Augmented penalties, audits, and required breach notifications under the Health Information Technology for Economic and Clinical Health (HITECH) Act's amendments to HIPAA have raised the stakes for healthcare organizations' compliance. IPS is designed to help ensure HIPAA compliance, quality assurance, and risk reduction.
IPS consists of three courses on Health Privacy (focusing on HIPAA), Information Security, and the Family Educational Rights and Privacy Act (FERPA), which can be utilized based on organizational needs. Each course includes content for individuals who only need basic information, as well as content tailored to specific roles, applications, devices, and settings. It is suitable for anyone who works with individually identifiable health data (HIPAA-defined "PHI"), or FERPA-covered educational records and data, or has responsibilities for setting policies and procedures with respect to these types data.
The Health Privacy and Information Security courses were authored by Reid Cushman, PhD, of CITI Program and peer-reviewed by experts.
The Family Education Rights and Privacy Act (FERPA) course was authored by Thomas W. Gold, PhD, of Network for Teaching Entrepreneurship and peer-reviewed by experts.
Language Availability: English, Korean
Suggested Audiences: Administrators, Educators, Individuals Working with Identifiable Health Data (HIPAA-defined “PHI”), Instructors, IRB Administrators, IRB Members, Researchers, Students, Teachers
What subject areas does IPS training cover?
The Health Privacy course addresses legal-regulatory requirements for data protection by subject area. Currently, the focus is on HIPAA-related requirements for health data. FERPA-related content focused on education records is also available. The Information Security track discusses protection of information in any context, regardless of the subject matter.
What privacy topics are addressed?
The Health Privacy course includes content on the basics of the federal HIPAA requirements, and touches on state and local requirements. This foundation is supplemented by content that focuses on healthcare roles and types of activities, because HIPAA’s requirements are largely conditioned by the purpose behind a use or disclosure of health information. Learn more.
The Family Educational Rights and Privacy Act (FERPA) course includes content on the basics of federal FERPA requirements, which also touches on state and local requirements. An introductory module is complemented by audience-specific modules.
What information security topics are addressed?
The Information Security track is organized to provide a basic foundation of data and device security techniques, supplemented by more detailed information relevant to the particular activities and context of the learner. Learn more.
What is the recommended course setup?
For a basic course in Health Privacy, we recommend that the “Basics” module be required as a foundation, along with at least one of the role-specific modules, depending on the type of learner.
For a basic Information Security course, we recommend that the two “Basics” modules be required as a foundation. A subset of the remaining modules could be used as electives, or as purely supplemental (optional) modules.
For a basic course in Family Educational Rights and Privacy Act (FERPA), we recommend that the “FERPA: An Introduction” module be required as a foundation, along with at least one of the role-specific modules, depending on the type of learner.
What is the recommended training frequency?
Neither HIPAA or FERPA regulations nor the federal agencies administering them offer specific guidance on the frequency of HIPAA-related or FERPA-related training. It is up to each organization to determine when a “refresher” is appropriate. Sometimes state laws or organizational policies may provide a standard. Absent other considerations, we recommend retraining of some kind at least every three to four years.
Standards for the frequency of information security training are also elusive. Generally, it is up to each organization to determine when a “refresher” is appropriate, except where a controlling law or regulation provides a standard. Absent such a standard, or a requirement from the organization’s own policies, we recommend some kind of retraining at least every three to four years.