Who needs General HIPAA Awareness Training?

Individuals who are assigned to a department or unit within the covered component of our hybrid entity and who meet either of the following criteria must complete general HIPAA awareness training:

  • Serve in a position that allows direct or indirect contact with personal health or health-related financial information – electronic, paper, or verbal, in the lab – for either a clinical or a research purpose, or
  • Is expected to have direct contact with patients

All persons meeting these criteria who are active in these roles at UofL are required to complete the Privacy and Security lessons. New workforce members are required to complete the training within thirty (30) days of their hire date or, if a transfer, their qualifying role assignment. Department heads are responsible for ensuring all applicable faculty and staff have completed the required training.

The general application of the training requirement criteria, from a specific school/department/group perspective, is described as follows:

Schools of Dentistry and Medicine

Both schools are considered part of the healthcare component of our hybrid entity; thus, HIPAA training is required for their faculty, staff, and students whose roles meet the training criteria.

Audit Services
Human Resources Benefits/Get Healthy Now
Information Technology
University Counsel

All individuals in these departments are required to complete HIPAA training.

Controller’s Office
University Advancement/Development
Department of Environmental Health and Safety
University Archives and Records

Individuals in these departments who meet the training requirement criteria are required to complete HIPAA training.


Individuals conducting human subjects research that requires access to or collection of protected health information are required to complete the HIPAA Security and Research Fundamentals courses.  This applies to all individuals conducting UofL research, regardless of which UofL School or Department holds their job/role assignment.

School of Public Health and Information Sciences (SPHIS)

SPHIS is not considered part of the healthcare component of our hybrid entity; thus, HIPAA training is not required unless requested by SPHIS administration.  Traditionally, SPHIS has required its students to complete HIPAA training as a part of their placement activities with affiliated organizations.