HIPAA Policy-09
About This Policy
Effective: 07/01/2015
Last Updated: 12/20/2021
Responsible University Office:
Office of the Chief Privacy Officer
Responsible University Administrator:
Chief Privacy Officer
mawerlin@iu.edu
Policy Contact:
HIPAA Privacy Officer
HIPAA Security Officer
hipaa@iu.edu
- Print or view a PDF of this policy
- Many policies are quite lengthy. Please check the page count before deciding whether to print.
Scope
This policy applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and HIPAA Affected Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this policy, all of the above will be referred to as workforce members.
Policy Statement
- Workforce members of the IU HIPAA affected areas and covered healthcare components shall be trained on policies and procedures required by the HIPAA Privacy and Security Rules so that each person is able to carry out his or her duties in compliance with IU’s policies, HIPAA and changes promulgated under the HITECH Act.
- Training shall include information about applicable federal and state regulations regarding the privacy, security, and confidentiality of individually identifiable health information.
- Training shall be provided for workforce members of each IU HIPAA affected areas and covered healthcare components upon initial employment, volunteer work, student orientation, or third-party contract, and annually thereafter or upon material changes to any university or areas’ policies and procedures regarding the privacy, security and confidentiality of individually identifiable health information. Training may also be required as part of a corrective action plan.
- The University HIPAA Privacy and Security Officers will develop and provide basic HIPAA Privacy and Security training for workforce members of the designated IU HIPAA Affected Areas.
- The University HIPAA Privacy Officer will ensure training materials are updated to reflect changes in university policies and procedures and regulatory changes as necessary.
- The HIPAA Liaisons will compile and maintain a list of new and current workforce members who require HIPAA training.
- The HIPAA Liaisons are responsible for documenting training compliance for workforce members in a manner and frequency established by the University HIPAA Privacy Officer. Written documentation of training must be retained for a period of six years from the date of its creation.
Reason for the Policy
Indiana University has responsibility under the HIPAA Privacy and Security Rules for providing and documenting training for university workforce members who access protected health information. This policy describes the training requirements for workforce members in the IU HIPAA Affected Areas.
Definitions
See Glossary of HIPAA Related Terms for complete list of terms.
History
07/01/2015 Effective Date
10/13/2015 Updated scope to reflect anyone who works in an IU HIPAA Affected Area
08/01/2016 Added link to Glossary, removed bad links
06/xx/2017 Published on University policy site
12/20/2021 Updated policy contacts
Related Information
HIPAA Privacy Rule
45 CFR 164.530(b)
45 CFR 164.530(j)