Security

Ransomware hit 389 healthcare organizations last year. Is your team the last line of defense?

Healthcare is the most targeted industry for cyberattacks. The HIPAA Security Rule requires covered entities to train every workforce member on electronic PHI safeguards. EZBunny's Security Rule course covers what your team actually needs to know - and what to do when something goes wrong.


HIPAA Security Rule training is required for all workforce members under 45 CFR 164.308(a)(5). Annual refresher is widely accepted best practice.

Proposed changes to the HIPAA Security Rule (Final Rule expected May 2026) may significantly expand these requirements - including mandatory encryption and enhanced risk analysis documentation. Train your team now.

Course Details

  • Duration: 25 minutes
  • Category: HIPAA / Security
  • Authority: HIPAA Security Rule
  • Format: Online, self-paced

NPRM Notice: Proposed changes to the HIPAA Security Rule (Final Rule expected May 2026) may expand these requirements, including mandatory encryption for all ePHI and enhanced risk analysis standards.

What your team will learn

  • What electronic protected health information (ePHI) is and why it requires special protections
  • Administrative safeguards - risk analysis, workforce training, access management policies
  • Physical safeguards - workstation security, device controls, facility access restrictions
  • Technical safeguards - encryption, unique user IDs, automatic logoff, audit controls
  • How to respond to a suspected security incident or breach involving ePHI
  • Password hygiene, device security, and phishing recognition basics

Who needs this training?

Requirements vary by organization type. R = Required by federal/state regulation. S = Strongly recommended (accreditation or best practice).

| Practice Type | Status | Authority |
|---|---|---|
| Physician Practices & Medical Groups | Required | 45 CFR 164.308(a)(5) |
| Dental Offices | Required | 45 CFR 164.308 |
| Urgent Care Centers | Required | 45 CFR 164 |
| Home Health Agencies | Required | 45 CFR 164 |
| Behavioral Health & SUD Treatment | Required | 45 CFR 164 |
| Chiropractic Offices | Required | 45 CFR 164.308 |
| Physical Therapy & Rehab Clinics | Required | 45 CFR 164.308 |
| Ambulatory Surgery Centers (ASCs) | Required | 45 CFR 164 |
| Pharmacies | Required | 45 CFR 164 |
| Mental Health Private Practices | Required | 45 CFR 164 |
| Community Health Centers (FQHCs) | Required | 45 CFR 164 |
| Telehealth Providers | Required | 45 CFR 164 |

Role-specific notes

  • Clinical staff with system access: Password hygiene, screen lock practices, device security for tablets and laptops
  • IT / EHR administrators: Full security rule requirements - managing access controls, audit log review, technical safeguard setup
  • Front desk / scheduling: Workstation security, unique login credentials, how to recognize phishing attempts
  • Remote / home health staff: Mobile device security, working on unsecured networks, lost device procedures
  • Management / compliance: Risk analysis obligations, workforce sanctions policy, security incident response procedures


Common HIPAA Security Rule questions

What does HIPAA Security Rule training cover?

HIPAA Security Rule training covers the administrative, physical, and technical safeguards required to protect electronic protected health information (ePHI). Administrative safeguards include risk analysis, access management, and workforce training programs. Physical safeguards cover workstation security and device controls. Technical safeguards address encryption, unique user authentication, automatic logoff, and audit logging. The course also covers breach response procedures and how to handle a lost or stolen device.

What is the difference between the HIPAA Privacy Rule and Security Rule?

The Privacy Rule covers all PHI in any form (paper, verbal, electronic) and governs what you can do with it. The Security Rule applies only to electronic PHI (ePHI) and governs how you protect it technically. Most healthcare organizations need both. The Privacy Rule establishes patient rights and disclosure rules. The Security Rule mandates the technical controls - encryption, access logs, risk analysis - that make those protections real in digital systems.

Who must complete HIPAA Security Rule training?

All workforce members of a covered entity who access electronic systems containing ePHI must complete Security Rule training, under 45 CFR 164.308(a)(5). This includes clinicians, front desk staff, billing, IT, and management. The training helps every staff member understand why password policies, screen locks, and device encryption exist - and what their personal role is in keeping patient data secure.

Does the HIPAA Security Rule require a risk assessment?

Yes. A risk analysis is an explicit requirement under 45 CFR 164.308(a)(1). Covered entities must conduct an accurate and thorough assessment of risks and vulnerabilities to ePHI confidentiality, integrity, and availability. HHS OCR has cited missing risk analyses as one of the most common violations in enforcement actions. The Security Rule course explains what a risk analysis must include and how workforce members support the ongoing process.

Get your entire team trained on HIPAA Security

25 minutes per person. Certificate on completion. Start your 14-day free trial now.


Regulatory Disclaimer

Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. Proposed changes to the HIPAA Security Rule (Final Rule expected May 2026) may expand these requirements. State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: April 2026.