HIPAA Compliance Training

FREE course

This course is editable. Yours to re-brand and tailor to your needs!

About the HIPAA Compliance Training course

In conjunction with Improvement Sciences, EdApp has deployed a readily available HIPAA (Health Insurance Portability and Accountability Act) training course in our editable content library! If you're looking for a fun and engaging way to learn some of the most important and essential healthcare information, look no further than our HIPAA Compliance Training course. We understand that professionals are becoming increasingly busy, which is why we provide the option for professionals to learn in their own time. The course teaches applicable skills, meaning that learners can instantly apply what they have learnt via the course in their job! The HIPAA training content teaches the most paramount skills for clear communication on regulations, covering best practices in HIPAA compliance scenarios, threats and remedies, and the privacy, breach and security rules.

What you will learn

  • Protected Information
  • Best Practices
  • Threats and Remedies
  • Privacy, Breach and Security Rules
  • Certificate of Completion
  • HIPAA Compliance Scenarios
  • Useful Resources
  • Glossary of HIPAA Terms
  • Knowledge Check

HIPAA Compliance Training course content

How to use this course

Lesson Excerpts

How to Use this Course

About the Course

HIPAA is huge, with hundreds of pages in the regulations. There's really no "one size fits all" - the best HIPAA training is tailored to a role. "What It's About" isn't as important as "How Do I Do It". This course includes the "highlights" as we see them. We have generalized as much as is reasonable - practical HIPAA training is about a mindset, not about the minutiae of the regulations.

The newest feature offers a new level of feedback for the user.

HIPAA Overview

Lesson Excerpts

HIPAA Overview

What does HIPAA provide? Select all that apply

HIPAA was intended to...

  • improve portability and continuity of health insurance coverage
  • combat waste, fraud, and abuse in health insurance and health care delivery
  • promote the use of medical savings accounts
  • improve access to long-term care services and coverage
  • simplify the administration of health insurance

Source: PUBLIC LAW 104–191—AUG. 21, 1996

So what does HIPAA protect? Any data in a patient's medical record that can be used to personally identify them - in HIPAA terms, protected health information (PHI).

Who must comply with HIPAA? Select all that apply

What Information is Protected?

Lesson Excerpts

What Information is Protected?

Which of the following are personal health identifiers? Select all that apply

When in doubt, treat every piece of patient data as if it is protected information.

Every HIPAA violation is treated the same.

The Privacy Rule

Lesson Excerpts

The Privacy Rule of 2000

The Privacy Rule applies to both print and electronic medical records.

HIPAA establishes only criminal penalties for unauthorized disclosure of personal health information.

The Privacy Rule requires patients to receive plain language notice of:

Health Plans: An entity, including private insurers and payers, and national and state government payers (Medicare, Medicaid), that provides or pays for medical care.

Healthcare Clearinghouses: Any entity, including healthcare data exchanges, that processes healthcare data or transactions received from another entity.

Healthcare Providers: Any person or organization - including physicians, hospitals and clinics - that delivers healthcare services.

Which of the following are considered Covered Entities? Select all that apply

The Security Rule

Lesson Excerpts

The Security Rule

Security is not a one-time project. It's an attitude, an ethos, laser-focused on protecting each patient's data.

Although the Security Rule discusses ePHI (PHI in an electronic format), the restrictions and practices apply to "hard copies", too.

Security policies and procedures, if well-designed, do not need to be reviewed and updated.

Covered Entities (CE) must...

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
  • Ensure compliance with the rule by its workforce.

Source: 45 C.F.R. § 164.306(a) - Security standards: General rules

To determine appropriate safeguards, CEs should conduct two analyses:

  • Risk Analysis, to discover potential unauthorized access and disclosure of PHI
  • Security Analysis, to identify security measures that can be reasonably implemented to address the risks identified in the risk analysis

The HIPAA Security Rule safeguards include: Select all that apply

Administrative Safeguards include: Select all that apply

The Breach Rule

Lesson Excerpts

Breach and Enforcement

So, what does a breach look like? Records may be...

  • stolen intentionally
  • lost through improper IT procedures
  • destroyed when a pipe bursts and destroys equipment (environmental) - compounded when there is no backup (human error)
  • viewed by an unauthorized person (e.g., another patient "shoulder surfing" and viewing someone else's PHI) (misuse)
  • exposed when security credentials are stolen through phishing or social engineering (more about these in the next lesson)

Is Sam posting a picture of a patient's unique tattoo to a social media site a breach?

Despite safeguards, a breach may occur.

