UNC HIPAA Training: What’s Required, Who Must Train, and How Often

HIPAA Training Requirements

UNC HIPAA training ensures Workforce HIPAA Compliance for anyone who may create, access, transmit, or store Protected Health Information (PHI). “Workforce” includes faculty, staff, student employees, residents, volunteers, temporary workers, and certain contractors or affiliates working under UNC’s control.

Before you handle PHI, you must complete role-appropriate training that explains privacy rules, security standards, minimum necessary use, breach reporting, and safeguards for verbal, paper, and electronic information. Supervisors assign modules based on your duties so you learn the right controls for clinical, research, billing, or administrative contexts.

Core competencies you should demonstrate

• Identify PHI and apply the minimum necessary standard in daily tasks.
• Use secure tools for storage, transmission, and disposal of PHI.
• Report suspected incidents or breaches immediately through approved channels.
• Follow workstation, password, and physical security practices to prevent unauthorized access.

Initial education occurs prior to PHI access, followed by Mandatory Annual Training to reinforce policies, highlight changes, and close gaps revealed by audits or incidents.

Training Platforms and Procedures

UNC delivers content through its Learning Management System (LMS). Employees and most affiliates complete assignments in the Cornerstone Training Platform, while many courses for students and certain programs run in the Canvas Training Platform. Your onboarding materials specify which system you will use.

How your training typically proceeds

• Receive assignment in the designated LMS with due dates and required modules.
• Complete interactive lessons, pass knowledge checks, and sign policy attestations.
• Document completion; certificates or LMS records serve as proof for audits.
• Retain access to reference materials and micro-learnings for just-in-time refreshers.
• Return for Mandatory Annual Training and any role-change or policy-update modules.

If you encounter access or completion issues, notify your supervisor or departmental training contact so deadlines are adjusted and your access to PHI is not delayed.

BYOD Policy Compliance

UNC’s Bring Your Own Device (BYOD) Policy sets conditions for using personal laptops, tablets, or phones with PHI. You may only access institutional email, EHRs, research systems, or cloud services on devices that meet security standards and are used in accordance with HIPAA.

Minimum BYOD safeguards

• Enable strong authentication, automatic locking, encryption at rest, and remote wipe.
• Use approved apps, secure messaging, and institutional email; never auto-forward PHI to personal email or unapproved services.
• Prohibit unencrypted local storage, consumer cloud backups, and unauthorized screen captures of clinical systems.
• Maintain physical control of devices; report loss, theft, or compromise immediately.
• Follow secure Wi‑Fi practices, avoid public printers, and properly dispose of data when decommissioning a device.

Your HIPAA modules explain how these controls apply to your role and what evidence of compliance (for example, attestations) you must keep.

Training for Student Employees

Student employees who access PHI—such as clinic assistants, research aides, or teaching support staff—must complete UNC HIPAA training before any PHI access. Supervisors assign the correct modules in the Cornerstone Training Platform or the Canvas Training Platform based on the employment arrangement.

Students learn how HIPAA intersects with FERPA, research protocols, shadowing limitations, and social media boundaries. Supervisors verify completion, set expectations for secure workflows, and ensure students understand escalation paths for questions or incident reporting.

Training Deadlines and Scheduling

You must complete initial HIPAA training prior to receiving system credentials or performing tasks that involve PHI. UNC also requires Mandatory Annual Training to refresh key rules and address policy updates. Departments may impose shorter internal deadlines for onboarding or role changes.

LMS reminders help you track due dates. If your role changes, you may receive additional modules to cover new responsibilities (for example, moving from a non-PHI role to one with system access). Failure to complete training on time can lead to access delays or other corrective actions.

Contracted Entities Training Obligations

Vendors, agency staff, and other contracted entities that handle PHI under UNC direction must demonstrate HIPAA readiness. Depending on contract terms, they either complete UNC-provided modules or provide acceptable proof of equivalent training for their workforce, along with required agreements.

What contractors should provide

• Verification of current HIPAA education aligned to UNC standards and scope of services.
• Signed confidentiality and security attestations for individuals assigned to UNC work.
• Agreement to follow UNC policies, including BYOD requirements when applicable.
• Timely updates if staff change, with training records available for audit.

UNC departments remain responsible for validating completion before granting access to systems, facilities, or PHI.

Non-Employed Learners Training Protocols

Non-employed learners—such as visiting students, observers, interns, or fellows sponsored by a UNC school or department—must complete HIPAA modules and sign confidentiality acknowledgments before any clinical observation, research activity, or system access that could involve PHI.

Program coordinators or preceptors ensure learners use the correct LMS, understand BYOD limits, and work only within approved scopes. Photography, recording, and independent downloads of PHI are prohibited unless expressly authorized and compliant with policy.

Conclusion

UNC HIPAA training equips you to protect PHI, comply with policy, and use technology safely. Complete your assigned modules in the designated LMS, keep your BYOD settings compliant, and return for Mandatory Annual Training so your access and responsibilities remain in good standing.

FAQs.

Who is required to complete UNC HIPAA training?

All workforce members who may encounter PHI—faculty, staff, residents, student employees, volunteers, temporary workers, and covered contractors or affiliates—must complete UNC HIPAA training before accessing PHI and maintain current certification thereafter.

How often must HIPAA training be completed at UNC?

You complete training before any PHI access and then participate in Mandatory Annual Training. Additional modules may be required when your role changes or when policies and systems are updated.

What training platforms are used for HIPAA training at UNC?

UNC delivers training through its Learning Management System. Employees typically use the Cornerstone Training Platform, while many student or program-specific courses run in the Canvas Training Platform. Your assignment will specify the correct system.

How do contracted entities comply with UNC HIPAA training requirements?

Contracted entities must either complete UNC’s assigned HIPAA modules or provide acceptable proof of equivalent HIPAA education for their workforce, plus required confidentiality attestations. UNC departments verify completion before granting access to systems or PHI.