Provide HIPAA training for employees and subcontractors

Under the Omnibus Rule, business associate employees must undergo initial and annual HIPAA training, just as practice employees do. And if the company utilizes subcontractors, they must also complete training – as well as sign their own BAA with the vendor, indicating their agreement to privacy, security, and other policies. All employees of the Business Associate should be trained on their responsibilities for protecting electronic PHI (or “ePHI”) in possession of the Business Associate.

Source :