HIPAA Privacy and Security Training

Layout for printing

Policy Number:

UW-137

Old Policy Number:

9.1

Responsible Office:

Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.

Definitions:

Covered employees and agents

UW–Madison Employees/Appointees (of all classifications, paid or unpaid) and volunteers employed in or assigned to a defined unit of the UW-Madison Health Care Component, as well as employees/appointees throughout the entire School of Medicine and Public Health, the entire School of Pharmacy, and the entire Waisman Center facility located at 1500 Highland Avenue, Madison, Wisconsin. But individuals with appointments solely for the purpose of providing clinical education for UW-Madison students at non-UW-Madison facilities (commonly referred to as “preceptors” or “clinical adjunct faculty”) are not considered covered employees or agents for the purposes of this policy.

For purposes of this policy, the term “employee” as described above includes students in their roles as employees (e.g., student hourly, student assistant). For example, a student who is employed as a student hourly to answer phones in a clinical department of the School of Medicine and Public Health would be considered an employee for purposes of this policy.

Covered entity

A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Covered external research personnel

Non-UW–Madison employees who participate in UW–Madison research under a protocol in which a UW–Madison researcher in the health care component (HCC) serves as the principal investigator (PI) or co-investigator.

Covered students

Students who have access to protected health information (PHI) in their role as participants in a clinical health professional training program within a unit of the UW–Madison health care component (UW HCC), or students in other non-clinical training programs which involve observation of patient or research subject interactions or interactions with protected health information in connection with their course-work. For example, Nursing students who are assigned to a clinical experience in University Health Services as part of their educational program, or Industrial Systems Engineering students observing patient interactions at University Hospital or the Waisman Center as part of their educational programs are considered covered students for purposes of this policy.

Protected health information (PHI)

Health information, or healthcare payment information, including demographic information, which identifies the individual or can be used to identify the individual. Protected health information does not include student records held by educational institutions or employment records held by employers.

UW–Madison health care component (UW HCC)

Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW-Madison Health Care Component for a listing of these units.

Scope:

Applies to all members of the UW–Madison health care component (HCC).

Policy:

Policy Summary

UW–Madison is committed to maintaining the privacy, confidentiality, and security of patients’ and research subjects’ protected health information in accordance with HIPAA. To that end, UW-Madison requires that all “covered” employees, agents, and students, as described in this document, complete HIPAA training once before accessing PHI and thereafter when UW-Madison requires training on approximately an annual basis. This policy also describes when covered external research personnel must take UW–Madison’s HIPAA training.

This policy describes the HIPAA Privacy and Security Rule training requirements at UW–Madison.

Policy Detail

1. HIPAA Privacy and Security Training of Covered Employees and Agents and Covered Students
   1. HIPAA training is required prior to provisioning access to protected health information for covered employees and agents and covered students. This training is required by federal HIPAA regulations. Covered employees and agents and covered students who do not need access to protected health information are still required to complete training on an approximately-annual basis as required by UW–Madison, despite their lack of need to access protected health information. The training completed must be the most current version of the training, and it must be completed by the deadline established when it is made available.

   2. Retraining shall occur annually. Retraining may occur more frequently if material changes are made to HIPAA regulations and UW–Madison’s HIPAA privacy and/or security officer determines retraining is necessary to ensure compliance with HIPAA regulations.

      Retraining may also be required by the leadership of an individual UW–Madison health care component (HCC) unit. Such retraining may be required, for example, as a corrective action in the event of HIPAA breaches or to address performance concerns and/or HIPAA policy violations.

   3. HIPAA training must be provided in a format that is accessible to persons with disabilities and those who are not fluent in English.
   4. Records of successful completion of training (and retraining) must be retained by UW–Madison as specified below.
   5. Web-based will be provided by UW–Madison as the primary form of training when and to the extent possible.
   6. Additional, specific training for any unit or department within the UW HCC may be developed if the unit determines a need for such training exists; if so, such training will be the responsibility of the HCC unit’s privacy and/or security coordinator(s). Further, retention of records of such training will also be the responsibility of the HCC unit’s privacy and/or security coordinator(s). Any such training must be developed in consultation with the UW–Madison HIPAA privacy and security officers.
   7. With respect to students participating in a clinical health professional training program within the UW HCC, the UW HCC unit privacy and security coordinators must ensure completion of UW–Madison HIPAA training even if the student’s academic department includes education regarding HIPAA in its academic curriculum.

2. HIPAA Privacy and Security Training for Students Participating in a Clinical Health Professional Training Program at a non-UW–Madison Health Care Facility

   The training of students who have access to protected health information at health care facilities outside UW–Madison as part of their academic program is the responsibility of each health care facility unless there is a contractual agreement between a facility and UW–Madison requiring otherwise.

3. HIPAA Privacy and Security Training for Covered External Research Personnel

   Covered external research personnel are required to take UW–Madison’s HIPAA training (or equivalent privacy-related training for internationally-based researchers) if they have not already completed HIPAA training as required by their institution or employer and either III.1 or III.2, below, applies.

   1. They are a covered entity (i.e., a covered health care provider) who creates or obtains protected health information through intervention or interaction with research subjects; or
   2. They access protected health information of research subjects from a covered entity (including from covered individuals and from covered sources that maintain protected health information such as health records, databases, registries, etc.).
4. PHI Access for Covered Employees and Agents and Covered Students
   1. Covered employees and agents and covered students cannot have access to protected health information unless they have successfully completed UW–Madison HIPAA training. Upon successful completion of training, access to protected health information may be granted (and must be changed or terminated, as appropriate) in accordance with UW-132 HIPAA Security System Access.
   2. Access to protected health information shall be terminated for any individual covered employee or agent or covered student who fails to complete UW–Madison HIPAA Privacy and Security Training by the deadline established when the training is made available.
   3. Each UW HCC unit’s privacy and/or security coordinator(s) is responsible for ensuring termination of access as provided above in Subsections IV.1 and IV.2.

5. Compliance

   Because UW–Madison is required to ensure compliance with HIPAA regulations, periodic audits will be conducted to ensure completion of training and termination of access for failures to complete training in accordance with this policy.

6. Academic Curriculum Content

   While this policy requires training covered students who will have access to protected health information in their facility, it is not the intent of this policy to mandate the inclusion of HIPAA requirements in the curriculum of academic departments. That is solely an academic decision.

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Related UW-Madison Policies:

UW-100 Designation of UW-Madison Health Care Component

UW-132 HIPAA Security System Access

Related UW–Madison Documents, Web Pages, or Other Resources:

Additional information may be found at www.compliance.wisc.edu/hipaa

External References:

45 C.F.R. § 164.530(b)

45 C.F.R. § 164.530(j)

Policy Administration

Approval Authority:

Vice Chancellor for Legal Affairs

Policy Manager:

HIPAA Privacy Officer

Contact:

HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077

Effective Date:

03-15-2004

Revised Dates:

08-21-2014: Effective date of the revised policy: 08-21-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.
07-14-2020: Effective date of the revised policy: 07-14-2020.
08-07-2023: Effective date of the revised policy: 08-07-2023.
12-07-2023: Effective date of the revised policy: 12-07-2023.

Retrieved:

12-30-2024 08:42:50