Training and Awareness
Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Training and Awareness
Policy Number: IS-04 (Administrative Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
This Policy describes the requirements for the training of all Drexel University (DU) Workforce Members to ensure compliance with the HIPAA Privacy and Security Program. It also describes the training for Affected Employees, who are those Workforce Members who are involved in areas of DU which are subject to HIPAA laws, rules and regulations.
DU requires periodic HIPAA security and awareness training for all Workforce Members with the twin goals that all will receive training on how to perform their jobs in compliance with the Security Policies of DU and that each employee will understand that HIPAA Security Rule compliance is a condition of continued employment.
- All Workforce Members are required to participate in at least one (1) HIPAA Security Rule awareness/training program per year as well as additional training as policies and procedures are changed, to the extent that the changes affect their jobs. These programs are likely to be in-house web-based programs. New Workforce Members will receive training as part of orientation to their jobs within a reasonable time of joining the workforce. Workforce Members who are acting as Business Associates will receive Business Associate training within a reasonable time after beginning to provide Business Associate services for a covered entity or another Business Associate, as well as additional training as policies and procedures are changed, to the extent that such changes affect their jobs.
- Affected Employees include the following:
- Physician extenders (i.e., registered nurse, limited DU nurses, medical assistants, nurse practitioners, physician assistants, and anyone responsible for medical record documentation);
- Technicians, scribes, or anyone responsible for documenting the medical record;
- DU Administrator;
- Office Manager/Business Manager;
- Billing/Collections and Accounts Receivable Personnel;
- Front Desk Personnel (check-in, check-out);
- Authorization Specialist;
- Students in Healthcare Professions; and
- Any employee providing services under a Business Associate agreement with a covered entity or another Business Associate.
- Each Affected Employee is required to be trained in the initial HIPAA Security Program information and special topics relative to the position or role of the Affected Member.
- Attendance at training sessions is documented to demonstrate that each Affected Member has received training in accordance with this policy. This information will be used as DU monitors, audits and maintains its compliance with policies and procedures.
- Training participation records will be maintained electronically for web-based training; and
- Manual classroom education records will be posted to the electronic record.
- Training sessions shall include at least the following:
- Awareness training regarding threats to the privacy and security of electronic protected health information (e-PHI) and how the failure to protect against these threats can harm Workforce Members and the importance of each Affected Member in the privacy and security posture of DU;
- Protection from malicious software;
- Login attempt monitoring;
- Password management;
- Details of applicable policies and procedures; and
- Periodic reminders.
- The Human Resources Department and the Privacy Officer will maintain documentation of training for six years.
- All policies and procedures will be made available for Workforce Members to review or reference as needed.
- The HIPAA Security Officer will distribute periodic Security Reminders, which are intended to serve as updates or reminders about security-related issues. Knowledge of each Security Reminder and completion of any required action is the responsibility of every Workforce Member.
- Master copies of all educational and training materials received by an Affected Employee are the property of DU, and are maintained in a designated location for review.
45 CFR §§ 164.308(a)(5); 164.530(b)
Back to Top