ITS HIPAA Training
UCSC's Information Technology Services HIPAA Security Rule Training Requirements
By law, we are required to train and periodically update ITS employees who are involved in, or support systems involved in, the creation, transmission, or storage of electronic protected health information (ePHI), also known as "HIPAA data". Currently this includes individuals (and their back-ups) who support the following units and systems on campus or have access to their data, servers, workstations, backups, transmissions, logs, test/dev/bug systems, etc.: Benefits Office, Health Center, Counseling and Psychological Services (CAPS), Campus AD, Virtual Infrastructure, Campus voicemail, TEM, Data Center and Health Center firewalls and VPNs, Data Center backups and backup server.
The ITS HIPAA training includes the four components listed below. Supervisors are responsible for ensuring and documenting that employees receive and complete appropriate HIPAA training. These items are all available online and are to be completed before an ITS employee gains access to HIPAA systems or data. Send copies of certificates of completion for #1 & 2 to Julie Goldstein, contact info below. Please note that some units/departments may require that ITS employees complete additional local training prior to accessing their systems or data.
- Required: Take UCSC's two online HIPAA trainings.
- Description: This two-part, online training provides general information for all employees who have responsibilities relating to HIPAA data, plus information specific to the HIPAA Security Rule. There is a certificate to print out for each module.
- Instructions: Log into learningcenter.ucsc.edu with your CruzID and Gold password. Enter "hipaa" in the search box on the left and click "go". You need to complete both modules that come up: "HIPAA Training" and "HIPAA Security Rule Overview," preferably in that order. To take a training, click on it, then click "Start". After you complete a course, go back to your home page (click on "Learner" or breadcrumbs at the top of the page), click on your "Transcript," select the course, and click on the "diploma" icon to print the certificate of completion. Detailed instructions are available from "Help" on your home page (don't use the help link in LearningCenter's top nav).
- Required: Read ITS' "HIPAA SECURITY RULE POLICIES AND PROCEDURES" (first item on the linked page).
- Description: This is the current set of ITS-specific policies and procedures for HIPAA Security Rule compliance. It is available in Google to all ITS staff (CruzID Blue login required). Employees are to read this document and work with their supervisor or contact me (info below) to address any questions. A downloadable certificate of completion for this reading is available at the end of the document; email verification of completion is also acceptable.
- For your reference (not required reading): "What this means for you" training handout, distilled from the full Policies and Procedures document (available to all ITS staff, CruzID Blue login required)
- Required: Read and sign the University Administrative Information System Access to Information Statement.
Submit the signed form to your supervisor. Copies of signed forms are to be sent to the Accounts Team in the ITS Support Center. The supervisor may also retain a copy. If you already read and signed this when you were hired, you don't need to do it again. If you're not sure, do it again just to be safe.
- Also recommended for reference:
- UCSC Password Strength and Security Standards (referenced in the above Policies and Procedures document).
- The complete set of practices for HIPAA Security Rule compliance: This is the complete list of UCSC practices for compliance with each of the 42 HIPAA Security Rule requirements. For HIPAA training purposes, this document would be in the "skim-through-and-focus-on-what's-relevant-to-you" category.
Please contact Julie Goldstein, firstname.lastname@example.org, 459-2779, mailstop: ITS-Delaware, with any questions, concerns, or requests for materials regarding HIPAA training or HIPAA Security Rule compliance.