Frequently Asked Training and Education Questions
UCSF is committed to ensure that every person in the campus community receives
sufficient opportunity to understand HIPAA as the law pertains to his or her activity
at UCSF. A variety of educational and training materials were developed for the
workforce in general as well as targeted to specific audiences as determined by
individual responsibilities at UCSF.
Who needs to take the HIPAA training?
Members of the UCSF workforce, whether salaried or non-salaried, are required to
complete HIPAA privacy and information security training. This includes faculty, staff,
students, postdocs, volunteers, as well as visitors who may have either direct or indirect access
to patients or their health information.
Which training do I need to take?
There are several levels of training depending upon the level of access to patients and
patient information. Basic privacy and security training (HIPAA 101) as well as advanced
role-based training can be viewed on-line or printed for training as follows:
- None or minimal access to patients or patient information? Yes. Take HIPAA 101
Privacy and Security module.
- Medical Center new employees complete this training by attending
the mandatory new employee orientation.
- Medical Center volunteers complete this training at the Medical
Center Volunteer Services orientation.
- Access to patients or patient information? Yes. Take advanced HIPAA module.
There are several versions depending upon an individualís responsibilities including
PHI Module, Provider Module and Development Module.
- Human Subjects Research? Yes. Take Research module.
- Access to UCSF clinical systems? There may additional training and approval required for access to UCSF clinical systems, such as APeX. Contact system owners for any requirements.
- Access to UCSF computing systems which transmit, receive, create or store confidential
or financial data or patient information? Yes. Take Advanced Security training module.
Who should take the PHI Module?
- Individuals who access protected health information (PHI) and/or respond to
patient requests related to PHI: For example, this includes individuals who deal
with patient registration, scheduling, medical records or billing functions.
- In addition this could include, but is not limited to, individuals with associated
responsibilities within Clinics; Pharmacy & Home Services; Hospital Patient Care
Units; Information Technology Services; Case and Social Services Management; and, Business
Who should take the Provider Module?
- School of Dentistry, School of Nursing, School of Pharmacy, and students, residents
- Non Medical Center Department with clinical activity: academics with health
professions degrees or responsibilities.
- Medical Center Department: health professions with direct patient care responsibilities.
- New Employees and faculty in the above functions and units.
Who should take the Communications and Public Relations Module?
- Staff, including volunteers, who are engaged in institutional advancement functions.
- This includes medical center and non-medical center departments with or without clinical
activity or clinical related research.
Who should take the Research Module?
- Research Investigators and their research support staff who submit new, modified,
exempt protocols or work with patients or patient information.
- Research support staff is any person who has direct contact with the research subject
or with the subject's PHI. This includes graduate students, post-doctoral fellows, UCSF
Fellows, clinical research coordinators and associates, data entry and data base specialists,
statisticians, and some laboratory personnel (audio, video, research).
- Human subjects research involves more that just clinical trials as any researcher
who utilizes PHI associated with biological specimens, biometric specimens, data sets and
medical records is involving human subjects.
How do I access the HIPAA training module?
The HIPAA training modules are available through the UC Learning Center, posted to this website and presented during new employee orientation, house officer training or other training workshop. Consult with HR or your department to determine how to complete the training.
Is there a certificate of training to prove I took the training?
At this time there is no certificate of training. However, some departments may require additional
information security training for access to their electronic information resources, and as such, they
may require or provide a security training certificate.
How often do I need to take HIPAA training?
UCSF workforce members receive HIPAA training upon hire. In addition, workforce members will be expected to complete an updated Privacy training as the Federal Regulations or State Privacy Laws change. As of October 1, 2010, training is available in the Learning Management System (LMS). If you have any questions, please contact your supervisor/manager.
What is the Privacy and Confidentiality Handbook?
The HIPAA Handbook meets current HIPAA regulatory requirements to inform the UCSF workforce
regarding this important patient privacy and security initiative. It supplements the HIPAA
training. The UCSF Confidentiality Statement can be found at the back of the handbook.