-
Who must be educated on UW Medicine Privacy policies and Information Security policies?
Institutional policies require all members of the UW Medicine workforce
to be educated about privacy, confidentiality, and security of protected
health information.
This is accomplished by having the workforce member read and sign the
form entitled, “UW Medicine Privacy, Confidentiality, and Information
Security Agreement,” and complete general awareness training within 30
days of hire. Depending on job function, an individual may be required
to complete online privacy and information security training within 60
days of hire. Additional training may also be required when job responsibilities
or job functions change.
A workforce member with a duration of employment or study less than
30 calendar days is required to complete privacy training entitled, “UW
Medicine HIPAA Temporary Workforce Member/Student Self Study,” or attest
to proof of training of comparable quality at another institution by
signing the form entitled, “HIPAA Training Certification.”
Refer to Privacy Policy PP-04
for additional information and copies of the forms.
-
Who is considered a UW Medicine “workforce member”?
The term “workforce member” refers to faculty, employees, trainees (e.g.
students, residents, and fellows), volunteers, and other persons who
perform work for UW Medicine, and whose work conduct is under UW Medicine’s
direct control regardless of whether or not the workforce member is paid
by UW Medicine.
-
What entities are considered “UW Medicine”?
The term “UW Medicine” includes the University of Washington Medical
Center and Clinics, Harborview Medical Center and Clinics, UW Medicine
Neighborhood Clinics (University of Washington Physicians Network), UW
Physicians Sports Medicine Clinic, UW Medicine Eastside Specialty Center,
Hall Health Primary Care Center, and University of Washington Physicians.
Additionally, certain support activities requiring the use or disclosure
of protected health information for or on behalf of UW Medicine are also
deemed to be health care components and included in UW Medicine. These
support functions include: Administrative Support relating to treatment,
payment, or healthcare operations, Compliance, Development, Document
Retention Services, Environmental and Workplace Safety, Information Systems
Management, Investigations involving clinical care or scholarly integrity,
Medical Staff Peer Review, Planning, Personnel Services, Risk Management,
and Telemedicine Support Services.
Individuals who perform these functions must also be educated about
privacy, confidentiality, and security of protected health information
and comply with UW Medicine policy on privacy and information security
and the training requirements.
Refer to Privacy Policy PP-01
for additional information.
-
Is the UW School of Medicine subject to the UW Medicine Privacy policies
and Information Security policies?
Yes. School of Medicine workforce members involved in certain support
activities requiring the use or disclosure of protected health information
comply with UW Medicine policy on privacy and information security.
These support functions include: Administrative Support relating to
treatment, payment, or healthcare operations, Compliance, Development,
Document Retention Services, Environmental and Workplace Safety, Information
Systems Management, Investigations involving clinical care or scholarly
integrity, Medical Staff Peer Review, Planning, Personnel Services, Risk
Management, and Telemedicine Support Services.
Refer to Privacy Policy PP-01
for additional information.
-
Where can I find the UW Medicine Privacy policies and Information Security policies?
-
What must a person do to be compliant with policy?
At the time of hire and at each performance evaluation or credentialing,
the workforce member signs the form entitled, "UW Medicine Privacy,
Confidentiality, and Information Security Agreement." The signed
form is retained in the department personnel or academic record.
At the time of hire, the workforce member completes general privacy
awareness training within 30 days of hire. If required by job function,
the workforce member also completes online privacy training within 60
days of hire. Additional training may also be required when job responsibilities
or job functions change.
A workforce member with a duration of employment or study less than
30 calendar days signs the form entitled, "UW Medicine Privacy,
Confidentiality, and Information Security Agreement," and completes
privacy training entitled, "UW Medicine HIPAA Temporary Workforce
Member/Student Self Study," or attests to proof of training at another
institution by signing the form entitled, "HIPAA Training Certification."
Documentation of training is kept as part of the department personnel
or academic record.
-
Where can I find the forms that a workforce member needs to sign?
-
How does a person sign up for online privacy training?
Each UW Medicine entity has a procedure to register individuals for
online privacy training. The hiring department administrator, or designee,
submits a request to their entity’s compliance office to register a workforce
member for online HIPAA privacy training. The hiring administrator,
or designee, also determines, based on job function, which training curriculum
track should be completed and provides this information to the workforce
member.
The entity compliance office will register the individual for training,
and provide a password and user instructions to the department contact.
Check for entity
contacts.
-
What’s a “curriculum track” and where can I find this information?
There are currently 28 different curriculum tracks available in the
online HIPAA privacy and information security training program. Based
on job function, the hiring department administrator, or designee, determines
which curriculum track an individual should select when logging into the online
training program. View the available Curriculum Tracks.
