UF HIPAA Compliance Training Checklist for Employees, Researchers, and Vendors

Use this UF HIPAA compliance training checklist to confirm you complete the right modules, on time, and with the proper documentation. It covers workforce expectations, research-specific requirements, annual refreshers, how to access modules with GatorLink Training Access, and vendor obligations.

UF Workforce Training Requirements

UF defines “workforce” broadly: faculty, staff, residents, students, volunteers, temps, and contractors who work in covered components or handle protected health information (PHI). If you will view, create, transmit, or store PHI—or support systems that do—you must complete baseline training before gaining access and keep it current thereafter.

• PRV800 HIPAA & Privacy – General Awareness: complete prior to PHI access; refresh as assigned.
• Information Security Training (ITT102v): annual security awareness for anyone handling ePHI or connecting to UF systems.
• Compliance and Ethics Program: annual training covering reporting responsibilities and conduct expectations.
• FERPA Basics (PRV802): required if you access student education records in addition to PHI or other data.
• Role- or department-specific add-ons: complete any modules your area assigns during onboarding.

Supervisors should verify assignments, track completions, and ensure no one is granted PHI access until prerequisites appear as “completed” in the training record.

HIPAA Training for Researchers

If your study uses PHI—through medical records, clinics, data warehouses, or sponsored projects—complete HIPAA training and document it in your study files and submissions. Research teams often have added obligations beyond the workforce baseline.

Research training checklist

• PRV800 HIPAA & Privacy – General Awareness for all study personnel with PHI access.
• IRB Mandatory Training per your IRB’s requirements; ensure all listed personnel are current at submission and continuing review.
• HSC Research Billing Risks when your research involves billable clinical services or charge routing.
• Information Security Training (ITT102v) for anyone handling ePHI, data extracts, or using secure storage/transfer tools.
• FERPA Basics (PRV802) if your project includes student education records.

Principal Investigators are responsible for ensuring new team members complete required modules before being added to protocols or receiving system access.

Annual Additional Compliance Trainings

Several trainings recur annually to keep access active and support ongoing compliance. Your training profile will display specific due dates and auto-assign refreshers as needed.

• Information Security Training (ITT102v): complete every year to maintain system access and safeguard ePHI.
• Compliance and Ethics Program: annual refresher on reporting channels, conflicts, and standards of conduct.
• HIPAA & Privacy refresher: an annual update, commonly satisfied via PRV800 or an assigned refresher module.
• FERPA Basics (PRV802): annual if your role involves student data.

Best practice: set calendar reminders 30 days before each due date, run monthly completion checks for your team, and address any lapses immediately to avoid system access interruptions.

Accessing Training Modules

All required modules are available through the UF training portal. Use your GatorLink Training Access to enroll, launch courses, and track completion.

Step-by-step access

1. Activate and secure your GatorLink account with multi-factor authentication.
2. Sign in to the UF training portal and search by code or title: PRV800, ITT102v, PRV802, IRB Mandatory Training, HSC Research Billing Risks.
3. Enroll in the course, complete the content and required assessments, and confirm the status shows “completed.”
4. Download or save the completion confirmation for your records and, when applicable, your study regulatory binder.
5. Review your “Assigned Learning” regularly and monitor automated reminder emails for upcoming due dates.

If a required course is not visible, contact your supervisor or department administrator to ensure the correct assignments appear in your profile.

Compliance Training for Employees

Use these role-based checklists to confirm you have everything covered before requesting system access or beginning work with PHI.

Clinical or covered-component roles

• PRV800 HIPAA & Privacy – General Awareness (pre-access; refresh as assigned).
• Information Security Training (ITT102v) annually.
• Compliance and Ethics Program annually.
• Any department-specific privacy, security, or safety modules.

Administrative and operational roles

• Determine if your duties involve PHI or systems that store PHI; if so, complete PRV800 before access.
• Information Security Training (ITT102v) annually for all system users.
• Compliance and Ethics Program annually.
• FERPA Basics (PRV802) if you work with student records.

Student employees and volunteers

• Complete PRV800 if your assignment involves PHI or covered clinics.
• ITT102v annually if you use UF systems handling sensitive data.
• PRV802 if responsibilities include student education records.

Managers should review rosters regularly, address overdue items promptly, and remove access for individuals who no longer require PHI or system privileges.

Compliance Training for Researchers

Researchers have additional documentation and oversight responsibilities. Build training checks into your startup and continuing review processes.

PI and study team responsibilities

• Map data flows to verify whether PHI or ePHI is involved and assign PRV800 accordingly.
• Ensure IRB Mandatory Training is current for all study personnel at submission and renewal.
• Assign HSC Research Billing Risks to staff who schedule, code, or reconcile clinical charges tied to research.
• Require ITT102v for anyone handling ePHI, data extracts, or secure platforms.
• File completion confirmations in the regulatory binder and maintain a team training log.

Before onboarding new staff, verify and document all required completions to prevent delays in protocol updates or access requests.

Vendor Compliance Training Overview

Vendors and service providers that create, receive, maintain, or transmit UF PHI must meet HIPAA obligations prior to access. Department sponsors are responsible for verifying these conditions before onboarding.

Vendor checklist

• Confirm a Business Associate Agreement or appropriate contractual protections are in place.
• Require proof of HIPAA training for vendor workforce (equivalent to PRV800 HIPAA & Privacy – General Awareness).
• For system access or remote connections, require security awareness training equivalent to Information Security Training (ITT102v).
• Grant least-privilege access, set explicit end dates, and ensure prompt offboarding when work ends.
• Maintain documentation of vendor training attestations and periodic access reviews.

Conclusion

Staying compliant at UF means completing the right modules for your role, keeping annual requirements current, and documenting everything. Use GatorLink Training Access to track PRV800, IRB Mandatory Training, HSC Research Billing Risks, PRV802, ITT102v, and the Compliance and Ethics Program so your access remains uninterrupted and your responsibilities are clear.

FAQs

Who must complete UF HIPAA compliance training?

Anyone in the UF workforce who handles PHI—or supports systems and workflows where PHI resides—must complete HIPAA training. This includes faculty, staff, residents, students, volunteers, temps, contractors, and vendors working within covered components or accessing PHI under UF agreements.

What are the required training modules for UF researchers?

Researchers who access PHI typically complete PRV800 HIPAA & Privacy – General Awareness, IRB Mandatory Training, HSC Research Billing Risks if clinical billing is involved, and Information Security Training (ITT102v) for ePHI and secure systems. PRV802 applies when research includes student education records.

How often must employees complete HIPAA and compliance training?

Complete HIPAA training before PHI access and take assigned refreshers annually. Information Security Training (ITT102v) and the Compliance and Ethics Program recur each year, and FERPA Basics (PRV802) is annual when your role includes student data. Your training profile lists exact due dates.

How can UF workforce members access their training modules?

Sign in to the UF training portal using your GatorLink Training Access, search by course code or title (such as PRV800, ITT102v, PRV802, IRB Mandatory Training, HSC Research Billing Risks), enroll, and complete the assessments. Save your confirmations and monitor your profile for upcoming renewals.