HIPAA Compliance Self-Learning Hands-On Practice Lab

Self-Learning Practice Instructions

Complete each section independently. Answers and explanations are hidden until you submit your response.

Learner Instructions

Complete each practice section in order.
Read the scenario carefully.
Select or write your answer.
Click Submit Answer.
Review the correct answer and explanation after submission.
Use the explanation to understand the HIPAA rule or safeguard involved.

Learning Goals

Identify PHI and ePHI in daily healthcare work.
Apply the Minimum Necessary Standard.
Recognize Privacy Rule, Security Rule, and safeguard failures.
Decide when to report a HIPAA incident or potential breach.
Apply HIPAA thinking to telehealth, EHR, billing, testing, and system support work.

PHI Identification Exercises

Decide whether the information is PHI, Non-PHI, or PHI/ePHI. Submit your answers to review feedback.

Exercise 1: PHI or Non-PHI?

Information	Your Answer
Patient full name with diagnosis
Medical Record Number
Hospital cafeteria menu
Appointment date with patient name
De-identified health survey with no identifiers
Insurance member ID
Patient portal username linked to patient profile
Lab result attached to patient account

Exercise 2: Quick Check

A learner says: “If the patient name is removed, it is always safe to share the file.”

True False

HIPAA Privacy Rule Practice

Focus: patient privacy, appropriate use and disclosure, patient rights, and minimum necessary access.

Scenario 1: Family Member Request

A patient’s sister calls the front desk and asks for the patient’s lab results. She says, “I am family, so you can tell me.”

Question: What should the staff member do?

Scenario 2: Minimum Necessary

A scheduling team member opens a patient’s complete clinical record while only confirming the patient’s appointment time.

This is a minimum necessary concern. This is acceptable because the employee works in healthcare.

Scenario 3: Elevator Discussion

Two employees discuss a patient’s treatment plan in an elevator where visitors can hear the conversation.

HIPAA Security Rule Practice

Focus: ePHI protection, access controls, authentication, encryption, audit logs, workstation security, and secure transmission.

Scenario 1: Personal Email

A nurse emails a patient’s lab report to a coworker using a personal Gmail account because the work email is slow.

Acceptable if the coworker needs it. Not acceptable; use approved secure communication methods.

Scenario 2: Shared Password

A coworker forgot their login and asks to use your EHR username and password to quickly print a report.

Scenario 3: Unlocked Workstation

An employee leaves the workstation unlocked with a patient chart open while going to lunch.

Lock the screen before leaving. Leave it open if returning soon. Secure any printed PHI. Ask another employee to watch the screen.

Role-Based Access Control Practice

Focus: least privilege, job-based access, and access review.

Exercise: Access Decision Matrix

Select the best access decision for each role-based scenario.

Role	Scenario	Your Access Decision
Physician	Needs chart for active treatment
Billing Specialist	Needs diagnosis and claim details for billing
Developer	Wants production data to test a UI issue
Marketing Team	Wants patient list for campaign
Business Analyst	Needs sample claims workflow for requirements

BA/System Analyst Practice

A Business Analyst is documenting requirements for a telehealth appointment module. The BA asks for 100 real patient records to understand the workflow.

Telehealth-Specific HIPAA Practice

Focus: virtual visits, patient portals, messaging, appointment scheduling, insurance workflows, and remote care.

Scenario 1: Virtual Visit Privacy

A provider conducts a telehealth visit from a public coffee shop. Other people may hear the patient discussion.

Not appropriate; telehealth visits should be conducted in a private setting. Acceptable if headphones are used.

Scenario 2: Patient Portal Message

A patient sends symptoms through a patient portal. A support user copies the message into an unsecured spreadsheet to track open cases.

Scenario 3: Insurance Verification

An insurance coordinator needs to verify coverage for a telehealth visit.

Question: Which data is appropriate? Select all that apply.

Patient name Date of birth or required identifier Insurance member ID Complete therapy notes Full lab history

Incident Reporting Workshop

Focus: identifying incidents, reporting quickly, documenting facts, and cooperating with investigation.

Scenario 1: Wrong Recipient Email

A staff member accidentally emails a patient document to the wrong external recipient.

Scenario 2: Lost Laptop

A laptop containing unencrypted patient data is stolen from an employee’s car.

Potential breach; report immediately. Not reportable if the laptop had a password.

Final Capstone Simulation

Act as a HIPAA compliance reviewer. Identify all risks, rule concerns, severity, and corrective actions.

Simulation: One Day in a Telehealth Clinic

A patient registers for a telehealth visit. The front desk verifies insurance while the patient is on speakerphone in a shared office. A billing employee opens the patient’s full clinical notes to confirm claim details. A developer downloads a production patient file to troubleshoot a portal issue. A provider conducts the video visit from a public area. Later, a support employee emails the visit summary using personal email because the secure system is slow. At the end of the day, printed patient reports are left on the front desk.

Task: Identify every HIPAA issue and complete the table.

Issue Found	HIPAA Concern	Risk Severity	Corrective Action

Practice Feedback: Compare your response with the model answer below.

HIPAA concept involved: Privacy Rule, Security Rule, Minimum Necessary Standard, Role-Based Access Control, telehealth privacy, transmission security, and physical safeguards.

Issue	Concern	Severity	Corrective Action
Speakerphone in shared office	Verbal PHI disclosure risk	Medium	Use private space or headset; verify identity discreetly
Billing opens full clinical notes	Minimum necessary concern	Medium	Limit billing access to claim/payment data needed
Developer downloads production file	Unauthorized/unsafe use of ePHI	High	Use masked/test data; require approval and audit controls
Provider conducts visit in public area	Telehealth privacy failure	High	Conduct visit in private location using approved platform
Personal email used for visit summary	Transmission security failure	High	Use approved secure email/portal only
Printed reports left on desk	Physical safeguard failure	Medium	Secure, shred, or store printed PHI properly

Self-Review Rubric

Use this rubric after submitting the final simulation to review your response.

Skill Area	Points
Identifies PHI/ePHI correctly	20
Applies Minimum Necessary Standard	20
Recognizes Privacy Rule issues	15
Recognizes Security Rule issues	15
Understands incident reporting steps	15
Provides practical corrective actions	15