Under HB300, mandatory customized employee training regarding state and federal patient privacy and security laws is required. Training must cover federal and state regulatory requirements as well as include the covered entity’s course of business and employees’ scope of employment as it relates to PHI use and disclosure.
Employees of covered entities must complete training at least once every two years and not later than 60 days after their hire date. A covered entity shall require an employee of the entity who attends a training program described above to sign, electronically or in writing, a statement verifying the employee's attendance at the training program. The covered entity shall maintain the signed or electronic training record.