The hiring department administrator, or designee, provides the workforce
member with the curriculum track, and with logon instructions received from the
compliance office.
-
When does a UW Medicine workforce member complete online privacy training?
At the time of hire, the workforce member completes general privacy
awareness training within 30 days of hire. If required by job function,
the workforce member also completes online privacy training within 60
days of hire. Additional training may also be required when job responsibilities
or job functions change.
-
What are the requirements for residents and clinical fellows who “match” through/with
UW Medicine graduate medical education programs?
Like other members of the UW Medicine workforce, residents and clinical
fellows are required to comply with policy on privacy and information security.
The resident signs the form entitled, “UW Medicine Privacy, Confidentiality, and
Information Security Agreement,” and completes online privacy training under the
“Medical Students/Residents/Fellows” curriculum track. Residents who
"match" through UW School of Medicine graduate medical education
programs are required to complete privacy training by July 31st of their entering year.
Departments are responsible for ensuring that residents and clinical fellows
comply with UW Medicine privacy and information security policies. Departments should
follow guidance provided by the Office of Graduate Medical Education in carrying
out their responsibilities.
-
What are the requirements for “visiting” residents and clinical fellows
from Madigan, Swedish, Virginia Mason, or the VA?
A resident or clinical fellow who becomes a UW Medicine workforce member
is required to comply with policy on privacy and information security.
UW Medicine will accept training in a resident curriculum track completed
at the following institutions as meeting the UW Medicine privacy training requirement:
- Madigan Army Medical Center
- Swedish Medical Center
- Veterans Administration Health Care System (VA)
- Virginia Mason Medical Center
To be in compliance with UW Medicine policy, the resident or clinical
fellow signs the form entitled, “UW Medicine Privacy, Confidentiality,
and Information Security Agreement,” and attests to completing the required
privacy training by completing and signing the form entitled, "HIPAA Training
Certification." Both signed forms are kept as part of the department
personnel or academic record.
The Office of Graduate Medical Education requires both signed documents
be on file at least 4 weeks prior to the start date.
-
What are the requirements for “visiting” residents and clinical fellows
from other non-UW Medicine institutions?
A resident or clinical fellow who becomes a UW Medicine workforce member
for 30 calendar days or more is required to comply with policy on privacy
and information security.
The resident or clinical fellow signs the form entitled, "UW Medicine
Privacy, Confidentiality, and Information Security Agreement," and
completes the online privacy training under the "Medical Students/Residents/Fellows"
curriculum track within 30 calendar days.
A resident or clinical fellow who becomes a workforce member for less
than 30 calendar days signs the form entitled, "UW Medicine Privacy,
Confidentiality, and Information Security Agreement," and completes
privacy training entitled, "UW Medicine HIPAA Temporary Workforce
Member/Student Self Study," or attests to proof of training at another
academic medical center by signing the form entitled, "HIPAA Training
Certification." The Office of Graduate Medical Education requires both
signed documents be on file at least 4 weeks prior to the start date.
Documentation is kept as part of the department personnel or academic record.
-
I hired a new staff member but they’ll be working only at the VA. How do they comply with UW Medicine policy?
On occasion, an individual may become a UW Medicine workforce member but carry
out his/her work or employment obligations entirely at the VA Puget Sound.
At the time of hire and at each performance evaluation or credentialing,
the workforce member signs the form entitled, "UW Medicine Privacy,
Confidentiality, and Information Security Agreement." The signed
form is retained in the department personnel or academic record.
Generally, a workforce member is registered for training at the "institution
of hire." However, an individual who carries out his/her work responsibilities
solely at the VA may meet the UW Medicine privacy training requirements
by completing training offered through the VA.
Under these circumstances, the hiring department administrator determines
which institutional privacy training the individual is required to complete.
An individual who completes privacy training at the VA would not be registered
for online privacy training at UW.
Documentation of privacy training completed at the VA should be kept
in the UW personnel or academic record.
Note: If an individual’s job function changes to require
that they also carry out duties at a UW Medicine entity, he/she would
be required to comply with UW Medicine privacy and information security
policies. This includes signing the form entitled, "UW Medicine
Privacy, Confidentiality, and Information Security Agreement," and
completing the required privacy training based on job function at UW
Medicine.
-
I hired a new staff member and they’ll be working at UW and at HMC, or another
UW Medicine entity. How do they comply with UW Medicine policy?
On occasion, an individual may become a workforce member through UW
and carry out his/her work or employment obligations, in full or in part,
at another UW Medicine entity such as HMC.
Generally, a workforce member is registered for training at the "institution
of hire." However, based on the requirements of the job, the hiring
department administrator may determine which institutional privacy training
the individual will be registered for and required to complete.
