Free HIPAA Awareness Training

HIPAA Awareness: The Basics

About 15 minutes. Read the short sections below, answer ten questions, and your record of completion displays for you to print or save. It stays in your browser. Nothing is sent to SecureLynx, and nothing is stored.

Read this first

This is free HIPAA awareness education. It is not certification, and completing it does not make you or your practice HIPAA compliant. There is no such thing as being "HIPAA certified."

The record you print at the end is a self-reported record of completion: you type your own name and nothing verifies your identity. It documents that the training was taken. It is not a verified compliance record.

Your name and answers never leave this page. SecureLynx stores no copy. When you finish, the record shows on screen for you to keep. It is the only copy, so save or print it.

What HIPAA protects, and who has to follow it

HIPAA is the federal law that protects patients' health information. If you work in a medical practice, you are part of its "workforce," which means these rules apply to you directly, not just to the practice owner or the IT department.

The goal is simple to state: keep patient information private, keep it accurate, and keep it available to the people who are supposed to have it. Everything below is a way of doing that.

What counts as protected health information (PHI)

PHI is any health information that can be tied to a specific person. It is more than diagnoses and test results. It includes anything that identifies the patient alongside their care, such as:

  • Name, address, phone number, email, or dates tied to the patient
  • Medical record numbers, account numbers, or insurance details
  • Appointment information, visit notes, images, and billing records
  • Even a photo, a voicemail, or a sticky note, if it identifies a patient and their care
Rule of thumb: if it connects a person to their health or care, treat it as PHI, whatever form it takes.

The minimum necessary rule

Access and share only the information needed for the task in front of you. If you are confirming an appointment, you do not need the full chart. If a request comes in for records, send only what was asked for and authorized, not the entire file "to be safe."

This applies to what you look at as much as what you send. Opening a record you have no work reason to open is a violation, even if you never share it.

Everyday safeguards

Most protection is ordinary habits done consistently:

  • Lock your screen whenever you step away, even for a minute
  • Use your own login, and use multi-factor authentication where it is offered
  • Never share passwords or write them where others can see them
  • Do not put PHI in personal email or text messages, or in tools the practice has not approved
  • Keep conversations about patients out of waiting rooms, hallways, and elevators
  • Verify who you are speaking to before disclosing anything over the phone

Common ways things go wrong

Most incidents are honest mistakes, not attacks. The frequent ones are worth knowing so you can catch them:

  • A fax or email sent to the wrong recipient
  • Looking up a friend, family member, coworker, or well-known person out of curiosity
  • A screen or paper left visible to patients or visitors
  • A phishing email that tricks someone into giving up a password
  • A lost or unencrypted laptop, phone, or USB drive with PHI on it

If something goes wrong, report it right away

If you think PHI was seen, sent, lost, or accessed the wrong way, report it immediately to your practice's Privacy Officer or Security Officer. Do not try to hide it or fix it quietly. Fast reporting is what lets the practice meet its obligations and limit the harm.

Breach notification timelines and decisions are the practice's responsibility. Your job is to raise it quickly and honestly.

Patients have rights over their information

Patients can ask to see and get a copy of their records, ask to correct information they believe is wrong, and in many cases ask who their information has been shared with. When a patient makes one of these requests, route it to the right person at your practice rather than handling it informally.

Check your understanding

Ten questions

Answer all ten. A pass is eight correct (80%). Your answers are scored here in your browser and are never sent anywhere.

Self-reported. This is typed by you and prints on your record. Nothing verifies it, and nothing is stored.
Q1. What does PHI mean?
Q2. The "minimum necessary" rule means you should:
Q3. A coworker asks you to look up a well-known patient's record out of curiosity. You should:
Q4. You realize you emailed PHI to the wrong address. You should:
Q5. Which is a good everyday safeguard?
Q6. Which of these is protected health information?
Q7. A records request comes in for one specific date of service. You should send:
Q8. You get an email asking you to "verify your login" through a link. You should:
Q9. What is the safest way to handle a patient's PHI when you are away from your desk?
Q10. A patient asks to see and get a copy of their own records. You should: