HIPAA Policy Section 8.2: Training
All staff of any office identified as part of the System Health Care Component shall receive training on Systems privacy policies and procedures with respect to PHI as necessary and appropriate to carry out their duties as System employees.
8.2(1) Responsibility for Training.
The Privacy Officer shall have the responsibility for training or arranging for training of all staff and any other Workforce Members of the offices within the System Health Care Component regarding System’s privacy policies and procedures, which responsibility involves discretion concerning the following:
- the policies and procedures to be addressed for each category of Staff and the frequency;
- the appropriate personnel who may be assigned responsibility for conducting or overseeing privacy training;
- the methods and materials used to provide privacy training (tailored to the nature of the trainee’s contact with PHI), such as traditional classroom lectures, video presentations, interactive software, role-playing, case studies, seminars and discussions; and
- the use of competency tests to evaluate training effectiveness.
8.2(2) Initial Training.
Initial training for all staff under this revised Manual shall take place prior to September 23, 2013, except that staff unable to attend the initial training shall have until October 1, 2013 to complete the training. Any new staff or other Workforce Member shall receive training within a reasonable period of time after the person is hired but before the person shall be allowed to Use or Disclose PHI without direct supervision.
8.2(3) Additional Training.
In the event of a material change in System’s privacy policies and procedures or the HIPAA Privacy Rule, the Privacy Officer shall ensure that those Staff members whose functions are affected by the material change receive additional training concerning the change within a reasonable period of time after the change becomes effective.
8.2(4) Documentation of Training.
System shall document the training of each member of its Workforce. Upon completing the initial privacy training or any training otherwise required by the Privacy Officer, all Workforce Members must sign a form “Health Information Confidentiality Agreement” by which such Staff shall attest that he or she is aware of and agrees to System’s privacy policies and procedures and that he or she has completed privacy training. System may at its option, develop an electronic method for documenting this information. All such documentation shall be retained in accordance with Section 9.2 of this Manual.
45 C.F.R. § 164.530(b)
65 Fed. Reg. at 82,561, 82,745 (Dec. 28, 2000); 67 Fed. Reg. at 53,253 (Aug. 14, 2002)