An individual who carries out his/her work at several UW Medicine entities
is not required to complete privacy training at each entity. Documentation
of privacy training completed at another UW Medicine entity must be kept
in the UW personnel or academic record.
-
I hired a new staff member who will carry out their employment obligations at UW.
They can show evidence of completing privacy training at another institution.
How do they comply with UW Medicine policy? Can they get “credit” for privacy
training taken at another institution?
If the individual is a "new hire" for your department, they
must comply with UW Medicine privacy and information security policies. This
is accomplished by having the workforce member read and sign the form
entitled, "UW Medicine Privacy, Confidentiality, and Information
Security Agreement," and complete general awareness training within
30 days of hire. Depending on job function, they may also be required
to complete online privacy training within 60 days of hire.
If required by job function, you should register the new workforce member
for online privacy training, determine which curriculum track they are
required to take, and contact your entity’s compliance office for additional
guidance.
A newly hired workforce member who, in the past, completed online privacy
training at a UW Medicine entity such as UW, HMC, or UWP may be able to meet
some or all of the online training required by their new job at UW. Privacy
training taken at the Seattle Cancer Care Alliance may also meet the requirement.
UW Medicine does not accept privacy training taken at other non-UW Medicine
institutions.
-
What information does a UW Medicine Compliance office need in order to give a new
workforce member “credit” for privacy training taken at another UW entity?
A new workforce member who previously completed privacy training at a UW
Medicine entity can get "credit" for modules completed if those modules are
required in their new curriculum track.
If required by their job function, you should register the new workforce
member for privacy training and determine which curriculum track, based on job
function, the individual must complete. You can then:
Provide the UW Medicine entity compliance office with a copy of the training
completion certificate or other evidence of training, and tell the UW Medicine
entity compliance office which curriculum track the person is required to complete.
This will allow the compliance office to compare the completed training modules
with the ones they are now required to take. The UW Medicine entity compliance
office will confirm which training modules will “transfer” and which, if any,
the individual must complete.
-
How does UW Medicine enforce the privacy and information security training requirement?
UW Medicine policy requires that appropriate sanctions be applied, without
regard to role or position, to workforce members who fail to comply with
institutional policies and established procedures related to privacy,
confidentiality, and information security.
Non-compliance with training and educational requirements is considered a
failure to comply with institutional policy, which constitutes a Level 3 violation,
subject to sanctions up to and including termination.
The policy, a general description of policy violations and possible corrective
actions are set forth in privacy policy, PP-06 Sanctions for the Failure to Follow
Applicable Privacy and/or Information Security Policy or for a Breach of Patient
Confidentiality or Information Security.
Refer to PP-06
for additional information.
-
What types of sanctions are available to department leadership to encourage compliance with
privacy and information security training policy?
Individuals who have not signed the Privacy, Confidentiality and Information
Security agreement, and/or completed the required HIPAA privacy training within
30 days of hire or registration in the training database are subject to corrective
actions. Corrective actions for a Level 3 policy violation may include denial of
access to information, retraining, and a range of personnel actions up to and
including termination of employment or professional services.
The policy, a general description of policy violations and possible sanctions
are set forth in privacy policy, PP-06 Sanctions for the Failure to Follow Applicable
Privacy and/or Information Security Policy or for a Breach of Patient Confidentiality
or Information Security.
Refer to PP-06
for additional information.
-
Who initiates sanctions for non-compliance with the privacy and information security training policy?
Who is responsible for initiating corrective actions for non-compliance depends
on the workforce member's constituency and reporting line within the organization.
UW Medicine officials vested with authority to determine corrective actions for
non-compliance include, but are not limited to, department chairs and directors,
medical center directors and administrators, and GME program directors.
The following individuals would initiate corrective actions, if appropriate,
when a workforce member has not completed the required training within the
designated timeframe:
- Department Chair and/or Medical Director when a faculty member is involved
- Department Chair, Medical Director, and/or Program Director when a student,
resident, or fellow is involved
- Department Administrator, director, manager, or supervisor if a staff or
other workforce member is involved
-
Despite several reminders, a workforce member has not completed the required training. What steps can be taken?
The department official should contact the workforce member to outline a timeframe/plan for completing the training.
If training is not completed, the following individuals would determine what corrective actions may be taken:
- Department Chair and/or Medical Director in consultation with SOM Human Resources when a faculty member is involved
- Department Chair, Medical Director, and/or Program Director, in consultation with the GME Office or with the Vice Dean
for Academic Affairs, when a resident, fellow, or student is involved
- Department Administrator, director, manager, or supervisor in consultation with Human Resources if a staff or other
workforce member is involved
The HIPAA program office also provides guidance to departments on questions of policy and procedures. Additional guidance on
HIPAA training policies, roles and responsibilities is available on our HIPAA Privacy and
Information Security Training page.