Your team handles patient data all day. Do they know what they're allowed to do with it?
Scheduling calls, intake forms, insurance verifications, referrals, after-visit summaries. Every touchpoint involves protected health information. EZBunny's HIPAA Privacy Rule course teaches your entire workforce exactly what the rules require - and what's off limits.
Start 14-day free trial
HIPAA Privacy Rule training is required for all workforce members of covered entities under 45 CFR 164.530(b). An annual refresher is widely accepted best practice.
Course Details
35 minutes
HIPAA / Privacy
HIPAA Privacy Rule
Online, self-paced
What your team will learn
- What counts as protected health information (PHI) and how it is defined under HIPAA
- Patients' rights to access, amend, and restrict their own health information
- Permissible uses and disclosures - when sharing is allowed and when it is not
- The minimum necessary standard and how to apply it in daily work
- Notice of privacy practices requirements and patient authorization rules
- How to respond to patient requests and handle potential privacy complaints
Who needs this training?
Requirements vary by organization type. Required = required by federal or state regulation. Strongly recommended = accreditation or best practice.
| Practice Type | Status | Authority |
|---|---|---|
| Physician Practices & Medical Groups | Required | 45 CFR 164.530(b) |
| Dental Offices | Required | 45 CFR 164 |
| Urgent Care Centers | Required | 45 CFR 164 |
| Home Health Agencies | Required | 45 CFR 164 |
| Behavioral Health & SUD Treatment | Required | 45 CFR 164 |
| Chiropractic Offices | Required | 45 CFR 164 |
| Physical Therapy & Rehab Clinics | Required | 45 CFR 164 |
| Ambulatory Surgery Centers (ASCs) | Required | 45 CFR 164 |
| Pharmacies | Required | 45 CFR 164 |
| Mental Health Private Practices | Required | 45 CFR 164 |
| Community Health Centers (FQHCs) | Required | 45 CFR 164 |
| Telehealth Providers | Required | 45 CFR 164 |
Role-specific notes
Every workforce member who accesses PHI must complete this training. Role-specific depth varies:
- Clinical staff (physicians, nurses, therapists): Patient rights, treatment disclosures, minimum necessary in clinical context
- Front desk / scheduling: PHI on phone calls, intake forms, appointment reminders, who is allowed to pick up records
- Billing / coding: Minimum necessary for claim submissions, third-party billing company BAA requirements
- IT / EHR staff: Access control configurations, audit log obligations, system-level PHI protections
- Management / compliance: Workforce sanctions, breach reporting obligations, Notice of Privacy Practices maintenance
State-specific notes
- If you operate in California: CMIA (Confidentiality of Medical Information Act) imposes stricter rules on marketing uses and research access to medical information
- If you operate in Texas: HB 300 requires privacy training within 90 days of hire; penalties up to $1.5M per incident, stricter than federal HIPAA
- If you operate in New York: annual sexual harassment prevention training is required; mandatory reporter obligations apply to most healthcare workers
- If you operate in Florida: HIV/AIDS training required for applicable licensed practitioners per FL Statute 381.0034
- If you operate in Illinois: BIPA (Biometric Information Privacy Act) restricts collection of biometric data including fingerprints and facial scans used in patient identification systems; the Personal Information Protection Act requires notification and safeguards for personal health data
Common HIPAA Privacy Rule questions
What does HIPAA Privacy Rule training cover?
HIPAA Privacy Rule training covers patients' rights, permissible PHI uses and disclosures, the minimum necessary standard, and workforce obligations. The course covers what counts as PHI, when sharing is allowed (treatment, payment, operations) and when it is not, patient rights to access and amend their records, and how to handle common situations like family member requests, phone calls, and records requests.
Who is required to take HIPAA Privacy Rule training?
All workforce members of a covered entity (CE) who access or handle PHI must complete HIPAA Privacy Rule training under 45 CFR 164.530(b). This applies to employees, volunteers, trainees, and contractors - not just clinical staff. Front desk, billing, IT, and management all need training. The requirement kicks in for new hires and whenever relevant policies materially change.
How often should HIPAA Privacy Rule training be completed?
HIPAA does not mandate a specific frequency, but annual refresher training is widely accepted best practice across the healthcare industry. The regulations require training at hire and when policies materially change. HHS strongly recommends periodic refreshers. Many state regulators and accreditation bodies (Joint Commission, AAAHC, URAC) reinforce annual training as the standard of care for compliance programs.
What is the minimum necessary standard under HIPAA?
The minimum necessary standard requires limiting PHI access, use, and disclosure to what is actually needed for the task at hand. Staff should not access records unrelated to their work. A front desk coordinator typically does not need clinical notes; a billing specialist typically does not need records of patients they are not billing for. Role-based access controls in your EHR system help enforce this automatically - and training helps staff understand why the rules exist.
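Minimum necessary is least privilege applied to PHI: each role gets only the data categories its job needs, and every request, allowed or denied, leaves an audit record. The following Python is an added illustration of that idea and is not code from the EZBunny course or any EHR product; the role names, PHI categories, billing-queue rule and the sample patient record are all constructed assumptions for the example.

```python
"""Added example: a role-based PHI access check that applies the minimum
necessary standard and records every decision in an audit log.
Roles, PHI categories and the sample record are constructed, not taken
from any real EHR system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# PHI categories a patient record may contain (constructed for this example).
DEMOGRAPHICS = "demographics"      # name, date of birth, contact details
SCHEDULING = "scheduling"          # appointment dates and times
INSURANCE = "insurance"            # payer, member ID
BILLING_CODES = "billing_codes"    # procedure/diagnosis codes on a claim
CLINICAL_NOTES = "clinical_notes"  # visit notes, diagnoses, medications

# Minimum necessary policy: each role sees only the categories its work needs.
# A front desk coordinator never sees clinical notes; billing never does either.
ROLE_POLICY = {
    "front_desk": {DEMOGRAPHICS, SCHEDULING, INSURANCE},
    "billing": {DEMOGRAPHICS, INSURANCE, BILLING_CODES},
    "clinician": {DEMOGRAPHICS, SCHEDULING, CLINICAL_NOTES},
}

# Constructed sample record for one fictitious patient.
SAMPLE_RECORD = {
    DEMOGRAPHICS: {"name": "Pat Example", "dob": "1980-01-01"},
    SCHEDULING: {"next_visit": "2026-05-02 09:30"},
    INSURANCE: {"payer": "Example Health Plan", "member_id": "X000000"},
    BILLING_CODES: {"cpt": ["99213"], "icd10": ["J06.9"]},
    CLINICAL_NOTES: {"note": "URI, supportive care advised."},
}


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    role: str
    patient_id: str
    purpose: str
    released: tuple   # categories actually returned
    withheld: tuple   # categories present in the record but not returned
    allowed: bool     # False when nothing at all was released


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, **kwargs) -> None:
        self.entries.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(), **kwargs))

    def denials(self) -> list:
        """Entries where nothing was released; a reviewer's first stop."""
        return [e for e in self.entries if not e.allowed]


def minimum_necessary_view(user, role, patient_id, purpose, record, audit,
                           billing_queue=frozenset()):
    """Return only the PHI categories `role` needs and log the decision.

    Rules (constructed for this example):
      - an unknown role gets nothing released
      - billing staff see only patients on their own work queue
      - every other role receives exactly the categories in ROLE_POLICY
    """
    permitted = ROLE_POLICY.get(role, set())
    if role == "billing" and patient_id not in billing_queue:
        permitted = set()  # not this specialist's claim: release nothing
    released = {cat: data for cat, data in record.items() if cat in permitted}
    withheld = sorted(cat for cat in record if cat not in permitted)
    audit.record(user=user, role=role, patient_id=patient_id, purpose=purpose,
                 released=tuple(sorted(released)), withheld=tuple(withheld),
                 allowed=bool(released))
    return released


if __name__ == "__main__":
    log = AuditLog()
    view = minimum_necessary_view("fd01", "front_desk", "P-1", "scheduling",
                                  SAMPLE_RECORD, log)
    print(sorted(view))        # no clinical_notes for the front desk
    minimum_necessary_view("bl07", "billing", "P-1", "claim", SAMPLE_RECORD, log)
    print(len(log.denials()))  # P-1 is not on bl07's queue, so this is a denial
```

The policy table is the part a compliance officer reviews; the audit log is the part an investigator reads after a complaint. Keeping both in one place makes "who saw what, and why" answerable without reconstructing it from raw EHR logs.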
Get your entire team trained on HIPAA Privacy
35 minutes per person. Certificate on completion. Start your 14-day free trial now.
Start 14-day free trial
Regulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: April 2026.