HIPAA Privacy and Security Rules

(based on 8282 customer ratings)

Authors: Debbie Sabatino; Julia Clendenin; and Paul Fekete, MD FCAP
Reviewer: Stephanie Mihane, MLS(ASCP)CM

This course, using examples specific to the clinical laboratory, covers the HIPAA privacy regulations and treatment of protected health information (PHI) in a succinct manner. Content is directed at laboratory staff, from desk personnel to phlebotomists to medical technologists. Includes numerous interactive case studies. Appropriate for annual HIPAA training for laboratory staff. Key areas covered include technical and physical safeguards, minimum necessary standard, administrative requirements, and authorization.

Continuing Education Credits


  • Define HIPAA.
  • Define "covered entities" and "business associates" and list which individuals, groups, or organizations are included in each category.
  • Explain what is meant by protected health information, who is authorized to view this information, and what safeguards are in place to prevent unauthorized access.
  • Apply HIPAA privacy and security requirements to your daily clinical responsibilities.

Course Outline

  • Overview of HIPAA
      • What is HIPAA?
      • What Information is Protected?
      • Covered Entities
      • Business Associates
      • All of the following are considered protected health information EXCEPT for:
      • Which of the following individuals, organizations, or agencies are covered by HIPAA?
      • All of the following are examples of HIPAA-regulated business associates EXCEPT for:
      • HIPAA Rules and Acts
  • HIPAA Privacy Rule
    • Privacy Rule Introduction
      • What is the HIPAA Privacy Rule?
      • The HIPAA Privacy Rule
      • Administrative Requirements
    • Patients' Rights
      • Patients' Rights Under HIPAA
      • Notice of Privacy Practices
      • Case Study: Accessing PHI You are answering the office phone today. A person claiming to be a patient, whose voice you do not recognize, calls demand...
    • Privacy Rule Safeguards
      • Privacy Rule Safeguards
      • Physical Safeguards
      • Administrative Safeguards
      • Technical Safeguards
      • Case Study: Incidental Disclosures and Safeguards As a manager, you guided a group of students through your clinical laboratory. You did not explain t...
    • Use and Disclosure of PHI
      • Patient Authorization
      • Limiting Use and Disclosure of PHI
      • Case Study: AuthorizationYou are working in a physician's office. The doctor orders laboratory and other diagnostic tests on a patient with suspected ...
      • Case Study: Limiting Use and Disclosure of PHI You are the customer service representative in a clinical laboratory. You get a call from a nurse at on...
      • Minimum Necessary Use and Disclosure
      • Case Study: Minimum Necessary Use and Disclosure You are a ward clerk responsible for inserting laboratory reports into a patient's medical records. Y...
      • Case Study: Minimum Necessary Use and Disclosure You are a phlebotomist at a specimen collection center. A patient arrives with orders for a blood gl...
      • De-Identified Health Information
      • Case Study: De-identified Health InformationYou work in a laboratory microbiology department that provides a local nursing home with information about...
  • HIPAA Security Rule
    • Security Rule Introduction
      • What is the HIPAA Security Rule?
      • Security Officer Requirement
    • Security Rule Safeguards
      • Security Rule Safeguards
      • Physical Safeguards
      • Case Study: Physical SafeguardsYou are a supervisor of a health clinic. During orientation of a new employee, you instruct him to keep the door leadin...
      • Administrative Safeguards
      • Case Study: Administrative Safeguards You are the scientist in charge of the hematology department in a hospital laboratory. The laboratory manager a...
      • Technical Safeguards: System Access Control
      • Technical Safeguards: Passwords
      • Technical Safeguards: Protection Against Viruses and Malicious Software
      • Technical Safeguards: Email Security
      • Technical Safeguards: Summary
      • Case Study: Technical SafeguardsYou have several sets of logins and passwords to access various information systems. The login is your own first initi...
  • HITECH Act
      • What is the HITECH Act?
      • Filing a HIPAA Violation
      • HIPAA Violation Penalties
      • Increased Business Associate Liability
      • HIPAA Breach Notification Rule
  • Omnibus Rule
      • What is the Omnibus Rule?
      • Stronger Patients' Rights
      • Privacy and Security Rule Modifications
      • HITECH Act Enforcements and Modifications
      • The Omnibus Rule created which of the following modifications?
  • Conclusion
      • HIPAA Discretions As a Result of COVID-19
      • Follow your Facilities' Policies and Procedures
  • References
      • References

Additional Information

Intended Audience: All health care personnel
Level of Instruction: Basic 
Authors' Information:
Debbie Sabatino has over 20 years of progressive technical, operational, business development and risk management experience in the health care field. Currently, she is the Senior Manager, Enterprise Risk at McMaster University. Previously, she held the position of Director, Privacy for MDS Laboratory Services, which includes both Canadian and US Operations. As privacy expert for the organization, Ms. Sabatino is responsible for the development, implementation and ongoing success of the Laboratory Services privacy program as well as the company’s global privacy approach. Debbie is a member of the International Association of Privacy Officers (IAPO), and the Conference Board of Canada Chief Privacy Officers Council.
Julia Clendenin is a content and graphics developer for MediaLab, Inc. She graduated from Georgia Institute of Technology with a B.S. in Biochemistry and a B.S. in Literature, Media, and Communication. 
Paul Fekete, MD is the CEO of MediaLab, Inc. He was formerly Assistant Professor of Pathology at Emory University, and was Director of Laboratories for Gwinnett Health System, near Atlanta. Dr. Fekete has extensive experience teaching, and is the author of numerous journal articles, and several book chapters. He additionally has extensive experience in instructional design.
Reviewer information
Stephanie Mihane, MLS(ASCP)CM, is a retired laboratory professional with over 35 years of experience as a generalist.  She also worked as the Point-of-Care Coordinator for 15 years at Kaiser Permanente -Colorado Region.  Stephanie also served on the ASCLS Board of Directors for Region VIII from 2019 until 2022.  

This course is part of: