Sample Course: An illustrative program built inside CMP — a product walkthrough, not the marketing site.
Healthcare & Enterprise · Built in CMP
HIP101

HIPAA Privacy & Security Essentials

A complete compliance program — shown here with the competency evidence and approval trail it produces. CMP is learning infrastructure, not a training vendor: your experts review, refine, and approve, and you own everything that comes out.

45 CFR
Parts 160 · 162 · 164
Owned by you
Content, record & audit trail
How It Works

Your team builds it. Your experts own it.
CMP is the infrastructure.

CMP works the way your organization works — around your mission, your standards, and your governance process.

1. Configure to your mission

Your team gives CMP what matters — policies, regulatory standards, handbook, risk profile, role tracks. Every program reflects your organization, not a template.

2. Your experts own the output

CMP drafts outcomes, modules, assessments and rubrics. Your SMEs review everything, edit, and decide what stays. The content becomes yours entirely.

3. Your governance approves

Nothing reaches staff without passing your approval workflow. Every version tracked, every edit logged, then deployed to your LMS — audit trail built in.

Why the Distinction Matters Legally

Completion records prove your program ran.
Competency evidence proves it worked.

What Your Team Built Inside CMP

HIP101 — outcomes your experts approved.

Designed during the CMP build session — peer-benchmarked, grounded in 45 CFR Parts 160, 162 & 164, and approved by your Chief Compliance Officer before content generation began.

Course Learning Outcomes (6)

Enterprise compliance training · 5 modules · separate Clinical & Administrative scenario tracks.
5 Peer programs benchmarked
3 Outcomes strengthened after analysis

1. Identify PHI categories and apply the minimum-necessary standard to daily access and disclosure decisions.
2. Distinguish permitted from impermissible disclosures, including patient rights to access, amend, and restrict.
3. Apply Security Rule safeguards across all contexts — including personal mobile devices and social media. (Strengthened)
4. Recognize breach indicators, classify severity using the four-factor risk framework, and initiate reporting.
5. Demonstrate role-appropriate PHI handling — separate scenario tracks for clinical and administrative staff. (Strengthened)
6. Evaluate real HIPAA situations, including OCR enforcement cases with actual penalties, and determine action. (Strengthened)

Outcomes 3, 5, and 6 were strengthened after your team's peer-benchmarking session. Mobile and social-media ePHI risks, role-differentiated scenario tracks, and real OCR enforcement cases were each addressed by fewer than half of the five comparable programs reviewed. Your team added all three.
Inside a Module

Every module produces a compliance record —
not just a completion timestamp.

Module 1 of 5 — all five follow the same structure, all approved by your subject-matter experts.

Module 1 — HIPAA Foundations & PHI Identification
Learning Outcome 1 · Clinical & Administrative tracks
Scenario-based assignment

Staff apply the minimum-necessary standard to a real situation in their role and document every decision. The completed record is a compliance file you own.

Role-specific discussion

A workplace prompt tailored to their role, requiring a regulatory citation, with peer review built in.

Compliance documentation artifact

A completed PHI-identification checklist — evidence that demonstrates your program is functioning, not just existing.

Lecture narrative — Module 1, §2 (approved by your SME)
The minimum-necessary standard is not a technicality. It is the daily operating principle that governs every access decision a healthcare employee makes. Under 45 CFR §164.514(d), covered entities must make reasonable efforts to limit PHI access to only what is needed — not what is convenient, not what has historically been shared, and not what feels close enough.

Consider a billing coordinator who routinely pulls full patient charts to locate an insurance ID. The standard does not prohibit this access — it requires the organization to assess whether a more limited path…
Excerpt shown for illustration — narrative continues.
Lecture narrative · Scenario-based assignment · Role-specific discussion · Criterion-referenced rubric · Compliance documentation artifact · Current HHS / OCR references · Automatic change-log entry
Your Governance in Action

CMP drafts it. Your experts decide what's final.
Every edit is on the record.

Your Chief Compliance Officer — an RN with 20 years in healthcare compliance — refines a module before it reaches staff. The content is yours, the decision is hers, and the record belongs to your organization.

CMP's initial draft — Module 2 assignment
Review five disclosure scenarios. Classify each as permitted without authorization, permitted with authorization, or impermissible. Cite the applicable section of 45 CFR Part 164 Subpart E.
After your CCO revised it
Review five disclosure scenarios drawn from actual OCR enforcement cases at hhs.gov/ocr. Classify each, cite the applicable section, and identify the specific OCR penalty or resolution agreement that resulted.
“Real enforcement cases make staff take this seriously.” — CCO (RN, MSN)

Governance Record — HIP101

Approved → Live
Generated automatically · owned by your organization
Course generated — HIP101, 5 modules
Built from your team's approved spec, aligned to 45 CFR Parts 160, 162 and 164.
Jun 3, 2026 · 10:14 AM · Cheryl H.
Module 2 revised — your CCO (RN, MSN)
OCR enforcement-case references added. Version 1.1 auto-archived.
Jun 3, 2026 · 2:31 PM · Chief Compliance Officer
Submitted for approval — your team
“All modules reviewed. Learning-outcome alignment verified.”
Jun 3, 2026 · 4:05 PM · Cheryl H.
Approved → Live — your CHCO
“Scenarios are workplace-relevant, citations current. Approved for deployment.”
Jun 3, 2026 · 4:48 PM · Chief HR & Compliance Officer
Deploy to your LMS
Pending — one click from live partition. No export, no manual upload.

See what your team would build.

Bring a real training requirement. We'll work through it with you live — your standards, your mission, your governance process.

Illustrative example: HIP101, June 2026. Content Manager Pro™ — LumniTEK.