
HIPAA for Medical Office Staff


Faculty: Becca Kalivas, RN, MS

Successful Completion: Complete entire module, complete the exam with a passing score of 80% or better, and complete the evaluation form.

Estimated Time to Complete Activity: 90 minutes.

CEUs: HIPAA Exams is authorized by IACET to offer 0.2 CEUs for this program. CEU Information

Free Certification of Completion available instantly for download or printing upon successful completion.


This course is specific to Medical Office Staff personnel who do not directly provide medical treatment to patients. This course covers the fundamentals of the HIPAA Privacy Rule, the HIPAA Security Rule, and the Enforcement Rule in case of HIPAA violations.

Includes 2021/2022 Updates - ONC 21st Cures Act Final Rule and the CMS Final Rule

Course includes a video and audio component with a stand-alone exam

Receive HIPAA Certification "Certificate of Completion" with successful completion.

HIPAA for Medical Office Staff FAQs

Who is a Medical Office Staff Member Under HIPAA?

HIPAA Privacy Rule covers: 

  • Health plans 
  • Health care clearinghouses 
  • Healthcare providers that use electronic methods for certain financial and administrative transactions, like payment transfers and billing.


These entities, referred to as "covered entities," are subject to privacy rules even if they contract with others, referred to as "business associates," to perform some of their critical responsibilities. 


How does the HIPAA Privacy Rule Affect Medical Office Staff?

The Privacy Rule applies to health plans, healthcare clearinghouses, and healthcare providers and controls how a covered entity shares protected health information (PHI) by placing limits and conditions on the uses and disclosures that may be made of such information without an individual's consent. 


Medical office staff are directly affected by the HIPAA rules that apply to them. Doctors, nurses, and healthcare organizations are prohibited by HIPAA from disclosing PHI without patient consent.


Health organizations are in charge of providing HIPAA compliance training to all staff members that handle and interact with medical records. All staff must receive proper HIPAA training to comply with HIPAA regulations, understand their personal obligations under HIPAA, and assist their employer in safeguarding the security and privacy of PHI.


Informing, educating, and training medical staff on HIPAA standards prevents them from unintentionally breaking the law. Health organizations should spend the time necessary to keep the staff informed of the requirements to make both the company and the staff HIPAA compliant.


What steps are necessary to be HIPAA compliant in a medical office? 

According to the U.S. Department of Health & Human Services (HHS), to be HIPAA compliant, covered entities must: 

  • Implement written PHI privacy procedures 
  • Appoint a privacy officer 
  • Require their business associates to sign agreements ensuring the confidentiality of PHI 
  • Regularly train all their staff members on privacy and security rule regulations  


Covered entities must also provide patients with:  

  • A written notice of the covered entities' privacy practices and access to their medical records 
  • The chance to request modifications to the records 
  • The option to request restrictions on the use or disclosure of their information 
  • The opportunity to request an accounting of any use of PHI 
  • The chance to request alternative methods of communicating information 


Additionally, covered entities must set up a procedure for patients to file complaints and for handling those complaints. Finally, they must take all necessary steps to ensure that PHI is not used for fundraising, marketing, or making decisions regarding benefits or employment. 


Steps that medical office staff should take to avoid HIPAA violations are:  


Enable Firewalls and Encryption

Medical staff members frequently use their cell phones at work. Staff members should keep their cell phones safe and protected from the wrong individuals. But accidents could still occur. Because of this, medical staff should also implement firewalls, encryption, and virus protection on their work devices, especially cell phones. It's also important to ensure that employees are regularly updating these technologies. 


Ensure Privacy

Staff members could violate HIPAA regulations in a less severe way, such as leaving patient information on display to those who enter and leave the premises. For this reason, staff members should always keep patients' folders closed when not in use. Every medical staff member must develop a habit of keeping confidential information private.  


Properly Dispose of Paper Documents

Most healthcare organizations use electronic health records. However, paper files are still often handled. Therefore, medical staff members must appropriately dispose of any documents containing patient information that are no longer needed. Never dispose of these documents in the regular trash.


Never Disclose Login Credentials

Each medical staff member should be issued and use a unique login to access private data in the office. To prevent a HIPAA breach, staff must keep their login information confidential and never disclose it to anybody. 


What steps must a covered entity follow when disclosing PHI?

When disclosing PHI, a covered entity must only share the amount of information required to satisfy the needs of the entity requesting the information (what the regulation refers to as the "minimum necessary" information to satisfy the inquiry), regardless of whether the PHI requires authorization or not. 

For more information on HIPAA for medical office staff visit the U.S. Department of Health & Human Services (HHS) website. 

