One click on a fake password reset. 190,000 patient records exposed. A $600,000 settlement.

Phishing is the most common cyberattack in healthcare, and risk analysis is HIPAA's most-cited enforcement requirement. EZBunny's course teaches your team to recognize phishing attempts, understand the five steps of risk analysis, and take action that protects electronic patient data.

HIPAA requires risk analysis under 45 CFR 164.308(a)(1) and security awareness training under 45 CFR 164.308(a)(5).

Course Details

  • Duration: 20 minutes
  • Category: Technology
  • Authority: HIPAA Security Rule
  • Format: Online, self-paced

What your team will learn

  • Why risk analysis is HIPAA's most frequently cited requirement
  • The five steps of a HIPAA risk analysis
  • How to spot phishing emails, texts, and voice calls (vishing)
  • What to do when you identify a suspected phishing attempt
  • Organizational defenses (email filtering, MFA, access controls)
  • Your individual role in your organization's cybersecurity posture

Who needs this training?

Recommended for all HIPAA-covered entities. Status key: Required = required by regulation; Recommended = strongly recommended.

| Practice Type | Status | Authority |
| --- | --- | --- |
| Telehealth Providers | Required | HIPAA Security Rule (heightened risk) |
| Physician Practices & Medical Groups | Recommended | HIPAA Security Rule, 45 CFR 164.308(a)(5) |
| Dental Offices | Recommended | HIPAA Security Rule |
| Urgent Care Centers | Recommended | HIPAA Security Rule |
| Home Health Agencies | Recommended | HIPAA Security Rule |
| Behavioral Health & SUD Treatment | Recommended | HIPAA Security Rule |
| Ambulatory Surgery Centers (ASCs) | Recommended | HIPAA Security Rule |
| Pharmacies | Recommended | HIPAA Security Rule |
| Community Health Centers (FQHCs) | Recommended | HIPAA Security Rule |
| Mental Health Private Practices | Recommended | HIPAA Security Rule |
| Chiropractic Offices | Recommended | HIPAA Security Rule |
| Physical Therapy & Rehab Clinics | Recommended | HIPAA Security Rule |

Which roles must complete this training?

All staff who have email access or who handle electronic PHI:

  • IT / EHR Administrators: Primary cybersecurity responsibility and incident response
  • Front Desk / Schedulers: Common phishing targets due to high email volume
  • Billing Staff: Targeted by invoice and payment fraud schemes
  • Practice Managers: Risk analysis oversight and policy enforcement
  • Compliance Officers: Risk analysis documentation and regulatory reporting

HIPAA requires security awareness training. Best practice is annual training with periodic simulated phishing exercises.

Common Phishing & Risk Analysis training questions

Why is risk analysis HIPAA's most-cited requirement?

OCR has cited inadequate or missing risk analysis as a factor in the majority of HIPAA enforcement actions. Risk analysis under 45 CFR 164.308(a)(1) is the foundation of the Security Rule - without it, organizations cannot identify vulnerabilities or implement appropriate safeguards. It is the starting point for all other security measures.

What are the most common phishing tactics targeting healthcare?

The most common tactics include fake password reset emails, spoofed vendor invoices, urgent "IT support" requests, compromised internal accounts forwarding malicious links, and SMS phishing (smishing) posing as scheduling or prescription notifications. Healthcare is a prime target because of the value of medical records and the time pressure staff work under.

What should I do if I click a suspicious link?

Disconnect from the network immediately, do not enter any credentials, report the incident to your IT security team and supervisor, and document what happened. Speed matters - the faster you report, the faster your organization can contain potential damage. Do not try to investigate on your own or delete the email.

How often should phishing training occur?

HIPAA requires security awareness training but does not specify frequency. Best practice is at least annual training with periodic simulated phishing exercises throughout the year. Organizations with high turnover should train at onboarding and quarterly. The key is consistency - one-time training does not build lasting awareness.

Train your team to spot phishing before it costs you a breach

20 minutes per person. Certificate on completion. Start your 14-day free trial now.
Regulatory Disclaimer

Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: April 2026.