Education and Training for HIPAA Privacy and Security Awareness
About This Policy
- Effective Date:
- Date of Last Review/Update:
- Responsible University Office:
- HIPAA Privacy and Security Compliance Office
- Responsible University Administrator:
- Vice President for University Clinical Affairs
This policy applies to all personnel, regardless of affiliation, who work in an IU HIPAA Affected Area or who create, access or store Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) or at Indiana University, in accordance with the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Please refer to the IU HIPAA Affected Areas document for a full list of departments impacted within Indiana University.
A. Workforce members of the IU HIPAA Affected Areas shall be trained on policies and procedures required by the HIPAA Privacy and Security Rules so that each person is able to carry out his or her duties in compliance with IU’s policies, HIPAA and changes promulgated under the HITECH Act.
B. Training shall include information about applicable federal and state regulations regarding the privacy, security and confidentiality of individually identifiable health information.
C.Training shall be provided for workforce members of each IU HIPAA Affected Area upon initial employment, volunteer work, student orientation, or third party contract; and annually thereafter or upon material changes to any university or areas’ policies and procedures regarding the privacy, security and confidentiality of individually identifiable health information. Training may also be required as part of a corrective action plan.
D.The University HIPAA Privacy and Security Officers will develop and provide basic HIPAA Privacy and Security training for workforce members of the designated IU HIPAA Affected Areas.
E.The University HIPAA Privacy Officer will ensure training materials are updated to reflect changes in University policies and procedures and regulatory changes as necessary.
F.The HIPAA Liaisons will compile and maintain a list of new and current workforce members who require HIPAA training.
G.The HIPAA Liaisons are responsible for documenting training compliance for workforce members in a manner and frequency established by the University HIPAA Privacy Officer. Written documentation of training must be retained for a period of six years from the date of its creation.
Reason for Policy
Indiana University has responsibility under the HIPAA Privacy and Security Rules for providing and documenting training for University workforce members who access protected health information. This policy describes the training requirements for workforce members in the IU HIPAA Affected Areas.