HIPAA Training

The Trustees of Columbia University in the City of New York is committed to complying with all regulatory requirements, including assuring that the Columbia University Healthcare Component (CUHC) workforce members receive educational information related to the regulatory requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). All CUHC workforce members will complete HIPAA training, including information about CUHC Privacy and Information Security programs.

Reason(s) for the Policy

The HIPAA Rules require that healthcare organizations provide training and information about the regulatory requirements of HIPAA to their workforce members, including the organization’s related policies and procedures with respect to Protected Health Information (PHI).

Primary Guidance To Which This Policy Responds


Privacy Rule § 164.530 Administrative requirements (2) (b) (1)
Security Rule § 164.308 Administrative safeguards (a) (5) (i)

Who is Governed by This Policy

All CUHC workforce members.

Who Should Know This Policy

All CUHC workforce members.

CUHC workforce members complete HIPAA training requirements when hired.

  1. Training includes information about the HIPAA Privacy and Information Security program. CUHC workforce members must complete training to receive and maintain access to PHI, including ePHI.
  2. Periodic awareness reminders, information bulletins, briefings, department-specific training, and other mechanisms are also used to communicate HIPAA-related information.
  3. CUHC workforce members engaged in research activities must also complete a research-specific HIPAA training course in RASCAL Training Center training module TC0019 (HIPAA: Health Insurance Portability and Accountability Act Training Course).
  4. Refresher and remedial training is provided as needed.
  • The Chief Privacy Officer will review and update training material as needed and communicate training requirements and HIPAA-related information to workforce members.
  • Workforce members will complete all assigned training within the required time frame.
  • Business Unit Leadership (Department Administrators) must assure that all CUHC workforce members comply with HIPAA training requirements.

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.

Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.