Title
The University of North Carolina at Chapel Hill Policy and Procedure on HIPAA Training
Policy
The University of North Carolina at Chapel Hill ("UNC-Chapel Hill") provides an education program ("HIPAA training") relating to the requirements of the Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HIPAA"). This HIPAA training is updated annually to reflect any changes in the law and/or changes in UNC-Chapel Hill policies and procedures as these relate to HIPAA compliance. Each Covered Component works with the University's Chief Privacy Officer and Chief Information Security Officer to ensure that all employees, students, and volunteers in Covered Components, and Business Associates complete HIPAA training in accordance with this Policy. The University's Chief Privacy Officer and Chief Information Security Officer may consider and recommend training for additional individuals. Completion of HIPAA training is documented and maintained by the Research Compliance Program and UNC-Chapel Hill.
Procedure
1. Initial Training
- New UNC-Chapel Hill employees, students, and volunteers who work or train with Covered Components must complete HIPAA training within thirty (30) days of initial employment, enrollment, or placement.
- Business Associates who participate on site in UNC-Chapel Hill sponsored work are required to complete HIPAA training.
2. Annual Training
- UNC-Chapel Hill employees, students, and volunteers in Covered Components must complete HIPAA training annually. Additional training may be required as necessary for some or all listed individuals, as determined by the University's Chief Privacy Officer and/or Chief Information Security Officer.
- Business Associates who participate on site in UNC-Chapel Hill sponsored work are required to complete HIPAA training.
3. Ongoing Awareness Training
- UNC-Chapel Hill employees, students, and volunteers will receive periodic awareness privacy/security training. This training may include any/all of the following:
  - Overall privacy/security awareness
  - Periodic HIPAA regulation reminders
  - Virus awareness
  - Password management
  - Security Incident Reporting
  - User-specific topics necessary for individual workstation security
- Ongoing training may include (without limitation) meetings, University or departmental newsletters or memoranda, e-mail communications, and posters.