Don't put your organization at risk!

This advanced HIPAA awareness program was created with the goal of giving healthcare workers something useful to take away from the instruction - fundamental skills necessary to comply with HIPAA rules and protect their organization and patients from threats to protected health information.

Most HIPAA courses put your organization at significant risk - they are simply pay to play, where you watch a few videos, take a short quiz, print a certificate, and then move on without really understanding what HIPAA is and how to be compliant in your day-to-day activities.

Course curriculum

  • 1
    • HIPAA Fundamentals and Awareness Introduction

  • 2. HIPAA Overview & Timeline
    • HIPAA Overview & Timeline
    • Quiz - HIPAA Overview & Timeline

  • 3. HIPAA Definitions and Lexicon
    • HIPAA Definitions and Lexicon
    • Quiz - HIPAA Definitions and Lexicon

  • 4. The HITECH Act
    • The HITECH Act
    • Quiz - HITECH Act

  • 5. HIPAA Regulatory Rules
    • HIPAA Regulatory Rules
    • Quiz - HIPAA Regulatory Rules
    • The Omnibus Final Rule
    • Quiz - HIPAA Omnibus Rule
    • The Privacy Rule
    • Quiz - The Privacy Rule
    • The Security Rule
    • Quiz - HIPAA Security Rule
    • The Enforcement Rule
    • HIPAA Patient Rights
    • Quiz - HIPAA Patient Rights
    • The Breach Rule
    • Quiz - HIPAA Breach Rule
    • Disclosure Rules
    • Quiz - Disclosure Rules

  • 6. Threats to Patient Data
    • Threats to Patient Data
    • Quiz - Threats to Patient Data

  • 7. IT Security Principles and Strategies
    • IT Security Principles and Strategies

  • 8. Computer Safety Rules
    • Computer Safety Rules
    • Quiz - Computer Safety Rules

  • 9. HIPAA Violation Consequences
    • HIPAA Violation Consequences
    • Quiz - HIPAA Violation Consequences

  • 10. Preventing HIPAA Violations
    • Preventing HIPAA Violations
    • Quiz - Preventing HIPAA Violations

  • 11. HIPAA and Social Media
    • HIPAA and Social Media
    • Quiz - HIPAA and Social Media

  • 12. HIPAA and Emergency Situations
    • HIPAA and Emergency Situations
    • Quiz - HIPAA and Emergency Situations

  • 13. PHI and Public Health
    • PHI and Public Health

  • 14. HIPAA Officer
    • HIPAA Officer
    • Quiz - HIPAA Officer

  • 15. Being a HIPAA Compliant Employee
    • Being a HIPAA Compliant Employee
    • Quiz - Being a HIPAA Compliant Employee

  • 16. HIPAA Compliance Checklist
    • HIPAA Compliance Checklist

  • 17. Recent HIPAA Updates
    • Recent HIPAA Updates
    • Quiz - Recent HIPAA Updates

  • 18. Best Practices
    • HIPAA Best Practices

  • 19
    • Scenario 1
    • Quiz - Scenario 1
    • Scenario 2
    • Quiz - Scenario 2

  • 20
    • HIPAA Knowledge Check
    • Congratulations!


  • What makes this course different?

    This course differs from the typical HIPAA certificate program where you just pay the fee, print the certificate, and move on. This advanced HIPAA awareness program was created with the goal of giving healthcare workers something useful to take away from the instruction. In this course, HIPAA is introduced, each HIPAA regulation is explained in detail, and healthcare professionals can leave with useful information about how HIPAA affects their daily workflows. Additionally, the HIPAA Awareness and Virtual Communication Awareness training bundle will give medical professionals the fundamental skills necessary to comply with HIPAA rules and protect their organizations' healthcare facilities from outside threats to protected health information.

  • What is the ROI on HIPAA Awareness and Security Training?

    Security awareness training can lower the overall risk of a company experiencing breaches since human error is a major factor in the majority of HIPAA and data security breaches. If your staff members have not received enough training on HIPAA and how to manage PHI in their daily tasks, then each one of them represents a potential risk. A 2015 SecurityIntelligence report states that the average data breach costs over $150 per record, not including potential fines for HIPAA violations, which can be as high as $50,000 per incident. As a result, the cost of any data security breach, let alone one involving PHI, is very high for healthcare organizations. Security awareness training is relatively inexpensive compared to the cost of data breaches and has the potential to greatly lower the risk of breaches ever occurring.

  • Is HIPAA Security and Awareness required by law?

    Yes, both the HIPAA Privacy Rule and the HIPAA Security Rule impose requirements on security awareness training. The HIPAA Privacy Rule training requirement is listed in 45 C.F.R. 164.530 and is regarded as an administrative requirement. The HIPAA Security Rule training requirement is considered to be an Administrative Safeguard and may be found in 45 C.F.R. § 164.538. All covered entities (CEs) are required by HIPAA to train their employees on the law's PHI-related policies and procedures. Within a reasonable time after being hired, all new employees must receive training. Employees must also receive training whenever there is a significant change to policies or practices. Under HIPAA, both Business Associates (BAs) and Covered Entities (CEs) are required to offer a program to employees on security awareness. With the exception of the HIPAA Security Rule, which mandates that employee training for protection against malware and password best practices be incorporated into any training program, HIPAA does not specify security topics or best practices that training must cover. The HIPAA awareness and training programs provided here go above and beyond the HIPAA requirements by incorporating industry standards and best practices. Organizations that are covered entities or business associates typically need HIPAA training. HIPAA training is only necessary to be given to staff members who have access to PHI/ePHI if your company is not a covered entity or business associate but engages in HIPAA-related transactions.

