Objective

To provide guidance for the education and training of the UTHSC workforce on Health Information Privacy and the Health Insurance Portability and Accountability Act (HIPAA), Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Regulations).

Scope

All faculty, staff, students, residents, and non-employees of UTHSC are required to complete mandatory training in patient privacy regulations and policies on a periodic basis. In addition, when a material change occurs in policies or guidelines, UTHSC will provide training to the workforce within a reasonable period of time after the material change becomes effective.

Definitions

• Protected health information (PHI) – for purposes of this procedure means individually identifiable health information that relates to the past, present or future health care services provided to an individual. Examples of Protected Health Information include medical and billing records of a patient.
• Workforce – employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

Procedures

1. New Employees
   New employees are required to complete HIPAA Privacy training within thirty (30) days of their effective start date at UTHSC.
2. Employees on Leave of Absence
   If an employee is on a leave of absence, they must complete HIPAA Privacy training within 30 days of returning to work.
3. Responsibilities of UTHSC Institutional Compliance Office
   1. To provide education and training regarding HIPAA privacy policies and procedures to all workforce members.
   2. All education and training must be documented and maintained for six years. Documentation may be maintained in written or electronic form from the date of its creation or the date when it was last in effect, whichever is later.
   3. In addition to the general overview education and as part of job specific training, to provide HIPAA privacy education based on the role of the workforce members in the University as necessary and appropriate to carry out their function in the organization.
   4. Along with the UTHSC Human Resources Office, to ensure that HIPAA privacy training and education is incorporated into the initial orientation process for all members of the workforce.
   5. To ensure that information and tools are available to assist departments in presenting HIPAA privacy training.
   6. To ensure that workforce members receive appropriate training as necessary and appropriate to carry out their function at UTHSC.
   7. UTHSC may request that its workforce sign a Confidentiality Agreement.