All courses
The Security Rule, read the way OCR reads it

HIPAA Security Fundamentals for Practice Leaders

Built for the practice administrator, compliance officer, or operations lead who owns HIPAA security without a CISO. You'll leave able to run a defensible risk-analysis process, read a BAA critically, and answer a carrier or investigator from evidence instead of intentions.

4 modules · 12 lessons~5.6 hoursCompletion certificate

Early-access pricing — final pricing set at launch. Secure checkout via Stripe.

Who this is for

Practice administrators, compliance/privacy officers, COOs at clinics and small hospitals

What you walk away with

  • A working asset-inventory and data-flow method you can maintain quarterly
  • The six artifacts OCR asks for, and how to produce each
  • A BAA review checklist applied to your real vendor list
  • Evidence packets that answer insurance questionnaires without guesswork

Curriculum

Module 1

The Rule and the Enforcer

What 45 CFR §§164.308–316 actually requires, and how a decade of OCR Resolution Agreements tells you which items carry enforcement weight.

  • How to Read the Security Rule

    Navigate §§164.308–316 by safeguard family and know which specifications apply to your practice.

    25 min
  • What OCR Actually Enforces

    Read Resolution Agreements to identify the controls that repeatedly anchor corrective action plans.

    30 min
  • The 2024 NPRM and What's Changing

    Understand how the proposed rule (90 Fed. Reg. 898) reshapes addressable specifications, SRA cadence, and inventory expectations.

    20 min

Module 2

The Risk Analysis That Survives

The §164.308(a)(1)(ii)(A) analysis done properly: inventory, threats, ratings with rationale, and a remediation plan with owners.

  • An Asset Inventory That Counts

    Build a device-level inventory and data-flow diagram that an investigator would accept as the SRA's foundation.

    35 min
  • Threats, Likelihood, and Impact — With Rationale

    Enumerate practice-specific threats and justify every likelihood/impact rating in writing.

    35 min
  • Remediation With Owners and Dates

    Turn findings into a roadmap that closes — and document closure as evidence.

    25 min

Module 3

Vendors, BAAs, and the Data You Don't Hold

Most clinic ePHI lives with vendors. Reading BAAs critically, reconciling them against the data-flow map, and handling the AI-vendor wave.

  • Reading a BAA Critically

    Check a BAA for the clauses that matter: subprocessors, retention, breach windows, training use.

    30 min
  • The BAA Reconciliation

    Reconcile the BAA file against the data-flow diagram and close the gaps in priority order.

    25 min
  • AI Vendors and PHI

    Apply an intake process to AI scribes and embedded AI features before they become load-bearing.

    30 min

Module 4

Evidence, Insurance, and Answering Hard Questions

Turning the program into producible evidence: carrier questionnaires, OCR data requests, and the documentation habit that makes both routine.

  • The Evidence Habit

    Set up the documentation cadence (45 CFR §164.316) so evidence exists before anyone asks.

    25 min
  • Surviving the Insurance Questionnaire

    Map carrier questions to evidence and never attest to a control you can't produce.

    30 min
  • When OCR Writes

    Handle a data request or investigation opening: counsel, scope, and the first 30 days.

    25 min

Early-access pricing — final pricing set at launch. Secure checkout via Stripe.

HIPAA Security Fundamentals for Practice Leaders — Diallo Security Advisors Academy