HIPAA for Medical Office Staff




Faculty: Becca Kalivas, RN, MS


Successful Completion: Complete entire module, complete the exam with a passing score of 80% or better, and complete the evaluation form.


Estimated Time to Complete Activity: 90 minutes.


Free Certification of Completion available instantly for download or printing upon successful completion.


This course is designed for medical office staff who do not provide medical treatment to patients directly. It covers the fundamentals of the HIPAA Privacy Rule, the HIPAA Security Rule, and the Enforcement Rule that applies in case of HIPAA violations.

Includes 2021/2022 Updates - ONC 21st Cures Act Final Rule and the CMS Final Rule

The course includes a video and audio component with a stand-alone exam.

Receive HIPAA Certification "Certificate of Completion" with successful completion.

HIPAA for Medical Office Staff FAQs

Who is a Medical Office Staff Member Under HIPAA?

The HIPAA Privacy Rule covers:

  • Health plans 
  • Health care clearinghouses 
  • Healthcare providers who use electronic methods for certain financial and administrative transactions, like payment transfers and billing

These entities, referred to as "covered entities," are subject to privacy rules even if they contract with others as "business associates" to perform some of their critical responsibilities. 

How does the HIPAA Privacy Rule Affect Medical Office Staff?

The Privacy Rule applies to health plans, healthcare clearinghouses, and healthcare providers and controls how a covered entity shares protected health information (PHI) by placing limits and conditions on the uses and disclosures that may be made of such information without an individual's consent. 

Medical office staff are directly affected by the HIPAA rules that apply to them. HIPAA prohibits doctors, nurses, and healthcare organizations from disclosing PHI without patient consent.

Health organizations are in charge of providing HIPAA compliance training to all staff members that handle and interact with medical records. All staff must receive proper HIPAA training to comply with HIPAA regulations, understand their obligations under HIPAA, and assist their employer in safeguarding the security and privacy of PHI.

Informing, educating, and training medical staff on HIPAA standards helps prevent them from unintentionally breaking the law. Health organizations should spend the time necessary to keep the team informed of the requirements so that both the company and the staff remain HIPAA compliant.

What steps are necessary to be HIPAA compliant in a medical office? 

According to the U.S. Department of Health & Human Services (HHS), to be HIPAA compliant, covered entities must: 

  • Implement written PHI privacy procedures 
  • Appoint a privacy officer 
  • Require their business associates to sign agreements ensuring the confidentiality of PHI 
  • Regularly train all their staff members on privacy and security rule regulations  

Covered entities must also provide patients with the following:  

  • A written notice of the covered entities' privacy practices and access to their medical records 
  • The chance to request modifications to the records 
  • The option to request restrictions on the use or disclosure of their information 
  • The opportunity to request an accounting of any use of PHI 
  • The chance to ask for alternative methods of communicating information 

Additionally, covered entities must set up a procedure for handling complaints and for patients to use in filing complaints. Finally, they must take all necessary steps to ensure that PHI is not used for fundraising, marketing, or making decisions regarding benefits or employment. 

Steps that medical office staff should take to avoid HIPAA violations are:  

Enable Firewalls and Encryption

Medical staff members frequently use their cell phones at work and should keep them protected from unauthorized individuals. Because accidents can still occur, medical staff should also enable firewalls, encryption, and virus protection on their work devices, especially cell phones. It is also essential to ensure that employees keep these protections regularly updated. 

Ensure Privacy

Staff members can also commit less severe HIPAA violations, such as leaving patient information on display to those who enter and leave the premises. For this reason, staff members should always keep patients' folders closed. Every medical staff member must develop the habit of keeping confidential information private.  

Properly Dispose of Paper Documents

Most healthcare organizations use electronic health records. However, paper files are still often handled. Therefore, medical staff members must appropriately dispose of any documents containing patient information that is no longer needed. Never dispose of these documents in the regular trash.

Never Disclose Login Credentials

Each medical staff member should be issued and use a unique login to access private data in the office. To prevent a HIPAA breach, staff must keep their login information confidential and never disclose it to anybody. 

What steps must a covered entity follow when disclosing PHI?

When disclosing PHI, a covered entity must share only the amount of information required to satisfy the needs of the entity requesting the data (what the regulation refers to as the "minimum necessary" information to satisfy the inquiry). This applies regardless of whether the disclosure requires an authorization. 
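One way an office system can enforce the "minimum necessary" principle, together with the accounting of disclosures that patients may request (see the list of patient rights above), is to tie each request purpose to an explicit allowlist of fields and refuse any purpose that has no allowlist. The following is an added illustration, not code from the course or from HHS; the flat-dictionary record format, the purpose names, the allowlists and the sample patient values are all constructed assumptions, not a legal determination of what is minimum necessary for any real request.

```python
"""Minimum-necessary filtering for a PHI disclosure.

Added illustration, not code from the course or from HHS. It assumes (an
assumption, not the page's) that a patient record is a flat dict and that
each request purpose maps to an allowlist of fields that purpose needs.
The allowlists are constructed examples, not a legal determination of what
is "minimum necessary" for any real request.
"""
from datetime import datetime, timezone
from typing import Any, Dict, Set

# Constructed purpose -> allowed-field mapping (hypothetical; an office would
# derive its own from its written privacy procedures).
ALLOWED_FIELDS: Dict[str, Set[str]] = {
    "billing": {"patient_id", "name", "date_of_service", "procedure_codes",
                "insurance_id"},
    "appointment_reminder": {"patient_id", "name", "phone",
                             "next_appointment"},
}

# Constructed sample record; every value is fictional.
SAMPLE_RECORD: Dict[str, Any] = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "date_of_birth": "1980-01-01",
    "phone": "555-0100",
    "insurance_id": "INS-12345",
    "date_of_service": "2024-03-01",
    "procedure_codes": ["99213"],
    "diagnoses": ["example diagnosis"],
    "medications": ["example medication"],
    "next_appointment": "2024-04-01",
}


class DisclosureError(ValueError):
    """Raised when a request names a purpose with no defined allowlist."""


def is_permitted_purpose(purpose: str) -> bool:
    """True only if an allowlist has been defined for this purpose."""
    return purpose in ALLOWED_FIELDS


def minimum_necessary(record: Dict[str, Any], purpose: str) -> Dict[str, Any]:
    """Return only the fields the given purpose is allowed to receive.

    Unknown purposes are refused rather than defaulting to the full record,
    so a typo in a request can never widen the disclosure.
    """
    if not is_permitted_purpose(purpose):
        raise DisclosureError(f"no allowlist defined for purpose {purpose!r}")
    allowed = ALLOWED_FIELDS[purpose]
    return {field: value for field, value in record.items() if field in allowed}


def disclosure_log_entry(record: Dict[str, Any], purpose: str,
                         recipient: str) -> Dict[str, Any]:
    """Build an accounting-of-disclosures entry for one release of PHI.

    Records who received which fields, for which purpose, and when, so the
    office can answer a patient's request for an accounting of disclosures.
    """
    disclosed = minimum_necessary(record, purpose)
    return {
        "patient_id": record["patient_id"],
        "recipient": recipient,
        "purpose": purpose,
        "fields_disclosed": sorted(disclosed),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    # A billing request receives procedure and insurance fields but never
    # diagnoses or medications; the log entry records exactly what left.
    print(disclosure_log_entry(SAMPLE_RECORD, "billing", "Example Clearinghouse"))
```

The design choice worth noting is the default: a purpose without an allowlist is an error, not a full-record disclosure, and the log entry is produced from the same filtered view that is actually sent, so the accounting can never claim less than was disclosed.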

For more information on HIPAA for medical office staff, visit the U.S. Department of Health & Human Services (HHS) website. 

Which Organization May Send a Compliance Officer to Inspect a Medical Office?

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is responsible for administering and enforcing the HIPAA Privacy and Security Rules, and may send compliance officers to do so. OCR investigates complaints, conducts compliance reviews, and carries out education and outreach to encourage compliance with the Privacy and Security Rules among covered entities.

How Do I Create a Medical Office Compliance Plan?

The US healthcare industry is heavily regulated by state and federal laws, making it crucial for providers to be aware of complex compliance concerns. Healthcare law specialists can help resolve common regulatory challenges, since simply following contract and business regulations is not enough for effective operations. Medical offices must cope with unique compliance difficulties. The most essential elements of a successful compliance plan are:


  • Putting in place written policies, procedures, and conduct standards that enhance the practice's compliance with applicable laws and regulations
  • Appointing a compliance officer and a compliance committee to oversee the compliance plan
  • Effective and ongoing training and education
  • Establishing effective channels for handling complaints about potential plan violations, ensuring the privacy of complainants, and implementing policies to prevent retaliation
  • Carrying out internal procedures for responding to claims of inappropriate behavior and enforcing appropriate disciplinary action
  • Enforcing standards via widely published disciplinary guidelines
  • Promptly responding to recognized infractions and taking appropriate action

What is Personal Ethics in a Medical Office?

Medical professionals often face moral and ethical dilemmas in their work. To make ethical decisions for patients, they need a solid understanding of medical ethics. The four pillars of medical ethics are respect for autonomy, beneficence, nonmaleficence, and justice. Aspiring doctors must have an ethical commitment to help patients, avoid harm, and respect their beliefs and preferences, making ethics an integral part of clinical medicine.

What Does the Sunshine Act Do?

The Physician Payments Sunshine Act, known as the Sunshine Act, is a federal law that requires producers of medical products such as drugs, medical devices, biologics, or medical supplies to report certain payments and items of value given to physicians and teaching hospitals. The Sunshine Act requires producers to gather specific information on such transfers exceeding $10.

When Was the Sunshine Act Passed?

The Sunshine Act was first proposed in 2007 but wasn’t signed into law until 2010 alongside the Patient Protection and Affordable Care Act.

How to Purchase

To enroll in this course, simply add the number of users you need below and ADD TO CART. Follow the steps for CHECKOUT which will include registering your account.


Learning Objectives

  • Describe the purpose of HIPAA legislation - i.e. HIPAA law
  • Explain the changes implemented by the Omnibus Final Rule
  • Identify the key elements of the Privacy, Security, and Enforcement Rule
  • Explain the process for Breach Notification
  • Illustrate how HIPAA affects his/her role in a Medical Office setting

Target Audience

This course is designed for medical office staff personnel who do not directly provide medical treatment to patients, such as front desk staff, messaging services, billing specialists, janitorial staff, etc.

Table of Contents

HIPAA for Medical Office Staff

(HIPAA Privacy, Security, and Enforcement Training)

  • HIPAA for Medical Office Staff
  • Legal Notice
  • Objectives
  • Purpose of Course
  • What is HIPAA?
  • What is Portability?
  • What is Accountability?
  • HITECH and Omnibus Final Rule
  • Who Must Abide by HIPAA Rules?
  • HIPAA Covered Entity
  • Business Associates
  • Expanded Definition of Business Associate
  • Business Associate Agreement
  • Things to Consider within an Office
  • HIPAA Privacy Rule
  • Permitted Use and Disclosure of PHI
  • Authorized Use and Disclosure of PHI
  • Incidental Use and Disclosure of PHI
  • "Minimum Necessary" Principle
  • Notice of Privacy Practices
  • Individual Access to PHI
  • ONC Cures Act Final Rule - 2021/2022 Update
  • CMS Final Rule - 2021/2022 Update
  • More Individual Rights Under the Privacy Rule
  • Administrative Requirements for Privacy Rule Compliance
  • State Law and the Privacy Rule
  • Personal Representatives and Minors Under the Privacy Rule
  • Privacy Rule and Decedents
  • Privacy Rule and Student Disclosures
  • Additional Privacy Considerations within the Office
  • HIPAA Security Rule
  • What Security Measures Must be Used?
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Privacy and Security for Mobile Devices
  • Transaction and Code Set Standards
  • Unique Identifiers Rule
  • HIPAA Breach Notification
  • Breach Notification and Risk Assessment
  • Breach Notification Rule Exceptions
  • Breach Notification Rule and Unsecured PHI
  • Breach Notification Requirements Media
  • Breach Notification Requirements Individual
  • Breach Notification Requirements Secretary
  • Burden of Proof for Breach Notification
  • Real Life HIPAA Violations and Breaches
  • HIPAA Enforcement Rule
  • Enforcement Rule and Civil Money Penalties
  • Defenses and Waivers for CMP
  • Recent Updates to HIPAA Opioid Crisis
  • Recent Updates to HIPAA Cloud Computing
  • End of Course Exam

Course Content Example 1:

Notice of Privacy Practices

Your office is required to provide a Notice of Privacy Practices. These must:

  • Describe the ways PHI may be used and disclosed
  • State your office's duty to protect privacy
  • Describe individuals' rights, including the right to complain if they believe privacy rights have been violated
  • Provide a point of contact for further information and for making complaints

Since the Final Rule, Notice of Privacy Practices must also include statements:

  • Indicating that individual authorization is required for most uses and disclosures of PHI regarding psychotherapy notes, for marketing purposes, and for the sale of PHI
  • Informing that authorization is required for any uses and disclosures of PHI not mentioned in the Notice
  • Indicating the right to opt out of fundraising communications
  • Indicating the right to restrict disclosure of PHI when paying out of pocket
  • Indicating a right to be notified of a breach of their PHI

Course Content Example 2:

Things to Consider within the Medical Office

Make sure your policies and procedures are up to date and working effectively:

  • Do they account for new technology developments, social media, email use, etc.?
  • Perform a thorough and documented risk analysis to determine if there are ways ePHI could be compromised
  • Find ways to correct any areas of concern
  • Do not share computer passwords, and do not make them too easy to guess
  • Always log off computers when you are done
  • Make sure ePHI is encrypted before sending it electronically
  • Keep a record of all mobile devices, such as laptops, tablets, and cell phones, that contain ePHI, and track when they leave the office


Download Certificate of Completion Immediately

3 Attempts to Pass Your Exam

Instant Access: 100% Online - Access 24/7 from Anywhere

No Recurring Fees


Train Anywhere, Anytime

Courses can be accessed from any internet-connected device at any time.