The Administrative requirements of HIPAA (§ 164.530) indicate that a covered entity must train all members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
A covered entity must provide training to each member of the covered entity’s workforce no later than the compliance date for the covered entity.
Each new member of the workforce must be trained within a reasonable period of time after the person joins the covered entity’s workforce.
A covered entity must train each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures within a reasonable period of time after the material change becomes effective.
A covered entity must document that the training has been provided.