EdApp by SafetyCulture

HIPAA Compliance Training

By Improvement Sciences
15 Lessons

This course is free and editable. Yours to re-brand and tailor to your needs!

About this course

This HIPAA training course teaches the essential skills for communicating clearly about the regulations, covering best practices in HIPAA compliance scenarios, threats and remedies, and the privacy, breach and security rules. (Please note this course is often misspelled as HIPPA)

From the author

Revised 23 January 2021

In conjunction with Improvement Sciences, EdApp has deployed a readily-available HIPAA (Health Insurance Portability and Accountability Act) training course in our editable content library! If you're looking for a fun and engaging way to learn some of the most important and essential healthcare information, look no further than our HIPAA Compliance Training course. We understand that professionals are becoming increasingly busy, which is why we provide the option for professionals to learn in their own time. The skills covered in the course are directly applicable, meaning that learners can instantly perform what they have learnt via the course in their job!

What you will learn

  • Protected Information
  • Glossary of HIPAA Terms
  • Knowledge Check
  • HIPAA Compliance Scenarios
  • Threats and Remedies
  • Privacy, Breach and Security Rules
  • Best Practices
  • Certificate of Completion
  • Useful Resources

HIPAA Compliance Training Lessons

Click through the microlessons below to preview this course. Each lesson is designed to deliver engaging and effective learning to your team in only minutes.

  1. How to use this course
  2. HIPAA Overview
  3. What Information is Protected?
  4. The Privacy Rule
  5. The Security Rule
  6. The Breach Rule
  7. Threats and Remedies
  8. Best Practices
  9. Scenario #1
  10. Scenario #2
  11. HIPAA Knowledge Check
  12. Certificate of Completion
  13. Glossary of HIPAA Terms
  14. Useful Resources
  15. References

Like what you see?

This course is free and completely editable. Update the text, add your own slides or re-brand the entire course — with our no-code authoring tool, the sky’s the limit!


HIPAA Compliance Training course excerpts

How to use this course

HIPAA Compliance Training Course - Lesson Excerpt

How to Use this Course

About the Course

HIPAA is huge, with hundreds of pages in the regulations. There's really no "one size fits all" - the best HIPAA training is tailored to a role. "What It's About" isn't as important as "How Do I Do It". This course includes the "highlights" as we see them. We have generalized as much as is reasonable - practical HIPAA training is about a mindset, not about the minutiae of the regulations.

HIPAA Overview

HIPAA Compliance Training Course - Lesson Excerpt

HIPAA Overview

What does HIPAA provide? Select all that apply

HIPAA was intended to...

  • improve portability and continuity of health insurance coverage
  • combat waste, fraud, and abuse in health insurance and health care delivery
  • promote the use of medical savings accounts
  • improve access to long-term care services and coverage
  • simplify the administration of health insurance

Source: PUBLIC LAW 104–191—AUG. 21, 1996

So what does HIPAA protect? Any data in a patient's medical record that can be used to personally identify them - in HIPAA terms, protected health information (PHI).

Who must comply with HIPAA? Select all that apply

What Information is Protected?

HIPAA Compliance Training Course - Lesson Excerpt

What Information is Protected?

Which of the following are personal health identifiers? Select all that apply

When in doubt, treat every piece of patient data as if it is protected information.

Every HIPAA violation is treated the same.

The Privacy Rule

HIPAA Compliance Training Course - Lesson Excerpt

The Privacy Rule of 2000

The Privacy Rule applies to both print and electronic medical records.

HIPAA establishes only criminal penalties for unauthorized disclosure of personal health information.

The Privacy Rule requires patients to receive plain language notice of:

Health Plans: An entity, including private insurers and payers, and national and state government payers (Medicare, Medicaid), that provides or pays for medical care.

Healthcare Clearinghouses: Any entity, including healthcare data exchanges, that processes healthcare data or transactions received from another entity.

Healthcare Providers: Any person or organization - including physicians, hospitals and clinics - that delivers healthcare services.

Which of the following are considered Covered Entities? Select all that apply

The Security Rule

HIPAA Compliance Training Course - Lesson Excerpt

The Security Rule

Security is not a one-time project.

It's an attitude, an ethos, laser-focused on protecting each patient's data.

Although the Security Rule discusses ePHI (PHI in an electronic format)...

The restrictions and practices apply to "hard copies", too.

Security policies and procedures, if well-designed, do not need to be reviewed and updated.

Covered Entities (CE) must...

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
  • Ensure compliance with the rule by its workforce.

Source: 45 C.F.R. § 164.306(a) - Security standards: General rules

To determine appropriate safeguards, CEs should conduct two analyses:

  • Risk Analysis, to discover potential unauthorized access and disclosure of PHI
  • Security Analysis, to identify security measures that can be reasonably implemented to address risks identified in the risk analysis

The HIPAA Security Rule safeguards include: Select all that apply

Administrative Safeguards include: Select all that apply

The Breach Rule

HIPAA Compliance Training Course - Lesson Excerpt

Breach and Enforcement

So, what's a breach look like? Records may be...

