Why this training — and what HIPAA is
Some HireSwiftlee clients are healthcare organizations. If you are placed on one of those engagements, you may see or handle patients’ health information. This training prepares you to do that safely and lawfully. You must complete it before your first shift on any role that involves protected health information (PHI), and renew it every 12 months.
HIPAA — the Health Insurance Portability and Accountability Act — is a U.S. law that protects the privacy and security of people’s health information. Healthcare providers and health plans are "covered entities." When they share health information with a company that performs services for them, that company is a "business associate," and it signs a Business Associate Agreement (BAA) that legally binds it to protect the information.
When you work an engagement involving PHI, you are part of that chain of responsibility. The protections in this training are not optional best practices — they are legal obligations that flow down to you through the BAA.
What counts as Protected Health Information (PHI)
PHI is any information that identifies a person and relates to their health, healthcare, or payment for healthcare. It is PHI whether it is spoken, on paper, or electronic (ePHI). It does not have to be a medical chart — a name next to an appointment time is PHI.
Identifiers that can make information PHI include, among others:
- Name, address, and any dates tied to the person (birth, admission, appointment)
- Phone number, email address, and Social Security number
- Medical record number, health plan or account number
- Diagnoses, treatments, prescriptions, test results, and provider notes
- Photographs, voice recordings, and any other unique identifying detail
Removing only the name does not make information safe to share. Many of the identifiers above — dates, record or account numbers, an address, a phone number — can still point to a specific person. Deleting the name alone does not "de-identify" a record, so keep treating it as PHI.
If you are unsure whether something is PHI, treat it as PHI. It is always safer to over-protect than to guess wrong.
The Privacy Rule and "minimum necessary"
The HIPAA Privacy Rule controls when and how PHI may be used and disclosed. As a contractor, you may only use PHI for the specific job task the client has assigned you — never for curiosity, convenience, or any personal reason.
A core principle is "minimum necessary": you should access, use, and share only the smallest amount of PHI needed to do the task in front of you. If a task needs a patient’s appointment time, you do not need their diagnosis. Do not browse records you have no work reason to open.
- Never look up a patient out of personal interest — even a friend, a relative, a coworker, a public figure, or yourself. Curiosity is never a work reason, and a record being already on your screen is not permission to read beyond your task.
- Never share PHI with anyone who does not have a work need to know it, including other contractors — and even with a coworker who does, share only what their task needs.
- Verify identity through the client’s process before discussing any PHI on a call. Knowing a patient’s name or date of birth is not, by itself, proof that a caller is authorized.
- Follow the client’s specific instructions and systems — when their rule is stricter than this training, follow theirs.
The Security Rule — protecting electronic PHI
The HIPAA Security Rule requires safeguards for electronic PHI. Because you work remotely, your device and your workspace are part of those safeguards. The following are requirements, not suggestions:
- Use a strong, unique password and enable multi-factor authentication on every account that touches PHI. Never share login credentials.
- Lock your screen whenever you step away, even for a moment.
- Only access PHI through the client-approved systems on an approved device. Do not copy PHI into personal email, personal messaging apps, personal cloud storage, or personal notes.
- Do not take screenshots or photos of PHI, and do not print it unless the client has explicitly told you to.
- If the client does have you print PHI, shred it as soon as the task is done. Never put PHI in ordinary trash or recycling, and do not keep copies — paper or digital — that you no longer need.
- Work over a secure, private internet connection — never public Wi-Fi — and keep your device’s operating system and antivirus up to date.
- Do not let family members or anyone else use the device you use for work.
Day-to-day practice for remote contractors
Most HIPAA risk for a remote contractor comes from ordinary moments, not dramatic ones. Build these habits:
- Work in a private space where no one can see your screen or overhear your calls. Avoid cafes, shared rooms, and public spaces for PHI work.
- Use a headset so call audio is not overheard, and keep your voice down when saying names or health details.
- Position your screen away from windows, doorways, and other people — including household members.
- Never discuss patients or client work on social media, in personal group chats, or with friends and family.
- At the end of a shift, close PHI systems and lock your device. Do not leave records open.
- When in doubt about whether something is allowed, stop and ask your HireSwiftlee contact before acting.
Breaches and incident reporting
A breach is an unauthorized access, use, or disclosure of PHI. Breaches are not always malicious — most are mistakes. Examples include emailing PHI to the wrong person, a lost or stolen laptop or phone, PHI seen by someone who should not have seen it, or a suspected phishing attack or account compromise.
Not every exposure is a breach. If you are taking reasonable safeguards and a detail is still briefly overheard or glimpsed, that kind of unavoidable, incidental exposure is acceptable — the expectation is that you keep your safeguards up, not that you flag every incidental moment. A breach is an exposure your safeguards should have prevented. When you are unsure which one it is, report it and let the client decide.
Your single most important duty if something goes wrong is to report it immediately — the same day you become aware of it — to your HireSwiftlee contact and the client, following the client’s incident process. Fast reporting limits the harm and is itself a legal requirement.
- Report even if you are not certain a breach happened — a suspected incident still must be reported.
- Report even if you believe the mistake was your own. Honest, prompt reporting is expected and protected.
- Never try to hide, delete, or quietly fix a suspected breach. Concealment makes the situation far worse.
- Do not retaliate against, or discourage, anyone who reports a concern.
Consequences, your duty, and renewal
HIPAA violations carry real consequences. Organizations face significant government fines, and individuals who knowingly misuse PHI can face personal penalties, including, in serious cases, criminal liability. For you as a contractor, mishandling PHI can also end an engagement and your eligibility for healthcare work on the platform.
Your obligation to protect PHI is ongoing — it applies on every shift, and it continues even after an engagement ends. After you stop working a role, you must never use or disclose PHI you encountered while working it.
This training must be renewed every 12 months, and you may be asked to retrain sooner if rules change. After the short knowledge check that follows, you will confirm your understanding with a written attestation. If you are ever unsure about the right thing to do, stop and ask first — that instinct is the most important thing this training can give you.
Agreement before the test
I confirm that I have read and understood this HIPAA Awareness Training. I understand that I may handle Protected Health Information (PHI) and that I must use and disclose it only as needed for my assigned work, protect it on every device and in every workspace, and report any suspected breach immediately. I understand this obligation continues after an engagement ends, that this training must be renewed every 12 months, and that mishandling PHI may result in removal from healthcare engagements.