M03-01 · AI + Healthcare Operations

Healthcare Compliance — HIPAA, Security, and Regulatory Readiness


Teaches students the regulatory and compliance foundations required to work in any healthcare IT role. Covers HIPAA Privacy and Security Rules in operational detail — PHI identification, the 18 identifiers, minimum necessary standard, breach response protocols, and personal liability. Includes the 2026 HIPAA Security Rule changes: mandatory MFA, encryption at rest and in transit, network segmentation, and the 180–240 day compliance window. Extends to BAAs, Joint Commission and CMS readiness, NIST 800-66 risk assessments, and SOC 2 evidence collection for health-tech companies.

35 Hours
9 Learning objectives
Bloom's ceiling: Create
5 Competencies

Learning Objectives

Objectives, each with the Bloom's depth it targets:

  • Identify all 18 HIPAA identifiers and apply the minimum necessary standard when evaluating data access requests (Depth: Apply)
  • Evaluate whether a given data request qualifies under treatment, payment, or operations (TPO) and determine the appropriate authorization pathway (Depth: Evaluate)
  • Apply the Safe Harbor de-identification method to transform a dataset containing PHI into a de-identified dataset suitable for analysis (Depth: Apply)
  • Design a breach response procedure that meets the 60-day notification window, including scope assessment, Privacy Officer escalation, and affected-party communication (Depth: Create)
  • Analyze an access audit log to identify unauthorized PHI access patterns and produce a compliance-ready findings report (Depth: Analyze)
  • Evaluate a vendor's HIPAA readiness by reviewing their BAA terms, data handling practices, encryption posture, and subprocessor disclosures (Depth: Evaluate)
  • Conduct a NIST 800-66-based security risk assessment for a healthcare application, documenting threats, safeguards, and gaps (Depth: Apply)
  • Understand the regulatory landscape across HIPAA, Joint Commission, CMS Conditions of Participation, and state health department requirements (Depth: Understand)
  • Apply the 2026 HIPAA Security Rule requirements (mandatory multi-factor authentication, encryption at rest and in transit, network segmentation, and asset inventory) to evaluate an organization's compliance readiness within the 180–240 day implementation window (Depth: Apply)

Levels: Remember · Understand · Apply · Analyze · Evaluate · Create — highest demands most original thinking.
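The Safe Harbor de-identification objective above is concrete enough to show in code. The following is an added example written for this page, not course material or code from any cited source. It applies the Safe Harbor rules of 45 CFR 164.514(b)(2) to a small constructed dataset: direct identifiers are dropped, ZIP codes are truncated to three digits (or 000 for the low-population prefixes HHS lists, reproduced here from the 2000 Census figures in HHS guidance and to be re-checked before production use), dates directly related to the individual are reduced to the year, ages over 89 collapse to a single "90+" bucket with the birth year suppressed, and identifier-shaped substrings are scrubbed from free-text notes. Field names, the record layout and the patient records are all assumptions constructed for the example.

```python
import re
from datetime import date

# Three-digit ZIP prefixes covering 20,000 or fewer people per the HHS Safe
# Harbor guidance (2000 Census). Assumed list; verify against current guidance.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers dropped outright. Field names are assumptions for the
# constructed dataset below, not a standard schema.
DROP_FIELDS = {
    "name", "street", "ssn", "mrn", "phone", "fax", "email", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Identifier-shaped substrings to scrub from narrative text (order matters:
# the SSN pattern runs before the looser phone pattern).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

def zip_to_safe_harbor(zip_code):
    """Keep the first three ZIP digits, or 000 for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def year_only(value):
    """Reduce an ISO date string or date object to its year."""
    if value is None:
        return None
    if isinstance(value, date):
        return value.year
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return int(m.group(1)) if m else None

def scrub_free_text(text):
    """Replace identifier-shaped substrings in narrative text with tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def de_identify(record, as_of_year):
    """Apply Safe Harbor to one record and return a de-identified copy."""
    out = {}
    birth_year = year_only(record.get("dob"))
    age = record.get("age")
    if age is None and birth_year is not None:
        age = as_of_year - birth_year  # year-granularity age is enough here
    for field, value in record.items():
        if field in DROP_FIELDS or field in ("dob", "age"):
            continue
        if field == "zip":
            out["zip3"] = zip_to_safe_harbor(value)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = year_only(value)
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    # Ages over 89 collapse to "90+", and the birth year (a date element that
    # would reveal such an age) is suppressed with them.
    if age is not None and age >= 90:
        out["age"] = "90+"
    else:
        out["age"] = age
        if birth_year is not None:
            out["birth_year"] = birth_year
    return out

def de_identify_dataset(records, as_of_year):
    """De-identify every record; a sequential record_id is a permitted
    re-identification code because it is not derived from the individual."""
    return [dict(de_identify(r, as_of_year), record_id=i)
            for i, r in enumerate(records, 1)]

SAMPLE_RECORDS = [  # constructed test data, not real patients
    {"name": "Jane Doe", "mrn": "MRN-00123", "ssn": "123-45-6789",
     "dob": "1931-05-04", "zip": "03601", "state": "NH",
     "admit_date": "2024-03-15", "diagnosis": "I10",
     "note": "Pt called from 603-555-0100, spouse email jdoe@example.com, seen 2024-03-15."},
    {"name": "Sam Roe", "mrn": "MRN-00456", "dob": "1985-11-02", "zip": "02139",
     "state": "MA", "admit_date": "2024-01-09", "discharge_date": "2024-01-12",
     "diagnosis": "E11.9", "note": "Follow-up scheduled; no concerns."},
]

if __name__ == "__main__":
    for row in de_identify_dataset(SAMPLE_RECORDS, as_of_year=2024):
        print(row)
```

The free-text scrub is the weak point of any Safe Harbor pipeline: regexes catch identifier-shaped strings, not names or addresses written in prose, so narrative fields either need a dedicated PHI NER pass or should be excluded from the de-identified release. Safe Harbor also requires that the covered entity has no actual knowledge the remaining data could identify an individual, which no code check can establish on its own.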

What You'll Master

HIPAA Operational Compliance

PHI handling, minimum necessary standard, TPO determination, workforce training requirements, personal liability awareness.

Breach Response & Incident Management

Detection, scope assessment, escalation protocols, notification timelines, remediation documentation.

Access Auditing & Monitoring

Break the Glass configuration, audit log analysis, anomaly detection, VIP patient protections, proactive monitoring.

BAA & Vendor Compliance

Contract review, subprocessor evaluation, cloud provider HIPAA configuration (AWS/GCP BAAs), E&O insurance requirements.

Regulatory Readiness

Joint Commission survey preparation, CMS Conditions of Participation, Meaningful Use/Promoting Interoperability reporting, SOC 2 Type II evidence collection.

What You'll Build

Healthcare Compliance Audit Package — Student conducts a simulated compliance audit for a health-tech organization: a NIST 800-66 risk assessment identifying 10+ threats with safeguard recommendations, a BAA review checklist applied to a sample vendor agreement with flagged gaps, a breach response playbook with decision tree and notification templates, and an access audit analysis of a simulated Epic audit log identifying unauthorized access patterns.
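The access audit analysis described above (and under Access Auditing & Monitoring) comes down to running a handful of rules over chart-access records. The following is an added example written for this page; it is not course material and not an Epic export format. It parses a constructed CSV log with assumed column names, joins it against an assumed care-team table, and flags five patterns a compliance reviewer typically looks for: access with no treatment relationship, access to a restricted (VIP) patient from outside the care team, a user whose last name matches the patient's (possible self or family lookup), repeated Break the Glass overrides on one chart, and bulk access to many distinct patients in a short window. Thresholds are assumptions to be tuned per organization.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed chart-access audit export. Column names and all values are
# assumptions for this example, not a real Epic audit report layout.
SAMPLE_LOG = """\
timestamp,user_id,user_dept,user_last_name,patient_mrn,patient_last_name,action,break_glass
2024-03-15T08:02:11,u101,Cardiology,Nguyen,M1001,Smith,VIEW_CHART,N
2024-03-15T08:05:40,u101,Cardiology,Nguyen,M1002,Jones,VIEW_CHART,N
2024-03-15T08:40:00,u101,Cardiology,Nguyen,M1007,Lopez,VIEW_CHART,N
2024-03-15T09:12:03,u205,Billing,Rivera,M1003,Rivera,VIEW_CHART,N
2024-03-15T09:30:00,u310,ED,Patel,M1009,Garcia,VIEW_CHART,Y
2024-03-15T11:00:00,u310,ED,Patel,M1009,Garcia,VIEW_CHART,Y
2024-03-15T12:00:00,u310,ED,Patel,M1009,Garcia,VIEW_CHART,Y
2024-03-15T22:10:00,u422,Radiology,Kim,M1011,Brown,VIEW_CHART,N
2024-03-15T22:10:30,u422,Radiology,Kim,M1012,Davis,VIEW_CHART,N
2024-03-15T22:11:05,u422,Radiology,Kim,M1013,Miller,VIEW_CHART,N
2024-03-15T22:11:40,u422,Radiology,Kim,M1014,Wilson,VIEW_CHART,N
2024-03-15T22:12:15,u422,Radiology,Kim,M1015,Moore,VIEW_CHART,N
"""

# Constructed care-team table: users with a treatment relationship to each
# patient. In practice this is derived from encounter and assignment data.
CARE_TEAMS = {
    "M1001": {"u101"}, "M1002": {"u101"}, "M1003": {"u150"},
    "M1007": {"u422"}, "M1009": {"u099"},
    "M1011": {"u422"}, "M1012": {"u422"}, "M1013": {"u422"},
    "M1014": {"u422"}, "M1015": {"u422"},
}
VIP_PATIENTS = {"M1007"}  # patients carrying a restricted-access flag

def parse_log(text):
    """Parse the CSV export into dicts sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
        r["break_glass"] = r["break_glass"] == "Y"
    return sorted(rows, key=lambda r: r["ts"])

def analyze(rows, care_teams, vip, bulk_n=5,
            bulk_window=timedelta(minutes=10), bg_repeat=3):
    """Return a list of findings, one dict per rule hit."""
    findings = []

    def flag(rule, r, detail):
        findings.append({"rule": rule, "user": r["user_id"],
                         "mrn": r["patient_mrn"], "ts": r["timestamp"],
                         "detail": detail})

    bg_events = defaultdict(list)  # (user, mrn) -> break-glass timestamps
    per_user = defaultdict(list)   # user -> [(ts, mrn)] for bulk detection
    for r in rows:
        on_team = r["user_id"] in care_teams.get(r["patient_mrn"], set())
        if not on_team and not r["break_glass"]:
            flag("NO_TREATMENT_RELATIONSHIP", r,
                 f"{r['user_dept']} user is not on the patient's care team")
        if r["patient_mrn"] in vip and not on_team:
            flag("VIP_ACCESS", r, "restricted patient accessed outside care team")
        if r["user_last_name"].lower() == r["patient_last_name"].lower():
            flag("SELF_OR_FAMILY_LOOKUP", r, "user and patient share a last name")
        if r["break_glass"]:
            bg_events[(r["user_id"], r["patient_mrn"])].append(r["ts"])
        per_user[r["user_id"]].append((r["ts"], r["patient_mrn"]))

    # Break the Glass is meant to be exceptional; repeated overrides on the
    # same chart by the same user suggest the override is being used routinely.
    for (user, mrn), stamps in bg_events.items():
        if len(stamps) >= bg_repeat:
            findings.append({"rule": "REPEATED_BREAK_GLASS", "user": user,
                             "mrn": mrn, "ts": stamps[0].isoformat(),
                             "detail": f"{len(stamps)} emergency overrides on one chart"})

    # Sliding window over each user's time-ordered accesses.
    for user, accesses in per_user.items():
        for i, (t0, _) in enumerate(accesses):
            distinct = {m for t, m in accesses[i:] if t - t0 <= bulk_window}
            if len(distinct) >= bulk_n:
                findings.append({"rule": "BULK_ACCESS", "user": user, "mrn": None,
                                 "ts": t0.isoformat(),
                                 "detail": f"{len(distinct)} distinct patients within {bulk_window}"})
                break
    return findings

def summarize(findings):
    """Count findings per rule for the findings report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = analyze(parse_log(SAMPLE_LOG), CARE_TEAMS, VIP_PATIENTS)
    for h in hits:
        print(h)
    print(summarize(hits))
```

Two caveats matter in practice. A Break the Glass override suppresses the no-relationship rule here because the override itself is the documented justification, but every override still needs a human review of the stated reason, which is why the repeated-override rule exists. And the bulk rule will also catch legitimate rounding or reading lists, so it should open a review, not be reported as a violation on its own.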

Industry Tools, Not Toy Projects

Claude

AI assistant for de-identified compliance research, policy analysis, and regulatory interpretation.

Microsoft Excel / Google Sheets

Audit log analysis, risk assessment documentation, and compliance tracking spreadsheets.

Epic Audit Reporting

Simulated Epic audit log environment for access monitoring and compliance verification.

NIST 800-66 Framework

NIST SP 800-66 Rev. 2, "Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide", used as the basis for the course's security risk assessments of healthcare organizations.

Vanta / Drata

SOC 2 evidence collection and compliance automation platforms for health-tech companies.

Prerequisites

Ready to start learning?

Take the free AI-guided assessment. We'll build your personalized path through the Foundations and your chosen major.

Free · 15 minutes · No credit card