HIPAA Privacy Rule: Education of Covered Workforce

Applies to: Faculty (including part-time, visiting, certain volunteer faculty, postdoctoral scholars, staff and students (including graduate/undergraduate student workers and graduate assistants) employed by University of Southern California and its subsidiaries including Keck Medicine of USC (“USC employees”).

1. POLICY

Issued: 11/30/2016
Last Revised: March 17, 2023
Last Reviewed: March 17, 2023

2. Policy Purpose

The purpose of this policy is to detail requirements for completing the University of Southern California HIPAA Education Program (“Education Program”) for individuals who collect, use, disclose, or access Protected Health Information subject to HIPAA and other personal health information subject to FERPA and CMIA.

3. Scope and Application

This policy applies to USC’s faculty, staff, students and other employees or volunteers of the institution who use, disclose, or access Protected Health Information as part of their job responsibilities at USC. This policy applies to all USC providers of healthcare, including the Keck Medicine of USC, as well as the units that support clinical and clinical research functions, including but not limited to OGC, OCEC, EEO-TIX and OPE.

4. Definitions

Protected Health Information (PHI)Any health information created or received by a health care provider that:Identifies an individual; andRelates to that individual’s past, present or future physical or mental health condition or to payment for health care; orRelates to the past, present, or future payment for the provision of health care to the individual.
Covered Workforce Individuals affiliated with USC who collect, use, process, access, or disclose PHI, including but not limited to faculty, staff, and volunteer faculty who provide clinical-related services at USC sites or to USC patients.  See below for specific categories. 
Treatment“Treatment” means the provision, coordination, or management of health care and related services, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another. Treatment examples include consultations between health care providers who are treating a common patient; referrals to other health care providers; coordination of health care.
Payment“Payment” means the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Payment examples include but are not limited to: disclosures to collection agencies; disclosures for utilization review requests; disclosures for claims management.
Health care operations“Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. Health care operations examples include the many administrative tasks required to operate a health care provider, such as: Quality assessment and improvement, peer review, legal, auditing and compliance, business management, general administrative functions, and customer service. Operations also include clinical training of students and residents.

5. Policy Details

USC is required to provide certain HIPAA education to its faculty, staff, employees, students, volunteers and trainees who:

  1. Perform treatment, payment, or health care operations at the direction ofUSC (see USC HIPAA Policy CLIN -201); and
  2. Access Protected Health Information belonging to and maintained by USC in the course of performing such functions (“Covered Workforce”).

All individuals who are members of the Covered Workforce must complete the USC HIPAA Education Program. All new members of the Covered Workforce must complete the Education Program within thirty days of beginning their employment with USC or, if they are already USC employees, within thirty days of beginning a new role that is part of the Covered Workforce.

Categories of Covered Workforce

At minimum, the following categories of individuals who are employed, engaged by or who work at the direction of USC, and who access Protected Health Information maintained by USC are considered to be members of USC’s Covered Workforce, and will be required to complete the Education Program:

  1. Licensed Practitioners (paid or unpaid), including physicians, dentists, pharmacists, independent health professionals, social workers, counselors, and other clinical personnel, medical personnel, technicians and supporting clinical, clerical, billing and administrative staff;
  2. Researchers who conduct research that involves treatment (e.g., clinical trials);
  3. Researchers who de-identify research information or create limited data sets in accordance with the HIPAA Privacy Rule;
  4. Individuals who use or receive PHI to conduct fundraising activities on behalf of USC;
  5. Individuals who use or receive PHI to conduct marketing activities on behalf of USC;
  6. Individuals who provide health care operations functions, including clinical administrators, billing services and other back office functions, legal, compliance and information systems support;
  7. Any other individual who performs a treatment, payment or health care operation function on behalf of USC and under the direction and control of USC, and who is not otherwise a business associate (see USC HIPAA Policy BUS – 701 for a description of business associates).

Non-Workforce Members Required to Complete Education Program or Alternative HIPAA Training

Individuals who do not qualify as members of the Covered Workforce as defined above may also be required to complete the Education Program or alternative HIPAA training at USC’s discretion, which could include attending a live HIPAA training, reviewing written HIPAA materials, or providing certification of the completion of third-party HIPAA training.

These individuals include, but are not limited to the following:

  1. USC students, residents or fellows who do not provide treatment, payment or health care operations activities, but may participate in clinical training or other health care related educational activities.
  2. USC researchers and their staff who are involved or engaged in research participant research and use or receive USC protected health information and whose research does not involve treatment.
  3. USC volunteers, observers and other individuals who are not employed, engaged by or who work at the direction of USC for more than a brief, temporary period of time, except that volunteer clinical faculty shall be members of the Covered Workforce (see definition above).
  4. Certain USC third parties, such as industry representatives, who have access to USC patient health information as part of their business relationship with USC.

Development of Additional Training Modules or other Programs

USC may periodically:

  • Add specialized mandatory or voluntary chapters to the Education Program to educate particular members of USC’s workforce, individual schools, departments or entities or others; and/or
  • Update the existing Education Program and/or chapters contained therein to educate individuals about changes in California privacy laws, federal privacy laws or in the HIPAA Privacy Rule, and/or of changes to USC privacy policies and practices.

USC, at its discretion, may require designated individuals to complete training on all such additional and/or revised chapters as it deems necessary.

Maintenance of Training Records

USC’s Office of Culture, Ethics and Compliance shall maintain records, either directly or through the USC learning management system, of the date of completion of the Education Program by the Covered Workforce, except for members of the Covered Workforce employed by or acting at the direction of Keck Medicine of USC, for whom training records shall be maintained by USC’s Office of Healthcare Compliance, either directly or through the Keck Medicine learning management system. Alternative forms of HIPAA training for non-Covered Workforce members should be tracked by the appropriate supervisor, or in the case of industry representatives, in the Intellicentrics database.

6. Procedures

N/A

7. Forms

N/A

8. Responsibilities

POSITION or OFFICERESPONSIBILITIES
Faculty PhysiciansMust complete the HIPAA education in order to be appointed or reappointed to USC Care and the medical staff of Keck Medical Center. Clinical faculty in the Herman Ostrow School of Dentistry must complete the education in accordance with its credentialing practices.
Hospital Employees and KSOM Clinical StaffMust complete the education in connection with their job responsibilities.
Researchers and Research StaffResearchers and research staff who conduct human subjects research and access Protected Health Information are required to complete the Education Program in order to obtain review and approval of their respective research from the applicable USC Institutional Review Board (“IRB”).
StudentsStudents who access Protected Health Information as part of their education will be required to be educated about the HIPAA Privacy Rule as part of their training and education. Students may be required to complete the Education Program to satisfy this obligation.
Departments and/or other unitsDepartments and/or other units that employ or engage Covered Workforce members such as clinical personnel, medical personnel, technicians and supporting clinical, clerical, billing and administrative staff, are responsible for ensuring that all such Covered Workforce members complete the Education Program by the appropriate deadlines.

9. Related Information

HIPAA CLIN-201 Use of Protected Health Information for Treatment Payment and Health Care Operations

HIPAA PAT-607 Mitigations and Sanctions

Policy on Staff Disciplinary Practices

10. Contacts

Please direct any questions regarding this policy to:

Office of Culture, Ethics and Compliance(213) 740-8258compliance@usc.edu