HIPAA Privacy and Information Security Training

The Trustees of Columbia University in the City of New York is committed to complying with all regulatory requirements, including assuring that the Columbia University Healthcare Component (CUHC) workforce members receive educational information related to the regulatory requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) . All CUHC workforce members will complete HIPAA training including information about CUHC Privacy and Information Security programs.

Reason(s) for the Policy

The HIPAA Rules require that healthcare organizations provide training and information about the regulatory requirements of HIPAA to their workforce members, including the organization’s related policies and procedures with respect to Protected Health Information (PHI).

Primary Guidance To Which This Policy Responds

HIPAA Rules § 164.308 Administrative safeguards (a) (5) (i) and §164.530 Administrative requirements (2) (b) (1)

Who is Governed by This Policy

All CUHC workforce members.

Who Should Know This Policy

All CUHC workforce members.

  1. CUHC workforce members complete HIPAA training requirements when hired, in addition to annual HIPAA training.
  2. Training includes information about the HIPAA Privacy and Information Security program.
  3. CUHC workforce members that fail to complete training within the required timeframe may be sanctioned.
  4. CUHC workforce members engaged in research activities must also complete a research-specific HIPAA training course in RASCAL Training Center (TC0019 for HIPAA: Health Insurance Portability and Accountability Act Training Course).
  5. Refresher, remedial, departmental and other training is provided as needed.
  6. Periodic awareness reminders, information bulletins, briefings and other mechanisms are also utilized to communicate HIPAA related information.

 

Responsibilities
  • The Chief Privacy Officer and Chief Information Security Officer will review and update training material as needed and communicate training requirements and HIPAA related information to workforce members.
  • Workforce members will complete all assigned training within the required time frame.
  • Business Unit Leadership (Department Administrators) must assure that all CUHC workforce members comply with HIPAA Privacy and Information Security training requirements.
 
Definitions

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.

Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.

Workforce includes faculty, staff, students and other individuals whose conduct, the performance of work for CUHC is under the direct control of CUHC.