HIPAA Security Fundamentals for Practice Leaders
Built for the practice administrator, compliance officer, or operations lead who owns HIPAA security without a CISO. You'll leave able to run a defensible risk-analysis process, read a BAA critically, and answer a carrier or investigator from evidence instead of intentions.
Early-access pricing — final pricing set at launch. Secure checkout via Stripe.
Who this is for
Practice administrators, compliance/privacy officers, COOs at clinics and small hospitals
What you walk away with
- A working asset-inventory and data-flow method you can maintain quarterly
- The six artifacts OCR asks for, and how to produce each
- A BAA review checklist applied to your real vendor list
- Evidence packets that answer insurance questionnaires without guesswork
Curriculum
Module 1
The Rule and the Enforcer
What 45 CFR §§164.308–316 actually requires, and how a decade of OCR Resolution Agreements tells you which items carry enforcement weight.
- 25 min
How to Read the Security Rule
Navigate §§164.308–316 by safeguard family and know which specifications apply to your practice.
- 30 min
What OCR Actually Enforces
Read Resolution Agreements to identify the controls that repeatedly anchor corrective action plans.
- 20 min
The 2024 NPRM and What's Changing
Understand how the proposed rule (90 Fed. Reg. 898) reshapes addressable specifications, SRA cadence, and inventory expectations.
Module 2
The Risk Analysis That Survives
The §164.308(a)(1)(ii)(A) analysis done properly: inventory, threats, ratings with rationale, and a remediation plan with owners.
- 35 min
An Asset Inventory That Counts
Build a device-level inventory and data-flow diagram that an investigator would accept as the SRA's foundation.
- 35 min
Threats, Likelihood, and Impact — With Rationale
Enumerate practice-specific threats and justify every likelihood/impact rating in writing.
- 25 min
Remediation With Owners and Dates
Turn findings into a roadmap that closes — and document closure as evidence.
Module 3
Vendors, BAAs, and the Data You Don't Hold
Most clinic ePHI lives with vendors. Reading BAAs critically, reconciling them against the data-flow map, and handling the AI-vendor wave.
- 30 min
Reading a BAA Critically
Check a BAA for the clauses that matter: subprocessors, retention, breach windows, training use.
- 25 min
The BAA Reconciliation
Reconcile the BAA file against the data-flow diagram and close the gaps in priority order.
- 30 min
AI Vendors and PHI
Apply an intake process to AI scribes and embedded AI features before they become load-bearing.
Module 4
Evidence, Insurance, and Answering Hard Questions
Turning the program into producible evidence: carrier questionnaires, OCR data requests, and the documentation habit that makes both routine.
- 25 min
The Evidence Habit
Set up the documentation cadence (45 CFR §164.316) so evidence exists before anyone asks.
- 30 min
Surviving the Insurance Questionnaire
Map carrier questions to evidence and never attest to a control you can't produce.
- 25 min
When OCR Writes
Handle a data request or investigation opening: counsel, scope, and the first 30 days.
Early-access pricing — final pricing set at launch. Secure checkout via Stripe.