What are my obligations for training?

While most people do an annual training on general HIPAA requirements, the regulations require that you train on specific policies and procedures relative to each workforce member to do their job. Training needs to be on your own policies and procedures, not just general knowledge of HIPAA. Every workforce member needs to be trained within a reasonable period of time when they start your organization; for sensitive information such a psychotherapy information, training should occur before access to PHI. You also need to train anytime that you have a breach.