
HIPAA: Protections and Compliance

Duration: 25 minutes | Languages: EN / ES / MLCC | Category: HR Compliance | Regulations covered: HIPAA Privacy Rule (45 CFR Parts 160, 164) and HIPAA Security Rule
Quick Answer

HIPAA: Protections and Compliance is a 25-minute online course that trains employees on the Health Insurance Portability and Accountability Act (HIPAA), including the Privacy Rule, Security Rule, protected health information handling, and breach notification requirements. It is designed for employees of covered entities and business associates who handle protected health information and includes a downloadable certificate of completion.

Course Overview

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has settled or imposed civil money penalties in over 150 cases totaling nearly $145 million in enforcement actions. In the first five months of 2025 alone, OCR announced 10 resolution agreements for HIPAA violations, with penalties ranging from $25,000 to $3,000,000. Violations most commonly stem from failure to conduct security risk analyses, unauthorized disclosures of protected health information, unsecured electronic PHI, and delayed breach notifications. Small practices and large health systems alike face enforcement action.

This course trains your employees on the core requirements of HIPAA and their responsibilities for protecting patient health information. Your team will learn what constitutes protected health information, the minimum necessary standard, permitted uses and disclosures, patient rights under the Privacy Rule, electronic PHI security requirements, and breach notification obligations. The training prepares employees to handle health information correctly in both routine and unusual situations.

What You'll Learn

  • What HIPAA is and which organizations qualify as covered entities and business associates
  • The Privacy Rule: permitted uses, disclosures, minimum necessary standard, and patient rights
  • The Security Rule: administrative, physical, and technical safeguards for electronic PHI
  • What constitutes protected health information (PHI) and the 18 HIPAA identifiers
  • Breach notification requirements including timelines, reporting to HHS, and individual notification
  • Employee responsibilities for safeguarding PHI in daily operations
  • Penalties for HIPAA violations including civil monetary penalties and criminal sanctions

Who Needs This Training

  • Front desk and registration staff at medical, dental, and behavioral health offices
  • Health plan administrators and insurance company employees who process claims
  • IT and security staff responsible for maintaining systems containing electronic PHI
  • Business associates including billing companies, IT vendors, and shredding services
  • Human resources staff at self-insured employers who administer group health plans
  • Supervisors at covered entities responsible for enforcing HIPAA policies in their departments

Regulatory Background

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, strengthened by the HITECH Act of 2009, establishes national standards for protecting individuals' health information. The HHS Office for Civil Rights enforces HIPAA through investigations, corrective action plans, and civil monetary penalties. As of 2025, penalty tiers range from $145 per violation for unknowing violations to over $2.1 million per violation for uncorrected willful neglect, with annual caps reaching $2,190,294 per identical provision. OCR has resolved over 31,000 cases and collected nearly $145 million in settlements and penalties since enforcement began. In 2025, OCR continued its focus on risk analysis enforcement, with 10 resolution agreements in the first five months targeting organizations that failed to conduct comprehensive security risk analyses. Criminal penalties for knowing HIPAA violations can reach $250,000 in fines and up to 10 years of imprisonment.

Frequently Asked Questions

How are HIPAA civil penalties structured?

HIPAA penalties are assessed in four tiers based on culpability. Tier 1 (lack of knowledge) starts at $145 per violation. Tier 2 (reasonable cause) starts at $1,452 per violation. Tier 3 (willful neglect, corrected within 30 days) starts at $14,517 per violation. Tier 4 (willful neglect, not corrected) starts at $72,582 per violation, with an annual cap of $2,190,294 per identical provision. Criminal penalties can reach $250,000 and 10 years of imprisonment.

How often is HIPAA training required?

HIPAA does not specify a mandatory annual training interval in the Privacy Rule. However, the Security Rule requires security awareness training for all workforce members as part of the administrative safeguards. OCR expects covered entities to provide training at hire and periodically thereafter. Most compliance experts recommend annual refresher training, and many state laws and accreditation bodies require it.

What is a business associate?

A business associate is any person or entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information. Common examples include medical billing companies, IT service providers, cloud storage vendors, shredding and document destruction services, and accounting firms. Business associates must sign a Business Associate Agreement and comply independently with applicable HIPAA Security Rule requirements.

What are the most common HIPAA violations?

According to OCR's 2025 enforcement data, failure to conduct or maintain a comprehensive security risk analysis is the most common finding across resolution agreements. Other frequently cited violations include unauthorized disclosures of PHI, failure to implement adequate access controls, and delayed breach notification. OCR has made risk analysis a focal point of its enforcement initiatives.

Can state attorneys general enforce HIPAA?

Yes. Under the HITECH Act, state attorneys general have authority to bring civil actions for HIPAA Privacy and Security Rule violations affecting their residents. States can seek injunctive relief and statutory damages up to $100 per violation, capped at $25,000 per year for identical violations. This means organizations may face parallel federal and state enforcement for the same incident.
Pricing

$24.95 per person

Volume Pricing

Team Size    Price per Person
1 - 9        $24.95
10 - 24      $19.95
25 - 49      $17.95
50 - 99      $17.50
Language

This course is available in English, Spanish, and Multi-Language CC at no additional charge.

Certificate of completion included. Downloadable upon passing the final assessment.
