CUHC workforce members complete HIPAA training requirements when hired.
- Training includes information about the HIPAA Privacy and Information Security program. CUHC workforce members must complete training to receive and maintain access to PHI including ePHI.
- Periodic awareness reminders, information bulletins, briefings, department specific training, in addition to other mechanisms are also utilized to communicate HIPAA related information.
- CUHC workforce members engaged in research activities must also complete a research-specific HIPAA training course in RASCAL Training Center training module TC0019 (HIPAA: Health Insurance Portability and Accountability Act Training Course).
- Refresher and, remedial training is provided as needed.
Responsibilities
- The Chief Privacy Officer will review and update training material as needed and communicate training requirements and HIPAA related information to workforce members.
- Workforce members will complete all assigned training within the required time frame.
- Business Unit Leadership (Department Administrators) must assure that all CUHC workforce members comply with HIPAA training requirements.
Definitions
Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.
Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.
Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.
Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.