For a Covered Entity to be HIPAA-compliant, it is essential all members of the workforce are trained on the Covered Entities policies and procedures for safeguarding PHI. The training should be tailored “as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”, and must be provided within a reasonable period of time after a new employee, joins the Covered Entities workforce (see 45 CFR § 164.530).
Further HIPAA training must also be provided whenever a material change in the Covered Entity´s policies and procedures affect an employee´s role. If the material change only affects a small group of the workforce, only those who the material affects need to undergo HIPAA training. However, if the material change affects all the workforce (i.e., there is a change in breach notification procedures), all employees will have to undergo refresher training.