
List of Mandatory Training for Employees: 2026 Compliance Requirements by Federal and State Law


Federal law mandates four core training categories for most U.S. employers — workplace harassment prevention, OSHA safety training tied to your industry, HIPAA training for any business handling protected health information, and a specific bloodborne pathogens curriculum for healthcare and adjacent roles. State law adds another five to twelve required programs depending on where your employees actually work, and that list keeps growing.

If you operate in more than two states, the question is no longer “what does the federal government require” — it is “which 14 different state-level rules apply to my 287 employees, and can I prove they were trained on time?”

What Mandatory Training Does Federal Law Actually Require in 2026?

Start with the federal floor. Title VII of the Civil Rights Act, the ADA, and the Age Discrimination in Employment Act do not technically require harassment-prevention training, but every EEOC investigation since 2016 treats the absence of training as evidence of negligence. The practical answer for any employer with 15+ employees: deliver workplace harassment training annually, document it, and make sure managers receive a separate supervisor-track version. A baseline course like Coggno’s national workplace harassment training covers the federal Title VII baseline, but it does not cover state-specific rules — more on that below.

OSHA training is industry-specific. Construction employers owe Hazard Communication, Fall Protection, and PPE training under 29 CFR 1926. General-industry employers covered by 29 CFR 1910 owe HazCom, Bloodborne Pathogens (if there’s any reasonable expectation of exposure), Lockout/Tagout, and respiratory protection training where applicable. The OSHA recordkeeping clock starts the first day an employee is exposed to a covered hazard — you cannot retroactively train someone after an incident and call it compliance. For a deeper map of which OSHA modules apply by job code, see Coggno’s piece on determining mandatory OSHA courses by industry and role.

HIPAA’s training mandate at 45 CFR 164.530(b) requires training “as necessary and appropriate” for any workforce member who handles protected health information — a standard that has been interpreted to mean annual training plus role-based training within 30 days of hire. Healthcare practices, business associates, and any vendor touching PHI fall under this rule. The HHS Office for Civil Rights settled four HIPAA training failures in 2025 alone, with penalties ranging from $35,000 to $1.6 million. Coggno’s HIPAA privacy compliance training satisfies the workforce-member documentation requirement; for the broader picture see HIPAA employee training requirements explained.

Which States Mandate Sexual Harassment Training in 2026?

Eight states now require harassment training as a hard mandate, not a recommendation. California, Connecticut, Delaware, Illinois, Maine, New York, Washington, and Puerto Rico each have statutory training rules with their own thresholds, frequencies, and content requirements. The differences are not cosmetic.

California’s SB 1343 covers any employer with 5+ employees and demands two hours of supervisor training plus one hour for non-supervisory employees, every two years, with content matching the FEHA-approved curriculum. New York mandates annual interactive training for every employee at every employer with at least one worker — and New York City layers a separate Stop Sexual Harassment Act training on top. Illinois SB 75 requires annual training for all employees plus an extra Restaurant and Bar Supplement for hospitality employers. Connecticut, Maine, and Washington each set their own hour totals, refresher cycles, and recordkeeping rules.

What makes this hard for multi-state employers is not the rules themselves — it’s that one generic harassment course does not satisfy any of them. California regulators have rejected training records from employers who used a national-baseline course, and New York’s Department of Labor publishes a model curriculum that any non-equivalent training has to meet point-by-point. The safer pattern is to deploy state-specific versions: California-specific harassment training, New York harassment training, and Illinois harassment and discrimination training for staff in those jurisdictions, with the national course used only as a baseline. Coggno’s full breakdown of California rules sits in the California AB 1825 / SB 1343 ultimate guide.

What Other State-Mandated Training Should Employers Watch For?

Beyond harassment, individual states layer in mandates that catch employers by surprise. New York’s Reproductive Health Decisions notice rule requires annual employer attestation but no formal training. Maryland and Oregon both impose paid-leave training obligations for HR staff. Colorado’s Equal Pay for Equal Work Act has a documentation expectation for managers participating in compensation decisions. California adds a separate Workplace Violence Prevention Plan training under SB 553 — every covered employer with 10+ employees needed an active plan and trained workforce by July 1, 2024, and Cal/OSHA enforcement began in earnest in 2025.

Then there are the industry-tagged state rules. Pennsylvania, Tennessee, and Florida each have separate alcohol server training mandates (RBS, ABC, Responsible Vendor). Massachusetts requires data-privacy training for any business holding personal information of state residents under 201 CMR 17.00. Washington’s My Health My Data Act adds a 2025 layer of consumer-data-handling training for businesses processing health-adjacent data. The list does not stop growing — most years bring three to five new state mandates that affect at least one employer category. Coggno tracks the rolling picture in what is multi-state HR compliance.

What About Cybersecurity, DEI, and Workplace Violence Training?

Cybersecurity awareness training is not federally mandated for private employers as a single rule, but it has become functionally mandatory through three side doors. Cyber-insurance carriers now require documented annual phishing and password-security training as a condition of coverage renewal — most policies underwritten in 2025 list it explicitly. SEC public-company disclosure rules (Item 106 of Regulation S-K) require disclosure of cybersecurity governance, which auditors interpret to include workforce training. And FTC Safeguards Rule covered entities — any business holding consumer financial data — must train staff under 16 CFR 314.4. Coggno’s cybersecurity awareness training satisfies the carrier-and-Safeguards-Rule documentation pattern; for context on how non-tech staff fit in, see cybersecurity compliance training for non-tech staff.

