Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.


CT HIPAA Compliance

The HIPAA Compliance Training course teaches employees the fundamentals of HIPAA, including privacy, security, breach response, and enforcement, enabling them to protect PHI and avoid violations.

Who Should Take This

Front‑line staff, administrators, and support personnel who work with protected health information in hospitals, clinics, or health‑tech firms should take this course. It is designed for employees with basic healthcare exposure who need practical guidance on daily HIPAA obligations and incident reporting.

What's Included in AccelaStudy® AI

  • Adaptive Knowledge Graph
  • Practice Questions
  • Lesson Modules
  • Console Simulator Labs
  • Exam Tips & Strategy
  • 20 Activity Formats

Course Outline

65 learning goals

1. HIPAA Foundations and Key Definitions (3 topics)

HIPAA legislative overview

  • Identify the purpose and scope of the Health Insurance Portability and Accountability Act including its five titles and the regulatory goals of protecting health information.
  • Describe the relationship between HIPAA and the HITECH Act including how HITECH strengthened enforcement, expanded breach notification, and increased civil and criminal penalties.
  • Identify the roles and enforcement authority of the HHS Office for Civil Rights (OCR) and state attorneys general in investigating HIPAA complaints and imposing penalties.

Protected Health Information definitions

  • Recognize the 18 HIPAA identifiers that constitute protected health information (PHI) including names, dates, Social Security numbers, medical record numbers, and biometric identifiers.
  • Distinguish between PHI, electronic PHI (ePHI), and de-identified data and explain the conditions under which health information is no longer considered protected.
  • Analyze workplace examples to determine whether specific data elements constitute PHI, ePHI, or de-identified information requiring different handling procedures.

Covered entities and business associates

  • Identify the three categories of HIPAA covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.
  • Describe the definition and obligations of business associates including subcontractors and explain when a Business Associate Agreement (BAA) is required.
  • Analyze organizational relationships to determine which parties qualify as covered entities, business associates, or workforce members and their respective compliance obligations.

2. HIPAA Privacy Rule (3 topics)

Permitted uses and disclosures

  • Identify the permitted uses and disclosures of PHI for treatment, payment, and healthcare operations (TPO) without requiring patient authorization.
  • Describe situations requiring written patient authorization before PHI disclosure including marketing, sale of PHI, psychotherapy notes, and most research uses.
  • Recognize permitted disclosures without authorization for public health activities, judicial proceedings, law enforcement purposes, and to avert serious threats to health or safety.
  • Analyze workplace scenarios to determine whether a proposed use or disclosure of PHI is permitted, requires authorization, or violates the Privacy Rule.

Minimum necessary standard

  • Describe the minimum necessary standard requiring covered entities to limit PHI use, disclosure, and requests to the minimum amount needed for the intended purpose.
  • Identify the exceptions to the minimum necessary standard including disclosures to the individual, disclosures for treatment, and disclosures required by law.
  • Analyze requests for PHI to apply the minimum necessary standard by determining what information is reasonably needed and what should be withheld.

Patient rights under the Privacy Rule

  • Identify patient rights under HIPAA including the right to access records, request amendments, receive an accounting of disclosures, and request restrictions on use.
  • Describe the requirements and timelines for responding to patient access requests including the 30-day response period and permitted fees.
  • Explain the purpose and required content of the Notice of Privacy Practices (NPP) including when it must be provided to patients.
  • Synthesize a response plan for handling a patient request to access, amend, or restrict their PHI including documentation requirements and appeal procedures.

3. HIPAA Security Rule (3 topics)

Administrative safeguards

  • Identify required administrative safeguards including security management processes, assigned security responsibility, workforce security, and security awareness training.
  • Describe the risk analysis and risk management requirements under the Security Rule including identifying threats, assessing vulnerabilities, and implementing reasonable safeguards.
  • Explain workforce security requirements including authorization procedures, clearance processes, and termination procedures for access to ePHI.
  • Describe contingency planning requirements including data backup plans, disaster recovery plans, and emergency mode operation plans for ePHI systems.

Physical safeguards

  • Identify physical safeguard requirements including facility access controls, workstation use policies, workstation security, and device and media controls.
  • Describe proper procedures for disposing of devices and media containing ePHI including sanitization, degaussing, and physical destruction methods.
  • Analyze a workplace environment to identify physical security gaps that could compromise ePHI including unsecured workstations, unlocked server rooms, and visible screens.

Technical safeguards

  • Identify technical safeguard requirements including access controls, audit controls, integrity controls, and person or entity authentication for ePHI systems.
  • Describe transmission security requirements including encryption and integrity controls for ePHI sent over electronic networks.
  • Explain the difference between required and addressable implementation specifications and describe the decision process for addressable specifications.
  • Analyze an organization's technical controls to evaluate compliance with Security Rule requirements and identify gaps in access control, audit logging, or encryption.

4. Breach Notification and Incident Response (3 topics)

Breach definition and risk assessment

  • Recognize the HIPAA definition of a breach as an impermissible use or disclosure of PHI that compromises its security or privacy.
  • Describe the four-factor risk assessment for determining whether a breach has occurred: nature of PHI, unauthorized recipient, whether PHI was acquired or viewed, and mitigation extent.
  • Identify the three exceptions to the breach definition: unintentional access by authorized workforce member, inadvertent disclosure between authorized persons, and good-faith belief of non-retention.
  • Analyze incident scenarios to determine whether a reportable breach has occurred by applying the four-factor risk assessment and evaluating applicable exceptions.

Notification requirements and timelines

  • Describe individual notification requirements for breaches including content of notification, 60-day timeline, and substitute notification procedures for insufficient contact information.
  • Identify when breaches require notification to the HHS Secretary and prominent media outlets based on the 500-individual threshold and annual reporting requirements.
  • Describe business associate breach notification obligations to the covered entity including the requirement to identify affected individuals.