  • stolen intentionally
  • lost from improper IT procedures
  • destroyed when a pipe bursts and destroys equipment (environmental) - compounded when there is no backup (human error)
  • viewed by an unauthorized person (e.g., another patient "shoulder surfing" and viewing someone else's PHI) (misuse)
  • exposed when security credentials are stolen through phishing or social engineering (more about these in the next lesson)

If Sam posts a picture of a patient's unique tattoo to a social media site, is that a breach?

Despite safeguards, a breach may occur.

A CE must, regardless of size...

  • report a breach to HHS through the OCR portal AND...
  • notify, without unreasonable delay, each affected individual in writing by first-class mail, or by e-mail if the affected individual has agreed to receive such notices electronically

Under the Breach Rule, patients may be notified of a breach by:

Which of the following is an example of a "Social" breach?

Threats and Remedies

HIPAA Compliance Training Course - Lesson Excerpt

Threats and Remedies

Healthcare information (PHI) is particularly ripe for abuse because it contains so many important personal identifiers (e.g., Social Security Numbers, bank account information).

There’s a common thread to all cybersecurity threats - except natural disasters - there’s a human behind them.

Now, let's take a closer look at external and internal threats.

PHI is valuable to hackers because...

Well-executed analyses; robust, layered safeguards; and, frequent reviews of safeguards are usually adequate to protect against external threats.

With internal threats, we have already let the person inside our perimeter.

They’re in the building, perhaps the office, and maybe even sitting next to us.

They have access and some level of trust already...

...meaning these threats typically take longer to detect.

Which of the following are true of internal threats?

Examples of internal threats affecting PHI include...

Best Practices

HIPAA Compliance Training Course - Lesson Excerpt

Best Practices

Only practices with more than 5,000 patients need Privacy and Security Officers.

In a small practice, one person can fulfill all of the roles required to implement, maintain, and monitor security safeguards.

Office Practices

  • Be neat - do not leave records lying about.
  • Have policies and procedures.
  • Meet frequently, even informally, to discuss privacy and security.
  • Reward people who demonstrate good practices.
  • Build a robust "social firewall" - make your people suspicious of any request for PHI.
  • Control personal smartphone and device use - well, we can hope.
  • Banish gossip - make it the office ethic.
  • Create a collaborative atmosphere, a community of practice, in which all employees are encouraged to participate in building robust security practices.

Scenario #1

HIPAA Compliance Training Course - Lesson Excerpt

Scenario #1

Dakota, a practice administrator, receives an email with the subject "Urgent: Payment Delayed" from a consultant the practice uses.

The email states that "to receive your payment, the practice needs to immediately update its profile" and gives a link named "Business Associate Profile." It's signed with "Madison Sotillle," Accounts Payable Manager.

After clicking the link, a form appears requesting standard BA information, like name, address, phone number, tax identifier, bank electronic transfer information, and adherence to HIPAA standards. Dakota completes the form and clicks submit.

Three days later, the practice is notified by the bank that money has been withdrawn from its account and a line of credit has been requested.

A few days after that, a patient reports that their credit monitoring service has flagged a new mortgage application - one that they did not make.

What happened? Select all that apply

What should Dakota have done? Select all that apply

Your office receives an unexpected email from a known consultant with a link to provide practice information, bank account information, and access credentials for the practice management system. What do you do?

Why do phishing attempts frequently include a link to an external site?

The Dakota and Premera Blue Cross cases were both adversely affected by phishing attacks.

Phishing attempts frequently appear as legitimate emails from known sources.

Scenario #2

HIPAA Compliance Training Course - Lesson Excerpt

Scenario #2

On a Friday, Alex, the Senior Practice Manager for a large multi-specialty group, stopped for coffee while going home.

While paying, Alex did not notice that "homework" - an unencrypted thumb drive with information on 15 patients - had fallen to the floor.

Alex had dinner with friends, shopped for groceries, and went home and watched a movie.

On Sunday, Alex wanted to work using the thumb drive, and realized that it had been lost.

Despite calling the coffee shop, the grocery store, the restaurant and friends, the thumb drive could not be located.

What should Alex do? Select all that apply

When should the Office for Civil Rights be notified following a breach? Select all that apply

Which of the following practices can reduce the risk of losing unencrypted PHI? Select all that apply

HIPAA Knowledge Check

HIPAA Compliance Training Course - Lesson Excerpt

HIPAA Knowledge Check

Certificate of Completion

This lesson is meant as an example of what your organization's administrators can do when using this course for compliance training. This course does not certify that you or your organization are HIPAA compliant.

HIPAA Compliance Training Course - Lesson Excerpt

Certificate of Completion

This certificate is only an example for your organization to see how they can use their own certificates within EdApp. Please DO NOT contact EdApp Chat Support regarding this certificate. It is only an example.

This course does include a badge that you can earn when you have successfully completed all lessons.

Glossary of HIPAA Terms

HIPAA Compliance Training Course - Lesson Excerpt

Glossary of HIPAA Terms

Go to the Briefcase and download a copy of the Glossary of HIPAA Terms pdf. Modify, edit, and reuse as needed.


Improvement Sciences

ImSci, a global leader in creating mobile first microlearning, applies learning science, consumer experience and contemporary design to its content. ImSci has created award-winning content as well as courses for Educate All that have been utilized by dozens of organizations around the world.

Course rating


very informal and the side tension very creative

As an introduction, it was explained well. With levity. I'm very interested to move forward.

I am so hip to HIPAA now it hurts.
