- CUHC workforce members complete HIPAA training requirements when hired, in addition to annual HIPAA training.
- Training includes information about the HIPAA Privacy and Information Security program.
- CUHC workforce members that fail to complete training within the required timeframe may be sanctioned.
- CUHC workforce members engaged in research activities must also complete a research-specific HIPAA training course in RASCAL Training Center (TC0019 for HIPAA: Health Insurance Portability and Accountability Act Training Course).
- Refresher, remedial, departmental and other training is provided as needed.
- Periodic awareness reminders, information bulletins, briefings and other mechanisms are also utilized to communicate HIPAA related information.
Responsibilities
- The Chief Privacy Officer and Chief Information Security Officer will review and update training material as needed and communicate training requirements and HIPAA related information to workforce members.
- Workforce members will complete all assigned training within the required time frame.
- Business Unit Leadership (Department Administrators) must assure that all CUHC workforce members comply with HIPAA Privacy and Information Security training requirements.
Definitions
Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.
Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.
Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.
Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.
Workforce includes faculty, staff, students and other individuals whose conduct, the performance of work for CUHC is under the direct control of CUHC.
