HIPAA for Medical Office Staff




Faculty: Becca Kalivas, RN, MS


Successful Completion: Complete entire module, complete the exam with a passing score of 80% or better, and complete the evaluation form.


Estimated Time to Complete Activity: 90 minutes.


Free Certification of Completion available instantly for download or printing upon successful completion.


This course is specific for Medical Office Staff personnel who do not provide medical treatment to patients directly. This course covers the fundamentals of the HIPAA Privacy Rule, the HIPAA Security Rule, and the Enforcement Rule in case of HIPAA violations.

Includes 2021/2022 Updates - ONC 21st Cures Act Final Rule and the CMS Final Rule

The course includes a video and audio component with a stand-alone exam.

Receive HIPAA Certification "Certificate of Completion" with successful completion.

HIPAA for Medical Office Staff FAQs

Who is a Medical Office Staff Member Under HIPAA?

HIPAA Privacy Rule covers: 

  • Health plans 
  • Health care clearinghouses 
  • Healthcare providers who use electronic methods for certain financial and administrative transactions, like payment transfers and billing

These entities, referred to as "covered entities," are subject to privacy rules even if they contract with others as "business associates" to perform some of their critical responsibilities. 

How does the HIPAA Privacy Rule Affect Medical Office Staff?

The Privacy Rule applies to health plans, healthcare clearinghouses, and healthcare providers and controls how a covered entity shares protected health information (PHI) by placing limits and conditions on the uses and disclosures that may be made of such information without an individual's consent. 

Medical office staff are directly affected by the HIPAA rules that apply to them. HIPAA prohibits doctors, nurses, and healthcare organizations from disclosing PHI without patient consent.

Health organizations are in charge of providing HIPAA compliance training to all staff members that handle and interact with medical records. All staff must receive proper HIPAA training to comply with HIPAA regulations, understand their obligations under HIPAA, and assist their employer in safeguarding the security and privacy of PHI.

Informing, educating, and training medical staff on HIPAA standards prevents them from unintentionally breaking the law. Health organizations should spend the time necessary to keep the team informed of the requirements to make the company and the staff HIPAA compliant.

What steps are necessary to be HIPAA compliant in a medical office? 

According to the U.S. Department of Health & Human Services (HHS), to be HIPAA compliant, covered entities must: 

  • Implement written PHI privacy procedures 
  • Appoint a privacy officer 
  • Require their business associates to sign agreements ensuring the confidentiality of PHI 
  • Regularly train all their staff members on privacy and security rule regulations  

Covered entities must also provide patients with the following:  

  • A written notice of the covered entities' privacy practices and access to their medical records 
  • The chance to request modifications to the records 
  • The option to request restrictions on the use or disclosure of their information 
  • The opportunity to request an accounting of any use of PHI 
  • The chance to ask for alternative methods of communicating information 

Covered entities must also set up a procedure for handling complaints that patients can use to file them. Finally, they must take all necessary steps to ensure that PHI is not used for fundraising, marketing, or making decisions regarding benefits or employment. 

Steps that medical office staff should take to avoid HIPAA violations are:  

Enable Firewalls and Encryption

Medical staff members frequently use their cell phones at work. Staff members should keep their cell phones secure and out of the hands of the wrong individuals, but accidents can still occur. Because of this, medical staff should also enable firewalls, encryption, and virus protection on their work devices, especially cell phones. It is also essential to ensure that employees keep these protections regularly updated. 

Ensure Privacy

Staff members can also commit less severe HIPAA violations, such as leaving patient information on display where people entering and leaving the premises can see it. For this reason, staff members should always keep patients' folders closed. Every medical staff member must develop the habit of keeping confidential information private.  

Properly Dispose of Paper Documents

Most healthcare organizations use electronic health records. However, paper files are still often handled. Therefore, medical staff members must appropriately dispose of any documents containing patient information that is no longer needed. Never dispose of these documents in the regular trash.

Never Disclose Login Credentials

Each medical staff member should be issued and use a unique login to access private data in the office. To prevent a HIPAA breach, staff must keep their login information confidential and never disclose it to anybody. 

What steps must a covered entity follow when disclosing PHI?

When disclosing PHI, a covered entity must share only the amount of information required to satisfy the needs of the entity requesting the data (what the regulation refers to as the "minimum necessary" information to satisfy the inquiry), regardless of whether the disclosure requires authorization or not. 

For more information on HIPAA for medical office staff visit the U.S. Department of Health & Human Services (HHS) website. 

