of foundational definitions. Employees who’ve been through five anti-harassment trainings shouldn’t sit through the basic definition of “quid pro quo” a sixth time — they should work through realistic scenarios that test edge cases. The Understanding HR Compliance course is a good baseline foundation; deeper modules layer on top.

Get Your Team Trained — Without the Paperwork Headache

The right cadence is different for every topic — but managing six different schedules across hundreds of employees is where most programs break down. Coggno’s marketplace handles assignment cadence and renewal tracking in one place, with audit-ready completion records.

For most employers, three courses cover the highest-frequency requirements: Sexual Harassment in the Workplace (National) on an annual cycle, HIPAA Privacy Compliance annually for healthcare and business associates, and General Cybersecurity Training annually for everyone with a corporate login.

Frequently Asked Questions About Compliance Training Frequency

Is annual compliance training enough?

For most employers in most states, yes — annual is the practical baseline. But certain topics need more: cybersecurity benefits from monthly micro-content, and any topic with a state-specific change (California PAGA, NY workplace violence, Illinois bystander) needs an event-driven refresh whenever the law changes. Annual training plus event-driven refreshers is the cadence that holds up under audit.

Do I have to retrain employees who change roles internally?

Often yes, depending on the new role. An employee moving from accounting to operations needs role-specific OSHA and PPE training within 30 days of the move, even if they had the corporate-wide annual training. HIPAA requires retraining whenever functions change relative to PHI access. Document the role change and assign the appropriate training in the LMS.

What’s the minimum legal training schedule for a small employer?

For a 25-person small employer in a low-regulation state, the minimum is essentially annual harassment training (where required), HIPAA training if you handle PHI, OSHA training proportional to your actual hazards, and a cybersecurity baseline. That’s a $50–150 per employee per year program at marketplace prices, well within reach for almost any small business.

Can I conduct compliance training quarterly instead of annually?

Yes, and many high-performing programs do. Splitting an annual 4-hour curriculum into four 1-hour quarterly sessions improves retention and creates four documented training events per year per employee. The trade-off is administrative overhead — four assignments and four completion windows instead of one. The retention gain usually justifies the extra coordination.

What happens if an employee misses their annual training deadline?

Treat it like any other policy violation: documented reminder, escalation to supervisor, then progressive discipline if non-compliance continues. The risk of letting it slide is two-fold — the employee’s training lapses (creating a Faragher–Ellerth exposure) and the documented pattern of non-enforcement weakens the entire program in litigation. Auto-escalation rules in the LMS are the cleanest fix.

How do I handle training for seasonal or temporary workers?

Same way you handle full-time employees, scaled to the work. A seasonal worker in a warehouse still needs OSHA hazard communication, PPE, and emergency action plan training before stepping onto the floor — the regulatory requirement doesn’t care about W-2 vs 1099. Streamline by pre-assigning the training as a hire-step in the LMS so completion is automatic before access is granted.

Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.