HIPAA Employee Training Guide

Privacy and Security Awareness Training

Training Version: 1.0 | Completion Required: Within 30 Days of Hire

Welcome to HIPAA Training

This training is required for all workforce members who have access to Protected Health Information (PHI). Upon completion, you will understand your responsibilities for protecting patient privacy and maintaining the security of health information.

1What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that:

  • Protects the privacy of patients' health information
  • Sets standards for securing electronic health records
  • Gives patients rights over their health information
  • Establishes penalties for violations

Why It Matters

HIPAA violations can result in fines from $100 to $50,000 per violation, up to $1.5 million per year. Criminal penalties can include imprisonment up to 10 years.

2What is Protected Health Information (PHI)?

PHI is any health information that can identify an individual. This includes:

Patient Identifiers

  • • Name
  • • Address
  • • Date of birth
  • • Social Security Number
  • • Phone/fax numbers
  • • Email address
  • • Medical record number
  • • Photos

Health Information

  • • Diagnoses
  • • Treatment plans
  • • Medications
  • • Lab results
  • • Mental health notes
  • • Insurance information
  • • Payment information
  • • Appointment dates

Remember: If health information can be linked to a specific person, it's PHI and must be protected.

3The Minimum Necessary Rule

Only access, use, or disclose the minimum amount of PHI necessary to do your job.

Do This

  • • Only look at records you need for your work
  • • Close records when done
  • • Only share what's required
  • • Log out when leaving your computer

Don't Do This

  • • Look up family, friends, or celebrities
  • • Browse records out of curiosity
  • • Share more info than needed
  • • Leave records open on screen

4Password and Access Security

Password Rules

  • • Use at least 12 characters
  • • Include uppercase, lowercase, numbers, and symbols
  • • Never share your password with anyone
  • • Never write passwords on sticky notes
  • • Use a password manager
  • • Change password every 90 days

Computer Security

  • • Lock your screen when stepping away (Win+L or Cmd+Ctrl+Q)
  • • Never share your login with coworkers
  • • Log out completely at end of day
  • • Report lost/stolen devices immediately

5Email and Communication Security

Phishing Warning

Phishing emails try to trick you into revealing passwords or clicking malicious links. Watch for: urgent language, misspelled addresses, requests for passwords, suspicious attachments.

Email Rules for PHI

  • • Only send PHI through secure/encrypted email
  • • Double-check recipient email addresses
  • • Never send PHI to personal email accounts
  • • Don't include PHI in email subject lines
  • • Be cautious with attachments

6Physical Security

  • • Never leave PHI visible on desks or screens
  • • Use privacy screens on monitors
  • • Shred documents containing PHI
  • • Don't discuss PHI in public areas
  • • Be aware of who can see/hear you
  • • Secure paper records in locked cabinets
  • • Challenge unknown persons in work areas

7Reporting Security Incidents

Report Immediately If You Notice:

  • • Lost or stolen devices (laptop, phone, USB drive)
  • • Suspicious emails or phone calls
  • • Someone accessing records they shouldn't
  • • Misdirected faxes or emails containing PHI
  • • Unauthorized persons in secure areas
  • • Any suspected breach of patient information

How to Report:

Contact the Privacy Officer or Security Officer immediately. You can report verbally, by email, or through the incident reporting system. There is no penalty for good-faith reporting.

8Patient Rights

Patients have the following rights under HIPAA:

  • Access: Right to see and get copies of their records
  • Amendment: Right to request corrections to their records
  • Accounting: Right to know who has accessed their information
  • Restriction: Right to request limits on disclosures
  • Confidential Communication: Right to request alternative contact methods
  • Complaint: Right to file complaints about privacy violations

Knowledge Check

Answer the following questions to test your understanding:

  1. 1. What does PHI stand for?

  2. 2. How long should your password be (minimum)?

  3. 3. What should you do before leaving your workstation?

  4. 4. Who should you report a suspected breach to?

  5. 5. True or False: It's okay to look up a celebrity's medical records if they visit your clinic.

Training Acknowledgment

By signing below, I acknowledge that I have completed the HIPAA Privacy and Security training. I understand my responsibilities for protecting Protected Health Information (PHI) and agree to comply with all applicable policies. I understand that violations may result in disciplinary action and/or legal penalties.

Employee Name (Print):

Job Title:

Signature:

Date: