UNC HIPAA Training Requirements and Annual Compliance Guide for Workforce Members

Kevin Henry

HIPAA

May 24, 2024

7 minute read

HIPAA Training Requirements for Employees

Who must complete training

If you create, receive, maintain, or transmit Protected Health Information (PHI) for a UNC covered component, you must complete HIPAA training. This includes faculty, staff, residents, postdocs, temps, and contractors whose work for the component is under its direct control, along with anyone who has access to Electronic Protected Health Information (ePHI). Vendors engaged as Business Associates are responsible for training their own workforce under their Business Associate Agreement; that obligation does not replace the unit's own training records for people it directly controls.

Timing and frequency

Complete baseline training before you are granted access to PHI or ePHI, and take a refresher at least annually. Repeat training whenever your role changes materially or when policies, systems, or risks change in ways that affect your duties.

What the curriculum covers

  • Privacy Rule fundamentals: permitted uses and disclosures, minimum necessary, authorizations.
  • Security Rule basics: safeguards for ePHI, passwords, encryption, and secure configuration.
  • Identity verification, release of information, and handling patient rights requests.
  • Incident recognition and immediate reporting of suspected breaches or ransomware.
  • Practical safeguards: secure messaging, clean desk, secure printing, and disposal.

Documentation and accountability

Your unit tracks completion and may condition system access on current training. Keep attestations and completion records; HIPAA requires training documentation to be retained for at least six years from the date it was created or the date it was last in effect, whichever is later. Supervisors should monitor compliance and address lapses promptly.

HIPAA Training Requirements for Student Employees

Who is included

If you are a student employee, graduate assistant, research assistant, intern, or volunteer performing work for a UNC covered component, you are part of the HIPAA workforce and must complete training before accessing PHI. Your status as a student does not exempt you when acting in an employee role.

How training is assigned and completed

Your hiring unit or privacy liaison enrolls you in the required modules and confirms completion before day-one access. Expect annual refreshers and additional role-based modules if you handle specialty data (e.g., behavioral health or substance use disorder records).

Special considerations for students

Understand how HIPAA and FERPA divide responsibility in your role: student education records, including treatment records kept by a campus health service solely for a student's treatment, fall under FERPA and are excluded from HIPAA's definition of PHI, while records of other patients seen by a covered component are PHI. When your assignment ends or changes, stop using systems immediately and return or securely delete any PHI following unit procedures. Keep training proof accessible if you transfer between covered components.

HIPAA Training for Personal Device Users

Before you use a personal device

Do not store or access ePHI on a personal device unless your unit authorizes it and required protections are in place. You may be asked to enroll in mobile device management, enable full‑disk encryption, and agree to remote wipe if the device is lost or stolen.

Required safeguards

  • Strong passcode/biometrics, auto‑lock, and encryption enabled.
  • No syncing of ePHI to consumer cloud backups or personal email accounts.
  • Use only approved apps, VPN, and secure messaging for PHI transmissions.
  • Disable device sharing; separate work and personal data where supported.
  • Report loss, theft, or compromise immediately to your unit and the Security Officer.

Everyday practices

Limit local storage of ePHI, avoid screenshots, and use secure document viewers. When feasible, access PHI via virtual desktops or approved portals so data stays within UNC systems.

Administrative Requirements for HIPAA Compliance

Program governance

UNC covered components designate a HIPAA Privacy Official and a HIPAA Security Officer to oversee the Privacy Rule and Security Rule, respectively. A HIPAA Committee coordinates policies, standards, and monitoring across the Hybrid Entity.

Policies and procedures

  • Minimum necessary access, role‑based permissions, and user provisioning/deprovisioning.
  • Risk analysis and risk management plans for systems handling ePHI.
  • Vendor management: Business Associate Agreements and data flow inventories.
  • Sanctions for violations and a non‑retaliation policy for good‑faith reporting.
  • Documentation retention for at least six years from creation or last effective date.

Training, audits, and continuous improvement

Maintain initial and annual training, periodic phishing and security awareness, and targeted refreshers after incidents. Audit access logs for minimum-necessary violations (charts opened without a documented reason or care relationship, same-surname lookups, bulk browsing), review release-of-information workflows, and remediate findings with clear deadlines and owners.
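The access-log audit described above, and the "unauthorized snooping" breach example later on this page, come down to a handful of checks that can be run over an EHR access log. The script below is an added example for this article, not UNC's code or any EHR vendor's: the CSV log format, the user directory, the care-team assignments, the role-to-reason mapping and the bulk-access threshold are all constructed assumptions chosen for illustration. It flags chart opens with no recorded reason, reasons a role is not expected to use, clinical users opening charts outside their assignments, patients sharing the user's surname, and a user opening many distinct charts in a short window.

```python
"""Audit a constructed EHR access log for minimum-necessary red flags.

Added example for this article, not code from UNC or an EHR vendor. The
log format, directory, assignments, role mapping and thresholds are
assumptions for illustration only.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one row per chart open.
# A blank access_reason means the user recorded none.
SAMPLE_LOG = """\
timestamp,user,patient_id,patient_last_name,access_reason
2024-05-20T08:01:00,jdoe,P1001,Smith,treatment
2024-05-20T08:05:00,jdoe,P1002,Garcia,treatment
2024-05-20T12:30:00,jdoe,P2001,Doe,
2024-05-20T09:00:00,rlee,P1001,Smith,payment
2024-05-20T09:02:00,rlee,P1003,Nguyen,treatment
2024-05-20T22:15:00,tkim,P3001,Patel,operations
2024-05-20T22:16:00,tkim,P3002,Chen,operations
2024-05-20T22:17:00,tkim,P3003,Okafor,operations
2024-05-20T22:18:00,tkim,P3004,Rossi,operations
2024-05-20T22:19:00,tkim,P3005,Ivanov,operations
2024-05-20T22:20:00,tkim,P3006,Silva,operations
"""

# Constructed user directory, care-team assignments and policy mapping
# (assumptions): which patients a clinician is assigned to, and which
# access reasons each role is expected to select.
USERS = {
    "jdoe": {"role": "nurse", "last_name": "Doe"},
    "rlee": {"role": "billing", "last_name": "Lee"},
    "tkim": {"role": "scheduler", "last_name": "Kim"},
}
ASSIGNMENTS = {"jdoe": {"P1001", "P1002"}}
CLINICAL_ROLES = {"nurse", "physician"}
ROLE_REASONS = {
    "nurse": {"treatment"},
    "physician": {"treatment"},
    "billing": {"payment", "operations"},
    "scheduler": {"operations"},
}


def parse_log(text):
    """Parse the CSV log; add a datetime under 'ts' and normalise the reason."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["timestamp"])
        r["access_reason"] = (r["access_reason"] or "").strip()
        rows.append(r)
    return rows


def audit(rows, users=USERS, assignments=ASSIGNMENTS, role_reasons=ROLE_REASONS,
          bulk_threshold=5, bulk_window=timedelta(minutes=10)):
    """Return one finding dict per rule hit (per-row rules, then bulk rule)."""
    findings = []

    def flag(rule, row, detail):
        findings.append({"rule": rule, "user": row["user"],
                         "patient_id": row["patient_id"],
                         "timestamp": row["timestamp"], "detail": detail})

    for r in rows:
        user = users.get(r["user"], {"role": "unknown", "last_name": ""})
        if not r["access_reason"]:
            flag("missing_reason", r, "cannot demonstrate minimum necessary")
        elif r["access_reason"] not in role_reasons.get(user["role"], set()):
            flag("reason_not_expected_for_role", r,
                 f"{user['role']} used reason '{r['access_reason']}'")
        if (user["role"] in CLINICAL_ROLES
                and r["patient_id"] not in assignments.get(r["user"], set())):
            flag("outside_assignment", r, "no care-team relationship on file")
        if user["last_name"] and \
                r["patient_last_name"].lower() == user["last_name"].lower():
            flag("same_surname", r, "possible self or family record lookup")

    # Bulk-access rule: sliding time window over each user's accesses,
    # counting distinct patients; one finding per user is enough to review.
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    for events in by_user.values():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(events):
            while e["ts"] - events[start]["ts"] > bulk_window:
                start += 1
            distinct = {x["patient_id"] for x in events[start:end + 1]}
            if len(distinct) > bulk_threshold:
                flag("bulk_access", e,
                     f"{len(distinct)} distinct patients within {bulk_window}")
                break
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f"{f['timestamp']} {f['user']:6} {f['patient_id']:6} "
              f"{f['rule']:28} {f['detail']}")
```

Each finding is a lead for the Privacy Official to review, not a determination: a same-surname match or an unassigned chart can have a legitimate explanation (a float nurse, an emergency), which is exactly why the access reason field matters. In a real deployment the directory and assignments would come from the identity system and the scheduling or care-team feed, and the thresholds would be tuned against a baseline of normal activity for each role.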

Incident response and breach notification

Follow a written incident response plan that includes triage, containment, forensic analysis, and notification workflows. HIPAA requires notification of affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered, where discovery means the first day the breach is known, or reasonably should have been known, to any workforce member other than the person who committed it. Notice to HHS is also required (with the individual notices for breaches affecting 500 or more people, otherwise in an annual log), and breaches affecting more than 500 residents of a state or jurisdiction require notice to prominent media outlets. Prompt internal reporting is what makes these deadlines achievable.

HIPAA Compliance at UNC

UNC as a Hybrid Entity

UNC operates as a Hybrid Entity by designating specific schools, departments, clinics, and service units as HIPAA covered components. If you work within a covered component or support it, HIPAA applies to your duties even if your broader organization is not a healthcare provider.

Your responsibilities day to day

  • Access only the PHI you need to perform your job; verify identity before disclosure.
  • Secure workspaces, screens, and printed materials; use approved storage and transmission methods.
  • Escalate questions to your Privacy Official or Security Officer before taking action.
  • Report incidents immediately; do not investigate on your own or delete evidence.

Coordination and oversight

The HIPAA Committee reviews policies, major system changes affecting ePHI, and training metrics. Units align local procedures to institutional standards while addressing unique clinical, research, or operational needs.

Breach of Confidentiality Definition

What counts as a breach

A breach is an acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule that compromises its security or privacy. Any impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. UNC performs that assessment using HIPAA's four factors: the nature and extent of the PHI involved (including the identifiers and the likelihood of re-identification), the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

Common examples

  • Misdirected emails or faxes containing PHI to the wrong recipient.
  • Lost or stolen laptops or phones with unencrypted ePHI.
  • Unauthorized snooping in patient records without a work‑related need.
  • Improper social media posts, photos, or screenshots revealing PHI.
  • Malware or ransomware that compromises systems holding ePHI.

Exceptions and immediate actions

HIPAA recognizes three narrow exceptions: an unintentional, good-faith access or use by a workforce member acting within the scope of their authority, with no further impermissible use or disclosure; an inadvertent disclosure between two people at the same covered component who are both authorized to access PHI; and a disclosure where there is a good-faith belief that the unauthorized recipient could not reasonably have retained the information. Incidental disclosures that occur despite reasonable safeguards and minimum necessary practices are permitted under the Privacy Rule rather than treated as breaches. Regardless, stop the exposure, secure the data, and report immediately so the Privacy Official can determine whether a breach occurred; do not make that determination yourself.

HIPAA Compliance Officer Roles

HIPAA Privacy Official

  • Oversees Privacy Rule compliance, privacy policies, and minimum necessary standards.
  • Manages privacy complaints, breach risk assessments, and required notifications.
  • Leads privacy training content and approves unit‑specific procedures.
  • Advises on de‑identification, authorizations, and disclosures to third parties.

HIPAA Security Officer

  • Leads risk analysis, security architecture, and safeguards for ePHI.
  • Oversees access controls, encryption, auditing, and vulnerability management.
  • Coordinates incident response, forensics, and corrective action plans.
  • Guides secure configurations for endpoints, servers, and cloud solutions.

HIPAA Committee

  • Aligns policies across covered components and reviews high‑impact changes.
  • Monitors training completion and key risk indicators, escalating trends to leadership.
  • Facilitates communication among compliance, IT, legal, research, and operations.

Conclusion

To meet UNC HIPAA training requirements, complete onboarding training before accessing PHI, refresh annually, and follow unit procedures that safeguard ePHI. Know your Hybrid Entity responsibilities, report issues fast, and partner with the HIPAA Privacy Official, Security Officer, and HIPAA Committee to sustain compliant, patient‑centered operations.

FAQs

What are the annual HIPAA training requirements at UNC?

You must complete baseline training before PHI access and an annual refresher that reinforces Privacy Rule and Security Rule obligations, practical safeguards for ePHI, and breach reporting steps. Your unit tracks completion, and related documentation should be retained for at least six years.

How do student employees complete HIPAA training?

Your hiring unit or privacy liaison enrolls you in required modules. Finish training before you start work that involves PHI, repeat it annually, and complete any role‑specific content tied to your assignment. Keep your completion record if you change units or roles.

What roles do HIPAA Compliance Officers have at UNC?

The HIPAA Privacy Official manages privacy policies, training, and breach assessments, while the HIPAA Security Officer leads risk analysis, technical safeguards, and incident response for ePHI. A HIPAA Committee coordinates standards and oversight across the Hybrid Entity.

What defines a breach of confidentiality under HIPAA?

It is an impermissible use or disclosure of PHI that compromises security or privacy, assessed using HIPAA’s four‑factor test. Examples include misdirected disclosures, lost unencrypted devices, or unauthorized record access. Report suspected incidents immediately so trained officials can evaluate and respond.
