In connection with my privacy and data security training business, TeachPrivacy, I was recently asked whether I had a list of the various laws, regulations, and industry codes that require privacy and/or data security training. I know about a number of training requirements, but didn’t have a formal list. I realized that such a list would be useful, so I created one with the help of Joe Newman, a former student who now does some work for my company.
It provides information about each requirement, citations, and quotations of the relevant provisions. Below is a summary. If there are any training requirements we missed, please let me know.
HIPAA Privacy and Security Rules
HIPAA requires a covered entity to train all workforce members on its policies and procedures with respect to PHI. Each new workforce member must be trained within a reasonable period of time after hiring. Thereafter, training must be given whenever there is a material change in policies or procedures. See 45 CFR § 164.530(b)(1).