How to Purchase

To enroll in this course, simply add the number of users you need below and ADD TO CART. Follow the steps for CHECKOUT which will include registering your account.


Course Demo

This demo video is a small example of this course's content; it is not representative of the full course or the level of engagement required.

Learning Objectives

  • Describe the purpose of HIPAA legislation - i.e. HIPAA law
  • Explain the changes implemented by the Omnibus Final Rule
  • Identify the key elements of the Privacy, Security, and Enforcement Rule
  • Explain the process for Breach Notification
  • Illustrate how HIPAA affects his/her role in a Medical Office setting

Target Audience

This course is specific to Medical Office Staff personnel who do not directly provide medical treatment to patients, such as front desk staff, messaging services, billing specialists, janitorial staff, etc.

Table of Contents

HIPAA for Medical Office Staff

(HIPAA Privacy, Security, and Enforcement Training)

Table of Contents:

  • HIPAA for Medical Office Staff
  • Legal Notice
  • Objectives
  • Purpose of Course
  • What is HIPAA?
  • What is Portability?
  • What is Accountability?
  • HITECH and Omnibus Final Rule
  • Who Must Abide by HIPAA Rules?
  • HIPAA Covered Entity
  • Business Associates
  • Expanded Definition of Business Associate
  • Business Associate Agreement
  • Things to Consider within an Office
  • HIPAA Privacy Rule
  • Permitted Use and Disclosure of PHI
  • Authorized Use and Disclosure of PHI
  • Incidental Use and Disclosure of PHI
  • "Minimum Necessary" Principle
  • Notice of Privacy Practices
  • Individual Access to PHI
  • ONC Cures Act Final Rule - 2021/2022 Update
  • CMS Final Rule - 2021/2022 Update
  • More Individual Rights Under the Privacy Rule
  • Administrative Requirements for Privacy Rule Compliance
  • State Law and the Privacy Rule
  • Personal Representatives and Minors Under the Privacy Rule
  • Privacy Rule and Decedents
  • Privacy Rule and Student Disclosures
  • Additional Privacy Considerations within the Office
  • HIPAA Security Rule
  • What Security Measures Must be Used?
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Privacy and Security for Mobile Devices
  • Transaction and Code Set Standards
  • Unique Identifiers Rule
  • HIPAA Breach Notification
  • Breach Notification and Risk Assessment
  • Breach Notification Rule – Exceptions
  • Breach Notification Rule and Unsecured PHI
  • Breach Notification Requirements – Media
  • Breach Notification Requirements – Individual
  • Breach Notification Requirements – Secretary
  • Burden of Proof for Breach Notification
  • Real Life HIPAA Violations and Breaches
  • HIPAA Enforcement Rule
  • Enforcement Rule and Civil Money Penalties
  • Defenses and Waivers for CMP
  • Recent Updates to HIPAA – Opioid Crisis
  • Recent Updates to HIPAA – Cloud Computing
  • End of Course Exam

Course Content Example 1:

Notice of Privacy Practices

Your office is required to provide a Notice of Privacy Practices. These must:

  • Describe the ways PHI may be used and disclosed
  • State your office’s duty to protect privacy
  • Describe individuals’ rights, including the right to complain if they believe privacy rights have been violated
  • Provide a point of contact for further information and for making complaints

Since the Final Rule, Notice of Privacy Practices must also include statements:

  • Indicating that individual authorization is required for most uses and disclosures of PHI regarding psychotherapy notes, for marketing purposes, and for the sale of PHI
  • Informing that authorization is required for any uses and disclosures of PHI not mentioned in the Notice
  • Indicating the right to opt out of fundraising communications
  • Indicating the right to restrict disclosure of PHI when paying out of pocket
  • Indicating a right to be notified of a breach of their PHI

Course Content Example 2:

Things to Consider within the Medical Office

Make sure your policies and procedures are up-to-date and working effectively

  • Do they account for new technology developments, social media, email use, etc.?
  • Perform a thorough and documented risk analysis to determine if there are ways ePHI could be compromised
  • Find ways to correct any areas of concern
  • Do not share computer passwords, and do not make them too easy to guess
  • Always log off computers when you are done
  • Make sure ePHI is encrypted before sending it electronically
  • Keep a record of all mobile devices, such as laptops, tablets, and cell phones, that contain ePHI. Track when they leave the office


Instant Certificate Of Completion Printing Upon Successful Completion Of HIPAA for Medical Office Staff

Free Retakes on Exam Until You Pass

Instant Access: 100% Online - Access 24/7 from Anywhere

No Recurring Fees


Train Anywhere, Anytime

Courses can be accessed from any internet device at anytime.