How to Purchase

To enroll in this course, simply add the number of users you need below and ADD TO CART. Follow the steps for CHECKOUT which will include registering your account.


Learning Objectives

  • Describe the purpose of HIPAA legislation - i.e. HIPAA law
  • Explain the changes implemented by the Omnibus Final Rule
  • Identify the key elements of the Privacy, Security, and Enforcement Rule
  • Explain the process for Breach Notification
  • Illustrate how HIPAA affects his/her role in a Medical Office setting

Target Audience

This course is specific for Medical Office Staff personnel who do not directly provide medical treatment to patients, such as front desk, messaging services, billing specialists, janitorial staff, etc.

Table of Contents

HIPAA for Medical Office Staff

(HIPAA Privacy, Security, and Enforcement Training)


  • HIPAA for Medical Office Staff
  • Legal Notice
  • Objectives
  • Purpose of Course
  • What is HIPAA?
  • What is Portability?
  • What is Accountability?
  • HITECH and Omnibus Final Rule
  • Who Must Abide by HIPAA Rules?
  • HIPAA Covered Entity
  • Business Associates
  • Expanded Definition of Business Associate
  • Business Associate Agreement
  • Things to Consider within an Office
  • HIPAA Privacy Rule
  • Permitted Use and Disclosure of PHI
  • Authorized Use and Disclosure of PHI
  • Incidental Use and Disclosure of PHI
  • "Minimum Necessary" Principle
  • Notice of Privacy Practices
  • Individual Access to PHI
  • ONC Cures Act Final Rule - 2021/2022 Update
  • CMS Final Rule - 2021/2022 Update
  • More Individual Rights Under the Privacy Rule
  • Administrative Requirements for Privacy Rule Compliance
  • State Law and the Privacy Rule
  • Personal Representatives and Minors Under the Privacy Rule
  • Privacy Rule and Decedents
  • Privacy Rule and Student Disclosures
  • Additional Privacy Considerations within the Office
  • HIPAA Security Rule
  • What Security Measures Must be Used?
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Privacy and Security for Mobile Devices
  • Transaction and Code Set Standards
  • Unique Identifiers Rule
  • HIPAA Breach Notification
  • Breach Notification and Risk Assessment
  • Breach Notification Rule Exceptions
  • Breach Notification Rule and Unsecured PHI
  • Breach Notification Requirements Media
  • Breach Notification Requirements Individual
  • Breach Notification Requirements Secretary
  • Burden of Proof for Breach Notification
  • Real Life HIPAA Violations and Breaches
  • HIPAA Enforcement Rule
  • Enforcement Rule and Civil Money Penalties
  • Defenses and Waivers for CMP
  • Recent Updates to HIPAA Opioid Crisis
  • Recent Updates to HIPAA Cloud Computing
  • End of Course Exam

Course Content Example 1:

Notice of Privacy Practices

Your office is required to provide a Notice of Privacy Practices. These must:

  • Describe the ways PHI may be used and disclosed
  • State your office's duty to protect privacy
  • Describe individuals' rights, including the right to complain if they believe privacy rights have been violated
  • Provide a point of contact for further information and for making complaints

Since the Final Rule, Notice of Privacy Practices must also include statements:

  • Indicating that individual authorization is required for most uses and disclosures of PHI regarding psychotherapy notes, for marketing purposes, and for the sale of PHI
  • Informing that authorization is required for any uses and disclosures of PHI not mentioned in the Notice
  • Indicating the right to opt out of fundraising communications
  • Indicating the right to restrict disclosure of PHI when paying out of pocket
  • Indicating a right to be notified of a breach of their PHI

Course Content Example 2:

Things to Consider within the Medical Office

Make sure your policies and procedures are up-to-date and working effectively

  • Do they account for new technology developments, social media, email use, etc.?
  • Perform a thorough and documented risk analysis to determine if there are ways ePHI could be compromised
  • Find ways to correct any areas of concern
  • Do not share computer passwords or make them too easy to guess
  • Always log off computers when you are done
  • Make sure ePHI is encrypted before sending it electronically
  • Keep a record of all mobile devices, such as laptops, tablets, and cell phones, that contain ePHI. Track when they leave the office


Instant Certificate Of Completion Printing Upon Successful Completion Of HIPAA for Medical Office Staff

3 Attempts to Pass Your Exam

Instant Access: 100% Online - Access 24/7 from Anywhere

No Recurring Fees


Train Anywhere, Anytime

Courses can be accessed from any internet-connected device at any time.