|Policy No.||8-27-2019||Revised Date:|
The following describes WSU Employee Wellness’s policy on workforce training.
Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media, but excludes individually identifiable health information in: (a) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (b) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (c) employment records held by WSU Employee Wellness in its role as employer.
Protected Health Information (“PHI”): means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media. IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse. Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.
Workforce: means employees, volunteers, trainees and other persons whose conduct, in the performance of work for Weber State University, is under the direct control of WSU Employee Wellness, whether or not they are paid by Weber State University.
WSU Employee Wellness will train all workforce members on WSU Employee Wellness’s HIPAA Policies and Procedures as necessary and appropriate for each workforce member to perform their duties within WSU Employee Wellness. Any formal training undertaken as part of the compliance program shall be documented.
A. Orientation – New Workforce Members
As part of new workforce orientation, all new workforce members shall be instructed in any specific standards of conduct that affect their positions. New workforce members shall receive compliance training within thirty (30) days of hiring. Workforce members shall undergo refresher training at least annually.
B. General Training
General training for all workforce members shall emphasize the commitment of WSU Employee Wellness to comply with HIPAA and a workforce member’s duty to report noncompliance. General training shall include:
1. an overview of the applicable laws;
2. the operational importance of the compliance program and how it works;
3. the consequences of violating the policies that are part of the compliance program; and
4. the role of each workforce member in the compliance program and how to report noncompliance.
C. Security Awareness and Training
Workforce members will be trained on HIPAA security policies and procedures with respect to safeguarding electronic protected health information (“PHI”) as reasonable and appropriate to carry out their functions.
1. Security Reminders: WSU Employee Wellness shall ensure that security updates are provided to workforce members periodically. WSU Employee Wellness shall ensure that methods are developed for delivering security updates that address environmental and operational changes affecting the security of electronic PHI. Such methods could include:
(a) distributing pamphlets, letters, posters or news articles;
(b) e-mailing security updates;
(c) conducting security presentations;
(d) information system sign-on messages; or
(e) posting information on a website.
2. Protection from Malicious Software: Workforce members will be trained on guarding against, protecting from, and reporting of, malicious software. Such training will include the following topics:
(a) how to discover malicious software;
(b) how to report malicious software;
(c) how to discover malicious software fraud;
(d) how not to download or receive malicious software; and
(e) how to use anti-virus software appropriately.
3. Log-in Monitoring: Workforce members will be trained on monitoring log-in attempts and reporting discrepancies regarding their log-in attempts. The log-in monitoring training and awareness shall include the following topics:
(a) how to detect a log-in discrepancy;
(b) how to report a log-in discrepancy; and
(c) how to successfully use WSU Employee Wellness’s secure log-in process.
4. Password Management: Workforce members will be trained on creating, changing and safeguarding passwords used to verify users’ identities and to obtain access to electronic PHI. Password management training and awareness shall include the following requirements for access to WSU Employee Wellness’s information system:
(a) Weber State University’s password standards and guidelines;
(b) the process for changing temporary passwords when assigned for new log-in;
(c) the importance of keeping passwords confidential;
(d) the significance of changing passwords and avoiding reusing passwords;
(e) the importance of changing passwords when there is an indication of password or information system compromise;
(f) the importance of logging off before leaving a workstation; and
(g) the importance of selecting a strong password.
D. Training Attendance
Attendance and participation in compliance training shall be a condition of continued employment or engagement of workforce members subject to training requirements. Failure to comply with training requirements will result in discipline and may result in termination.
WSU Employee Wellness shall communicate this compliance plan and applicable standards of conduct to contractors doing business with WSU Employee Wellness as appropriate, and shall require, as appropriate, as a condition of contracting with WSU Employee Wellness, that such contractors abide by this compliance plan and applicable standards of conduct.
F. Compliance Policy Clarification
The Privacy Officer shall establish a procedure for workforce members to submit questions about, or request clarification of, any compliance issues. If appropriate, the Privacy Officer shall share the questions and answers with workforce members.