1.090 Mandatory HIPAA Privacy and Security Training

Op10.04-14 Mandatory Training

Purpose

Describes mandatory training as required by the Health Insurance Portability and Accountability Act (HIPAA). 45 CFR Section 164.500, et seq.

Application

The University’s HCC

  1. Definitions. Terms are defined as follows:
    a. Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, enacted on August 21, 1996.
    b. Code of Federal Regulations (CFR) refers to 45 CFR Parts 160, 164 and 142, for the Privacy and Security rules.
    c. Privacy training rule: 45 CFR § 164.530(b)(1) states "a covered entity must train all members of its workforce on policies and procedures with respect to health information required by this subpart, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity."
    d. Proposed Security Training rule: 45 CFR § 142.308(a)(12) requires "education concerning the vulnerabilities of the health information in an entity’s possession and ways to ensure the protection of that information."
    e. Protected Health Information (PHI) means individually identifiable health information that is (1) transmitted by electronic media, or (2) transmitted or maintained in any form or medium. See HIPAA Procedure 1.005, 1.b. and c.
    f. Mandatory Training refers to the requirements as noted in 1.c. (privacy) and 1.d. (proposed security) as defined above, plus any additional training requirements adopted in the final Privacy and/or Security rules. Initial HIPAA training, defined as occurring between October 1, 2002, and April 14, 2003, shall only be conducted by or as approved by the University’s Human Resources Training and Development Manager (TDM).
  2. Mandatory Training for all Missouri State health care component employees
    a. All health care components, as well as volunteers, students and contract employees in a Missouri State HCC on a regular course of business, shall attend training on the privacy and security provisions of HIPAA. This training shall follow a specific curriculum established by the Missouri State HIPAA Management Team, an outline of which is attached to this procedure as Appendix A.
    b. The HIPAA training curriculum should remain consistent system-wide to assure appropriate implementation of the HIPAA Privacy and Security regulations. Local HCC customization should obtain the approval of the Unit Privacy Officer or the TDM.
    c. HCC employees, as well as volunteers, students and contract employees in a Missouri State facility on a regular course of business, hired or engaged prior to April 14, 2003, shall receive HIPAA privacy and security training prior to April 14, 2003.
      1. Trainings shall be available at all HCC-operated facilities.
      2. Additional mandatory privacy training shall be scheduled whenever there is a material change in the privacy policies or procedures, as determined by the University or Unit Privacy Officer.
      3. Periodic mandatory security training shall be scheduled as determined by the University or Unit Security Officer.
    d. Missouri State HCC employees hired after April 14, 2003, shall receive training as part of their initial employee orientation. The content of the HIPAA new employee orientation shall be the same as listed in Appendix A to this policy. However, any interactive exercises or supplemental videos may not be required content for new employee orientation. New HCC employee orientation must take place within thirty (30) days of the date of hire.
    e. Volunteers, students and contract employees in a Missouri State HCC facility on a regular course of business who are hired or accepted after April 14, 2003, shall receive training as part of their initial HCC orientation (also known as the new employee orientation course). The content of the HIPAA initial HCC orientation shall be the same as listed in Appendix A to this policy. However, any interactive exercises or supplemental videos may not be required content for initial facility orientation. Such training must be completed within thirty (30) days of the initial date that the person presents for service.
    f. Each Unit Privacy Officer shall identify the group(s) or individuals who, due to the nature of their job function within the unit, will require in-depth training related to HIPAA, and then provide that specialized training prior to April 14, 2003.
  3. Documentation of Mandatory Training. Documentation of Mandatory HIPAA Training shall be recorded in the TDM office's computer system. Specific codes have been established for use in recording HIPAA initial training, HIPAA new employee orientation, and HIPAA periodic updates.
  4. Sanctions. Employees who do not complete the respective Mandatory HIPAA Training(s) are subject to disciplinary action that may include, but is not limited to, suspension without pay, demotion or dismissal.
  5. Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.

HISTORY: Effective March 21, 2003

Appendix A

HIPAA Privacy Training Outline

  1. Goals of Training
  2. What is HIPAA?
  3. What is "Protected Health Information (PHI)"?
    1. Examples of PHI
  4. Who is Subject to HIPAA?
  5. What is a Covered Entity?
    1. Is Missouri State Itself a Covered Entity?
    2. Missouri State’s Responsibility as a Hybrid Entity
  6. What is a Business Associate? (1.160)
    1. Examples of Business Associates
    2. Contract with Business Associates Must:
  7. Privacy: Why is it important?
  8. HIPAA Enforcement
  9. What HIPAA Requires Missouri State to do
    1. Where do we find PHI?
    2. How can you Safeguard PHI?
    3. How does "Need to Know" Translate into HIPAA?
  10. HIPAA Regulations for Missouri State
    1. Notice of Privacy Practices (1.005)
    2. Amendment (1.010)
    3. Restrictions (1.020)
    4. Access (1.030)
    5. Confidentiality Agreement (1.040)
    6. Authorization to Disclose (1.050)
  11. When no Authorization is Needed
  12. HIPAA Consumer Protections
    1. Accounting of Disclosures (1.060)
    2. Verification (1.070)
    3. Complaint Procedure (1.140)
    4. Preemption of State and Federal Law
    5. Research Provisions (1.055)
  13. Key Things to Remember about Privacy
  14. Security: Integration with HIPAA Privacy
    1. Required Training Areas
    2. Purpose of Security
    3. General Security Awareness (1.330)
    4. Things to Know about System Access (1.300)
    5. Password Management
    6. PC and System Protection
  15. Key Things to Remember about Security
  16. Questions?
  17. Required Missouri State HIPAA Training Registration and Verification