HIPAA Training Background

Note: After reviewing this training information, if you are having technical difficulties with the HIPAA Privacy or Research training contact:

     Marti Arvin, Privacy Officer, UofL Privacy Office, m0arvi01@louisville.edu, 852-3803

After reviewing this training information, if you are having technical difficulties with the HIPAA Security Fundamentals training contact:

     Bruce Edwards, Information Security Officer, UofL Information Security Office, bwedwa02@louisville.edu, 852-4363.

Background on HIPAA Privacy, HIPAA Security and HIPAA Privacy and Research training and who should take it.

Training lessons covering information on the HIPAA Privacy Rule, the HIPAA Security Rule as well as HIPAA Privacy and Research are now on-line. The HIPAA Security rule went into effect on April 20, 2005 while the Privacy Rule went into effect on April 14, 2003.

• The HIPAA Privacy Course provides an introduction to the Privacy Rule requirements and how the Privacy Rule may impact faculty, staff, students and other personnel who work with protected health information at the University. This course is required training for all personnel within the University of Louisville Hybrid Covered Entity (a recap of the covered entity is at the bottom of this article).

• The HIPAA Security Fundamentals Course provides an introduction to the Security Rule requirements and how the Security Rule may impact faculty, staff, students and other personnel who work with electronic protected health information at the University. This course is required training for all personnel within the University of Louisville Hybrid Covered Entity (a recap of the covered entity is at the bottom of this article).
  
  The HIPAA security rule has 42 different security specifications under administrative, physical and technical safeguards. These 42 different specifications are an outline of what an organization should do to strive for best practice and cover topics including information access authorization; malicious software (the ability for a hacker to get into a computer system); password management; virus protection; data backup; disaster recovery; emergency mode operation plan; facility access control; work station use; and media re-use and disposal (floppy disks, CDs or other storage devices that might have HIPAA controlled information) and more.
  

• Researchers who are Human Subjects principal investigators, co-investigators, sub-investigators, key personnel or other research staff should complete the HIPAA and Research Fundamentals Training Course in addition to the above described training lessons on HIPAA Privacy and Security.

Should you take this training? If you are in the Hybrid Covered Entity you are required to take the HIPAA Privacy and Security courses.

All persons active at the University as of April 18, 2005 are required to complete these lessons. New personnel are required to complete the training within sixty (60) days of their hire date. Department heads are responsible for ensuring all applicable faculty and staff have completed the training. This training or updated versions is required on-going training every three years.

If you or your department is not within the covered entity you may want to proactively take the training. Even though it is HIPAA oriented, the training covers the basics for computer information security. Anyone who would like to get a head start on the university's information security awareness program is encouraged to take the training; contact the Information Security Officer so you and/or your department is setup to sign-into the training when it is available.

How do you log-on and take the training?

Instructions on how to access the HIPAA training courses is available by clicking here.

Questions or comments?

See the training frequently asked questions (FAQ) page here.

Faculty and staff who have suggestions on data security policy implementation or have questions regarding HIPAA security compliance should contact Bruce Edwards, the University Information Security Officer at bwedwa02@gwise.louisville.edu.

Faculty and staff who have suggestions on HIPAA privacy and/or research or have questions regarding HIPAA Privacy compliance should contact Marti Arvin, the University Privacy Officer at m0arvi01@gwise.louisville.edu.

Hybrid Covered Entity Recap
[back to top]

If a department or organization is not listed below, its personnel are not considered to be part of the U of L hybrid covered entity at this time. See note regarding students at the bottom of this list.

Schools of Nursing, Dentistry and Medicine, and affiliated Institutes and Centers
All three schools are considered part of the covered entity. This designation includes Student Health on both campuses.

School of Public Health and Information Sciences
Personnel involved in human subjects research are required to take the HIPAA Privacy and Research Fundamentals Training Course which includes HIPAA Security training. At this time, other personnel within SPHIS are not required to take HIPAA training.

Information Technology (IT), Audit Services, Human Resources
All of Information Technology (proactively elected to require training, not all within the hybrid covered entity), all of Audit Services, and the subdivisions of Human Resources (e.g. Benefits) which process protected health information associated with the employee benefits plans are included within the covered entity.

Urban Studies Institute
The activities of the Urban Studies Institute related to the conversion of non-standard data to a standard format for the purposes of submitting billing information to the State of Kentucky Medicaid offices on behalf of the Cabinet of Health.

University Archives and Records
The portion of this department that houses medical records is included within the covered entity.

Controller's Office and Bursar's Office
All staff (proactively elected to require training, not all within the hybrid covered entity)

Students
As with the HIPAA Privacy training, students are required to complete the HIPAA Security training as follows - Medical and Dental School students are required to complete the training. Nursing School students who are performing clinical activities are required to complete the training.