The Breach Rule

A CE must, regardless of size, report a breach to HHS through the OCR portal AND notify, without unreasonable delay, each affected individual in writing by:

  • first-class mail
  • e-mail, if the affected individual has agreed to receive such notices electronically

The Breach Rule

Under the Breach Rule, patients may be notified of a breach by:

Which of the following is an example of a "Social" breach?

Threats and Remedies

Lesson Excerpts

Threats and Remedies

Healthcare information (PHI) is particularly ripe for abuse because it contains so many important personal identifiers (e.g., Social Security Numbers, bank account information).

There's a common thread to all cybersecurity threats - except natural disasters - there's a human behind them.

Now, let's take a closer look at external and internal threats.

PHI is valuable to hackers because...

Well-executed analyses, robust layered safeguards, and frequent reviews of those safeguards are usually adequate to protect against external threats.

With internal threats, we have already let the person inside our perimeter. They're in the building, perhaps the office, and maybe even sitting next to us. They have access and some level of trust already, meaning these threats typically take longer to detect.

Threats and Remedies

Which of the following are true of internal threats?

Examples of internal threats affecting PHI include...

Best Practices

Lesson Excerpts

Best Practices

Only practices with more than 5,000 patients need Privacy and Security Officers.

In a small practice, one person can fulfill all of the roles required to implement, maintain, and monitor security safeguards.

Office Practices

  • Be neat - do not let records lie about.
  • Have policies and procedures.
  • Meet frequently, even informally, to discuss privacy and security.
  • Reward people who demonstrate good practices.
  • Build a robust "social firewall" - make your people suspicious of any request for PHI.
  • Control personal smartphone and device use - well, we can hope.
  • Banish gossip - make it the office ethic.
  • Create a collaborative atmosphere, a community of practice, in which all employees are encouraged to participate in building robust security practices.

Scenario #1

Lesson Excerpts

Scenario #1

Dakota, a practice administrator, receives an email with the subject "Urgent: Payment Delayed" from a consultant the practice uses. The email states that "to receive your payment, the practice needs to immediately update its profile" and gives a link named "Business Associate Profile." It's signed "Madison Sotillle," Accounts Payable Manager.

After clicking the link, a form appears requesting standard BA information: name, address, phone number, tax identifier, bank electronic transfer information, and adherence to HIPAA standards. Dakota completes the form and clicks submit.

Three days later, the practice is notified by the bank that money has been withdrawn from its account and a line of credit has been requested. A few days after that, a patient reports that their credit monitoring service flagged a new mortgage application that they did not make.

Scenario #1

What happened? Select all that apply

What should Dakota have done? Select all that apply

Your office receives an unexpected email from a known consultant with a link to provide practice information, bank account information, and access credentials for the practice management system. What do you do?

Why do phishing attempts frequently include a link to an external site?

The Dakota and Premera Blue Cross cases were both adversely affected by phishing attacks.

Phishing attempts frequently appear as legitimate emails from known sources.

Scenario #2

Lesson Excerpts

Scenario #2

On a Friday, Alex, the Senior Practice Manager for a large multi-specialty group, stopped for coffee while going home. While paying, Alex did not notice that "homework" - an unencrypted thumb drive with information on 15 patients - had fallen to the floor.

After that, Alex had dinner with friends, shopped for groceries, and went home to watch a movie. On Sunday, Alex wanted to work using the thumb drive and realized that it had been lost. Despite calling the coffee shop, the grocery store, the restaurant and friends, the thumb drive could not be located.

Scenario #2

What should Alex do? Select all that apply

When should the Office for Civil Rights be notified following a breach? Select all that apply

Which of the following practices can mitigate against losing unencrypted PHI? Select all that apply

HIPAA Knowledge Check

Lesson Excerpts

HIPAA Knowledge Check

Certificate of Completion

Lesson Excerpts

Certificate of Completion

Congrats on completing the HIPAA compliance training! You may now access your certificate in the briefcase.

Glossary of HIPAA Terms

Lesson Excerpts

Glossary of HIPAA Terms

Go to the Briefcase and download a copy of the Glossary of HIPAA Terms PDF. Modify, edit, and reuse as needed.

References

Lesson Excerpts

References

HIPAA Compliance Training Course Author

Improvement Sciences

ImSci, a global leader in creating mobile-first microlearning, applies learning science, consumer experience and contemporary design to its content. ImSci has created award-winning content as well as courses for Educate All that have been utilized by dozens of organizations around the world.

My computer is not allowing me to do some of the interactive quizzes properly, so I am getting answers wrong.

A few grammatical errors and slides that did not work, but otherwise great - an interactive and exciting way to educate.

Very good knowledge to be familiar with

Pretty informative, but there were some typos and many glitches that prevented me from getting the right answer. Also, the certificate is just a template (without your name)