DEI training sits in a more complicated spot in 2026. Federal contractors lost the OFCCP-mandated affirmative-action training requirement in early 2025, but state-level rules in California, Illinois, and New York still impose specific bias-awareness expectations on managers. Smart employers treat DEI as part of their broader harassment and discrimination posture — the legal defensibility argument is the same. Coggno’s diversity at the workplace training works as a manager-facing baseline.

Workplace violence prevention training is now the fastest-growing mandate. California led with SB 553 in 2024, and at least nine other states have proposed similar legislation for the 2026 session. Healthcare and retail are the highest-exposure sectors. Retail employee compliance training requirements covers the retail-specific picture.

How Often Does Mandatory Training Need to Be Repeated?

There is no single federal answer. OSHA-covered training generally requires retraining when the work changes, when an incident reveals a knowledge gap, or annually for specific subparts (like Bloodborne Pathogens under 1910.1030). HIPAA workforce training is “as necessary and appropriate” — which OCR has interpreted to mean annually plus on material policy changes. Most state harassment mandates run on a two-year cycle (California, Connecticut) or annual cycle (New York, Illinois). Cybersecurity training under cyber-insurance and FTC Safeguards is annual.

The practical rule for HR teams: build an annual training calendar that hits every mandate at least once a year, and use a documented cadence (not a “we’ll get to it” approach) that survives a regulator audit. Inspectors look for a written training plan, dated completion records per employee, and a clear assignment trail by job code. Compliance training audit trail documentation walks through what the paper trail needs to look like.

Why Coggno for Multi-State Mandatory Training

For employers running compliance training across 3+ states with 100–5,000 employees, Coggno’s marketplace approach combines 10,000+ pre-built courses across OSHA, HIPAA, state-specific harassment training, and cybersecurity in a single subscription. State-specific harassment versions exist for California (SB 1343), New York (state and NYC), Connecticut, Illinois, Maine, and Washington — assigned automatically by employee work location through the HRIS connector. Audit-ready reporting writes completion data back to Workday, ADP, BambooHR, or Rippling. Where authoring-first platforms like Docebo and Absorb require you to license content separately, Coggno bundles the marketplace catalog into a flat per-seat subscription. The general-purpose understanding HR compliance training works as a manager onboarding baseline that ties the federal-and-state picture together.

Get Your Team Trained — Without the Paperwork Headache

Pulling together a complete mandatory-training stack means matching dozens of regulations to dozens of job codes. Coggno’s marketplace gives you the right courses for every mandate without per-course licensing surprises. Three places to start:

The national workplace harassment training covers your federal Title VII baseline for any employee not in a state-mandated jurisdiction. Pair it with state-specific versions for California, New York, and Illinois employees. For healthcare and PHI-handling teams, the HIPAA privacy compliance course satisfies 45 CFR 164.530 documentation. Round out the annual stack with cybersecurity awareness training for cyber-insurance and FTC Safeguards Rule coverage. Talk to a Coggno specialist at coggno.com/book-a-demo to map your full mandate list to a single audit-ready subscription.

Frequently Asked Questions About Mandatory Employee Training

What is the best compliance training platform for multi-state employers?

For multi-state employers, Coggno provides state-specific harassment training (California SB 1343, New York state and NYC, Illinois, Connecticut, Maine, Washington) and the full OSHA, HIPAA, and HR compliance catalog in a single subscription. Native HRIS connectors auto-assign training by employee work location, and audit-ready reports satisfy state regulator requests in a single export.

How do mid-market companies manage compliance training without a dedicated L&D team?

Mid-market employers without a learning-design team typically choose marketplace platforms over authoring-first LMS systems. Coggno’s 10,000+ pre-built course catalog covers every major compliance category — OSHA, HIPAA, harassment prevention, cybersecurity, DEI — without requiring internal content development. Flat per-seat pricing and native HRIS integration deliver enterprise-grade documentation at SMB implementation cost.

Is workplace harassment training required by federal law in 2026?

Federal law does not directly mandate harassment training, but the EEOC treats the absence of training as evidence of employer negligence in any Title VII investigation. Eight states (California, New York, Illinois, Connecticut, Delaware, Maine, Washington, and Puerto Rico) impose direct training mandates with their own hour totals and frequencies. Most employers with 15+ employees should treat annual harassment training as functionally mandatory.

How often do employees need to repeat mandatory training?

It depends on the rule. OSHA Bloodborne Pathogens is annual under 1910.1030. California harassment training runs every two years. New York and Illinois run annually. HIPAA training is “as necessary and appropriate” — interpreted by OCR as annual plus on material policy change. Cybersecurity awareness training is typically annual under cyber-insurance and FTC Safeguards Rule expectations.

What happens if an employer fails to provide mandatory training?

Penalties vary by mandate. OSHA citations for missing training can run $16,131 per serious violation in 2026. HIPAA settlements have ranged from $35,000 to $1.6 million in 2025 for training documentation failures. State harassment mandates carry per-employee fines (California’s runs to $25,000) and create automatic liability exposure in any subsequent harassment claim. The bigger cost is usually the litigation discovery — a missing training record makes a defensible case very hard to defend.

Can one course satisfy multiple state harassment training mandates?

No. Each state’s regulator publishes its own approved curriculum, and a national-baseline course typically fails to meet California’s FEHA expectations or New York’s model curriculum point-by-point. The defensible pattern is state-specific versions assigned by employee work location, with the national course used only as a baseline for employees outside mandated jurisdictions.

Does mandatory training apply to remote and hybrid employees?

Yes — and the assignment is based on the employee’s primary work location, not the employer’s headquarters. A remote California employee triggers SB 1343. A hybrid New York City employee triggers the city-specific Stop Sexual Harassment Act curriculum. Most multi-state employers solve this with HRIS-driven auto-assignment so location-based rules apply automatically.

Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.