The Brody School of Medicine at East Carolina University (ECU), like other institutions covered by the Health Insurance Portability and Accountability Act (HIPAA), has to make sure that anyone handling electronic patient records is properly trained to ensure compliance with the HIPAA Security Rule. The rule does not specify any technology or programs that institutions must use to achieve the training objectives.
In ECU’s case, Information Technology & Computing Services (ITCS), led by the IT Security Office, was charged by the campus HIPAA Steering Committee with evaluating and implementing training for the HIPAA Security Rule. Participating in the decision-making were representatives of clinical and IT departments as well as privacy and security personnel.
The goal was to ensure that all employees (including doctors and upper management) would know their roles and responsibilities with regard to HIPAA compliance, such as what security threats and vulnerabilities to watch out for when handling data and how to report and respond to security incidents. Similarly, students would be included because they would have to be educated on basic security awareness while participating in clinics.
The ITCS team had numerous training options to choose from, including holding instructor-led sessions, purchasing developed online training, developing an in-house Web link providing presentation materials, developing training on CD-ROMs, and creating custom online training using the Blackboard Academic Suite™, course-management software the facility had already licensed. Here’s a look at how the team made its decision and how it’s working.
ECU’s Brody School was established in 1975 by the North Carolina General Assembly to undertake a three-fold mission: train physicians in primary care, provide access to medical education for minority and disadvantaged students, and enhance the health status of the residents of eastern North Carolina. As a healthcare provider with more than 300 practitioners, the Brody School of Medicine is considered a healthcare-covered entity or provider and must follow HIPAA.
ECU has long taken advantage of electronic medical records, and the affiliated University Health Systems of Eastern Carolina has been named one of the nation’s “most wired” hospitals and health systems by Hospitals and Health Networks magazine. While that technology affords the opportunity to provide better healthcare by making large amounts of data electronically accessible to practitioners, it also opens the door to potential threats and vulnerabilities.