Internal reporting and incident procedures

  • Identify the steps an employee should follow when discovering a potential HIPAA violation or breach including immediate containment, documentation, and reporting to the privacy officer.
  • Describe the role of the HIPAA Privacy Officer and Security Officer in managing incidents, conducting investigations, and coordinating breach notifications.
  • Synthesize an incident response workflow for a suspected PHI breach incorporating containment, investigation, risk assessment, notification decisions, and documentation requirements.

5. HIPAA Penalties and Enforcement (3 topics)

Civil and criminal penalties

  • Identify the four tiers of HIPAA civil monetary penalties, ranging from unknowing violations ($100 to $50,000 per violation) to willful neglect that is not corrected ($50,000+ per violation, up to $1.5M annually).
  • Describe criminal penalty provisions including fines up to $250,000 and imprisonment up to 10 years for knowingly obtaining or disclosing PHI with intent to sell or cause harm.
  • Analyze violation scenarios to classify the severity tier and explain why individual employees can face personal criminal liability for unauthorized PHI access.

Corrective action and resolution agreements

  • Describe the OCR enforcement process including complaint investigation, compliance review, resolution agreements, and corrective action plans.
  • Identify common findings in OCR enforcement actions including lack of risk analysis, insufficient access controls, failure to encrypt portable devices, and inadequate training.

State law interaction and preemption

  • Describe the HIPAA preemption principle where federal HIPAA requirements preempt contrary state laws except when state law provides stronger privacy protections.
  • Analyze a scenario involving conflicting state and federal privacy requirements to determine which standard applies based on the more stringent protection principle.

6. Workplace Scenarios and Practical Compliance (5 topics)

Communication and disclosure scenarios

  • Recognize common verbal disclosure violations including discussing patient information in public areas, elevators, cafeterias, and within earshot of unauthorized persons.
  • Identify risks of transmitting PHI via email, fax, and text message and describe organizational safeguards such as encryption, cover sheets, and verification procedures.
  • Analyze social media scenarios to determine whether posting about patients, sharing workplace photos, or discussing cases online violates HIPAA even without naming the patient.
  • Describe proper procedures for responding to phone and in-person inquiries about patients including verifying identity and confirming the patient has not restricted information.

Unauthorized access and snooping

  • Recognize that accessing patient records without a legitimate work-related reason constitutes a HIPAA violation regardless of whether information is shared with others.
  • Identify common snooping scenarios including looking up records of celebrities, coworkers, family members, or patients not under the employee's direct care.
  • Describe how audit trail monitoring and access log reviews detect unauthorized access to patient records and the consequences employees face for snooping.

Mobile devices and remote work

  • Identify risks to ePHI on mobile devices including lost or stolen laptops, unencrypted USB drives, personal smartphones, and unsecured Wi-Fi connections.
  • Describe best practices for protecting ePHI when working remotely including VPN use, screen lock policies, secure printing, and physical document handling.
  • Synthesize a mobile device security policy for a healthcare organization addressing encryption requirements, remote wipe capabilities, BYOD restrictions, and acceptable use guidelines.

Document and record handling

  • Identify proper handling procedures for paper records containing PHI including secure storage, controlled access, and shredding or crosscut destruction for disposal.
  • Describe HIPAA record retention requirements including maintaining documentation of policies, procedures, and compliance activities for a minimum of six years.
  • Analyze a department's document handling practices to identify compliance gaps and recommend corrective actions for secure storage, transmission, and disposal of PHI.

Research and marketing restrictions

  • Identify the authorization requirements for using PHI in research studies and describe the role of Institutional Review Boards (IRBs) in granting waivers of authorization.
  • Describe the prohibition on using PHI for marketing without patient authorization and identify the narrow exceptions for treatment-related communications and face-to-face encounters.
  • Explain the prohibition on the sale of PHI without patient authorization and identify the limited exceptions including payment for treatment, payment activities, and public health purposes.
  • Synthesize a decision framework for determining whether a proposed use of PHI for fundraising, marketing, or research requires prior patient authorization or qualifies for an exception.

Scope

Included Topics

  • Health Insurance Portability and Accountability Act (HIPAA) compliance training for employees in healthcare organizations, business associates, and covered entities handling protected health information.
  • Privacy Rule requirements including minimum necessary standard, patient rights to access and amend records, Notice of Privacy Practices (NPP), and permitted uses and disclosures of PHI.
  • Security Rule administrative safeguards (risk analysis, workforce training, access management, contingency planning), physical safeguards (facility access, workstation security, device disposal), and technical safeguards (access control, audit controls, integrity controls, transmission security).
  • Breach notification requirements under HIPAA and HITECH Act including individual notification, HHS notification, media notification thresholds, and 60-day reporting timeline.
  • Business associate agreements (BAAs), covered entity obligations, workforce member responsibilities, and organizational compliance structure.
  • HITECH Act provisions including increased penalties, expanded breach notification, and strengthened enforcement.
  • Practical workplace scenarios including accidental disclosure, unauthorized access (snooping), social media violations, verbal disclosures, faxing and emailing PHI, and mobile device risks.

Not Covered

  • HIPAA transaction and code set standards (Title II administrative simplification beyond Privacy and Security Rules).
  • Detailed technical implementation of encryption algorithms, firewall configurations, or network security architectures.
  • State-specific health privacy laws that exceed HIPAA requirements unless referenced for preemption analysis.
  • Clinical workflow design, electronic health record (EHR) system administration, or health IT certification requirements.
  • Legal defense strategies, litigation procedures, or attorney-client privilege considerations in HIPAA enforcement actions.