  • What are the HIPAA Training Requirements?

    Only covered entities (CEs) are required to adhere to the Privacy Rule training standard in terms of HIPAA training requirements. Regardless of whether they have access to PHI or not, all employees of an organization are subject to the Security Rule training standard, which is applicable to both covered entities (CEs) and business associates (BAs).

  • Privacy Rule Training Standard

    The Privacy Rule Administrative Requirement standard states that: “A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart [the HIPAA Privacy Rule] and subpart D of this part [the Breach Notification Rule]. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance.” According to this standard, covered entities (CEs) must create and put into practice policies and procedures for every aspect of their operations that could involve the use or disclosure of PHI. Furthermore, the training standard of the Administrative Requirements states that: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” In these standards, “workforce” is defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.” (45 CFR § 160.103)

  • Security Rule Training Standard

    Compared to the Privacy Rule training standard, the Security Rule training standard is more straightforward, requiring that both covered entities (CEs) and business associates (BAs) “Implement a security awareness and training program for all members of its workforce (including management).” The Security Rule standard has four addressable implementation specifications:

    • Periodic security updates
    • Procedures for guarding against, detecting, and reporting malware
    • Procedures for monitoring login attempts and reporting discrepancies
    • Procedures for creating, changing, and safeguarding passwords

    In addition, according to the Administrative Requirements, covered entities and business partners must "implement policies and procedures to prevent, detect, contain, and correct security violations" and "apply appropriate sanctions against workforce members who fail to comply with the covered entity or business partner's security policies and procedures." The absence of HIPAA-specific training requirements in these standards is significant because the topic is generally covered in the General Rules of the Security Rule (45 CFR 164.306), which mandates that covered entities and business partners must safeguard against any reasonably anticipated uses or disclosures that are prohibited by the Privacy Rule. This mandate implies that organizations should incorporate Privacy Rule training into HIPAA security awareness training programs, but leaves the decision to the discretion of the organizations.

  • How often must HIPAA awareness trainings be given?

    While laws on training frequency vary, the majority of organizations strive to train all new hires at the time of hiring as well as all employees at least once a year. All employees must complete a security awareness training program in accordance with the HIPAA Security Rule. Although the industry standard practice is to train employees at least once a year, the Security Rule does not specify how frequently this should occur; common triggers for additional training are policy changes, data breaches, or a risk assessment indicating that more training is necessary. The HIPAA Privacy Rule is more explicit about when policy and procedure training should be provided: in accordance with the Administrative Requirements, HIPAA training is necessary for every new employee within a reasonable amount of time after they join the workforce of a covered entity, as well as whenever functions are affected by material changes in policies or procedures.

  • Are there penalties for inadequate awareness training?

    Yes, under HIPAA regulations, regulators may impose penalties for failure to comply with the Security Rule's requirements for employee awareness and security training. If your organization experiences a breach and the Office of Civil Rights (OCR) conducts an investigation, your organization may be held liable for willful neglect. Humans are always the greatest risk to information security, and training is a way to reduce that risk as well as the related financial costs and penalties. Beyond penalties, insufficient awareness and security training may put your organization at higher risk of breaches in the future. Since every person is a potential risk conduit, there is no such thing as "zero risk," but the more people who receive HIPAA awareness and security training, the lower the overall risk will be.

  • Why use this HIPAA security and awareness training program?

    The best way to avoid problems with the HIPAA training requirements as outlined in the HIPAA Privacy and Security rules is to give your company's staff a foundational understanding of HIPAA. If necessary, additional organizational policy and procedure training can be added to this training. Using this HIPAA training program, you can give every employee in your workforce a foundational understanding of HIPAA and security awareness that they can use regardless of their organizational role or function. This training can be easily repeated as often as necessary to reduce the likelihood of noncompliant practices and culture developing, and it reduces the administrative burden for organizations to provide different training courses based on roles within the workforce. Employees can receive HIPAA awareness and security training at any time without interfering with regular business operations because this course is designed to be completed independently and does not need to be delivered in a classroom setting, which can disrupt workflows in your organization.


Senior Instructor

Spencer Ash

As a leader in healthcare technology, Spencer specializes in healthcare informatics and product management. Having worked in many areas of the healthcare industry—from full-risk value-based primary care to post-acute care—he recognizes the importance of protecting health information and the key role that security awareness plays in protecting that information. He currently serves as the Director of Product Design at AbarcaHealth, where he is passionate about driving change in healthcare that leads to radical transformation and improved patient outcomes. Spencer is also a Certified HIPAA Officer.