Caring for Patients' Records

By Carol Davis

Who to Train

Before deciding how to deliver the training, ITCS had to determine how many people the training program would need to serve.

An electronic report was created to capture and list the individuals in the departments who were identified as in need of training. It was determined that a total of 2,159 employees out of approximately 5,000 were required to complete an overview of the HIPAA Security Rule. Additionally, 147 departmental and system administrators were identified as responsible for maintaining or assisting with critical systems that house electronic health information.

Not everyone had identical training needs, so in addition to determining who would get the training, management had to decide which tiers of training were required for each individual. For example, it was decided that the system administrators should be given more specialized training on how to effectively provide solutions on protecting the organization from possible security incidents. 

How to Train

In deciding what training technology or methodology to select, the team considered a number of factors. First was cost. It was essential to meet the institution’s needs at the lowest reasonable cost.

Another factor was adaptability. The training had to be flexible to accommodate busy doctors, nurses, students, and system administrators. Additionally, the system would have to measure the effectiveness of the training and verify training efforts.

In light of these considerations, instructor-led sessions were ruled out. The major alternatives that were looked at included purchasing HIPAA training software from a third-party or developing an internal solution on Blackboard Inc.’s course-management tool.

Although there were not many HIPAA security and privacy training courses available at the time, ECU evaluated training options.  The vendor solutions that did exist included both Web-based and

offline software, and both entailed buying a set number of client licenses or training software that could be loaded onto workstations. This option also required that the clients learn how to navigate the third-party software. ECU would need to purchase annual updates to the software, and it would have to pay maintenance fees to the vendor.

 The third-party software sometimes consisted of up to five courses on various topics surrounding the HIPAA Security Rule. One problem with the courses was that it was difficult to interpret which ones were necessary for which personnel. 

The option of third-party HIPAA-training software was generally rejected as something that would require too many resources to install. Also, administration was too expensive.  

Additionally, the third-party training materials did not appear to provide for customization to address specific items or issues relating to ECU.

If the training could be customized, it could be made more concise in addition to being more specific. Unlike the off-the-shelf packages, it would minimize the time required by trainees. That was a big issue because the institution wanted to avoid taking time away from clinical healthcare practices (or system administrative support time for those maintaining the healthcare systems with electronically protected health information). 

The alternative was for ITCS to design and implement a customized training program using the Blackboard online course management solution that ECU already used for other purposes.

Blackboard Academic Suite ™ is a group of software products used by more than 2,000 schools to enable Web-based learning and class management. It was determined that using Blackboard for HIPAA training would, like the third-party Web-enabled options, allow the users to complete the training anywhere and at any time with minimal resources. However, from the development and maintenance side, it offered a better option for ECU.

The Blackboard licenses were already purchased for all faculty, staff, and students, so no new licenses were required for the training. Many individuals were already familiar with Blackboard, so the training was minimal. Since the tool was already available, there were no additional implementation costs and the annual maintenance was paid at the campus-level. Further, annual updates were already coordinated, organized, and communicated by the Blackboard administrator at the campus level.

In addition, Blackboard offered the means to measure the effectiveness of the training by using tests and surveys, and it automatically kept a record of an individual’s training, which ECU could print out or keep electronically. Most important, the training could be customized to ECU-specific policy requirements.

All that remained was course development and the designation and granting of access to those individuals who required training.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.