HIPS Series > Overview and Recommended Content

Welcome to the Health Information Privacy and Security (HIPS) course series. If you are reading this, it's probably because you have access to sensitive health information as part of your work duties (or have supervisory responsibilities for persons that do).

HIPS on-line training is designed to help you (or them) learn how to use and protect that information appropriately.

Workforce training is generally required by both federal and state laws, as well as by private certification organizations like JCAHO. The specific training you need depends on the kind of work you do, and how you do it.

Privacy Series

  • Health Privacy: Overview of Federal and State Requirements
  • Health Privacy: Special Issues for Clinicians
  • Health Privacy: Special Issues for Fundraisers
  • Health Privacy: Special Issues for Marketers
  • Health Privacy: Special Issues for Researchers
  • Health Privacy: Special Issues for Students and Instructors

Security Series

  • Basics of Being Secure, part 1
  • Basics of Being Secure, part 2
  • Information Security: Overview of Federal and State Requirements
  • Picking and Protecting Passwords
  • Protecting Your Computer
  • Protecting Your Portables
  • Protecting Your Identity
  • Safer Emailing and IMing, part 1
  • Safer Emailing and IMing, part 2
  • Safer Web Surfing
  • Security Issues for Work/Workers Off-Site
  • Telephone Etiquette and Safety

This overview provides information about the recommended audience for each of these courses. If your supervisor or your organization’s privacy/security officials have different advice, follow that instead.

Copyright and disclaimer

These materials are copyrighted by the authors, but may be freely used for non-commercial purposes with appropriate attribution to the source. For details, see the site Copyright Notice. These materials are offered for educational purposes only. For details, see the site Disclaimer Notice.

Course reading and quizzes

The full HIPS series includes more than 20 different courses, each focused on particular privacy and information security topics.

The good news is that almost no one needs to take all of these (and no one ever needs them all at the same time). For most persons, just a few courses will be enough.

Each course has reading materials, similar to what you are viewing now, which require from 5 to 30 minutes each to complete. This time is for an average reader. Your experience will vary, especially depending on how much linked material you elect to read.

Each course has a multiple-choice quiz of 5 to 15 questions. The bad news is that completion of the quiz will usually be required for training "credit." Check with your organization's privacy/security official about what is required for your situation.

Basic information systems use

If you have regular access to any of your organization's computer systems or use its computer networks, you should take the two-part introductory information security course. It's called "Basics of Being Secure."

"Basics" is recommended even for persons who do not have regular access to sensitive, legally-protected information. Computers are increasingly interconnected. What you do on your own computer can affect everybody on the organization's network, and compromise critical systems.

Such inter-dependence is true of non-computer behavior as well -- something as simple as leaving an office door unlocked can compromise security broadly. Accordingly, the "Basics" course covers more than just computer security issues.

Advanced information systems use: personal computers, portable computers, etc.

"Basics of Being Secure" is enough to get you started. After that, as time and interest permit, you will probably need to take other information security courses related to the kinds of things you do on your computer.

While much of secure computer use comes from just exercising common sense, not all of it does. Activities such as emailing and Web surfing can get you into trouble if you don't know what you’re doing, and that requires understanding some complexities.

Without training on how to do your computer-related tasks safely, it's just a matter of time before you make a mistake. Perhaps a big mistake.

That's true not only for personal computer (PC) use, but for any shared, multi-user information systems to which you may have access, such as an organization-wide medical records application. Hence you may also need specialized training for that.

Health information security laws and regulations

For most of us, information security is a practical matter of knowing how to use the information devices and storage media that are a daily part of our work and personal lives. In contrast to the requirements for privacy, very few persons need to know the details of federal and state information security regulations.

However, for persons whose responsibilities include information security administration, or who work as systems administrators or data custodians, the "Information Security: Overview of Federal and State Requirements" course is recommended.

Health information users

Persons with regular access to patients' health information as a part of their work duties should take "Basics of Being Secure," and the introductory privacy course "Overview of Federal and State Privacy Requirements."

This latter course provides an overview of the legal requirements of HIPAA as well as state statutes. (It does not cover JCAHO, NCQA, or other private certification requirements, but those are similar in spirit if not in the details.)

The introductory privacy course is particularly important for persons who are responsible for making decisions about non-routine uses and disclosures of health information. It is also critical for persons who must answer patients’ day-to-day questions about legal protections for privacy.

Clinicians and privacy

Clinical care providers should take the security basics, privacy overview and "Privacy Issues for Clinicians" courses. If involved in research, marketing or fundraising, clinicians should also take the special privacy courses for those activities.

Federal and state statutes give clinicians broad latitude to use and disclose information for treatment purposes. There is an attendant obligation to use this freedom appropriately. Clinicians typically exercise a leadership role in health settings, so it is particularly critical that they set an example of what good practices should be.

Perhaps most important, patients often ask clinicians about privacy issues -- questions which cannot be answered without some training.

Fundraisers and privacy

Persons engaged in fundraising activities should take security basics, privacy overview and "Privacy Issues for Fundraisers."

The last of these covers the federal restrictions on fundraising activities under HIPAA, which can be strict. (State statutes may also be restrictive, but we can cover only the specifics of HIPAA in these courses.)

HIPAA rules for fundraising and marketing are closely related, so the "Privacy Issues for Marketers" course is also recommended for fundraisers. Even if you’re reasonably sure you’re not doing marketing, it may turn out that you are.

Marketing and privacy

Persons engaged in marketing activities should take security basics, privacy overview and "Privacy Issues for Marketers."

The last of these covers the federal restrictions on marketing activities under HIPAA. Though the marketing rules appear strict on first inspection, they contain many exemptions. (State statutes may be more restrictive.)

As noted, the rules for marketing and fundraising are closely related. "Privacy Issues for Fundraisers" is recommended for marketers -- even those who are sure they’re not engaged in fundraising.

Researchers and privacy

Persons engaged in human subjects research should take security basics, privacy overview and "Privacy Issues for Researchers."

HIPAA regulations for research are detailed and, in some cases, make for much stricter controls on information use than existed before. While an organization's Institutional Review Board (IRB) or Privacy Board can be counted upon to review compliance, investigators need to know the rules too.

(HIPAA's requirements do not generally represent a large additional burden, at least compared to those already in place under the Common Rule and FDA regulations. Don’t get discouraged.)

Students, instructors and privacy

Students in health care training programs must often access health information as part of their educational activities. When that's the case, they should take security basics, privacy overview and "Privacy Issues for Students and Instructors."

Such students should also take any privacy courses relevant to their training activities. (For example, clinical program students should take "Privacy Issues for Clinicians.")

Instructors for training programs should also take this course, to understand the rules that apply to training programs. Instructors must appropriately supervise students' information access -- and also set a good example themselves by knowing and following the rules.

How often is enough?

Only your organization's privacy/security official can tell you how often you should repeat these materials. There is currently no legal or regulatory standard for the frequency of "refresher" courses.

We recommend varying the privacy/security educational material to which you or those you supervise are exposed. We see little value in repeating the same course content year after year -- even if it's ours.

Your evaluation of the series

You can help us make these courses better. If you have two minutes to spare, take the online course evaluation whenever you complete a course.


Last modified: 17-Apr-2006 [RC]

 
 

   © 2002-2006 Contributing authors and University of Miami School of Medicine