Caring for Patients' Records

By Carol Davis

Course Development

The school had already developed HIPAA privacy training for clinical work force members and the clinical students. It now had to update it to include basic information about the HIPAA Security Rule.

Rather than merely translating the new rule, the training was broken down into five Microsoft PowerPoint modules that would be easier for participants to absorb. The school avoided the official jargon that the rules are typically written in. Instead, the training was customized to demonstrate how HIPAA security is applicable to the Brody School of Medicine and what is required of ITCS to ensure compliance with the rule.

For example, one training module is entitled “ITCS Safeguards” and is specific to what ECU’s ITCS team has done to make data secure. Rather than a vague IT overview, this is unique to the school and thus resonates more with participants.

Additionally, the unit covering security incidents provides a practical description of how to report any incidents that might occur in a timely manner.

The other modules are: overview and structure of HIPAA (general understanding of HIPAA); HIPAA security rule principles (ongoing needs used to protect electronic healthcare information under the administrative safeguards, physical safeguards, and the technical safeguards); and security awareness (industry best practices). Each of these PowerPoint modules is saved as a Web file to be zipped and loaded in Blackboard.

When people sign in, they are free to complete the training at their own pace since it’s online. 

Assessing comprehension. A multiple-choice quiz was developed to assess and reinforce learning. The test was intended to ensure that the course content was understood and that the training had been effective. It is completed following the training, and a score of 70 percent is required to pass. If an individual fails, he or she is contacted and asked to complete the training and quiz again.

Providing access. The employee names were automatically registered and populated in the course for the required participants to have access. A registration process was also developed through the portal so that other individuals could request  access.

Testing the system. A pilot group of about 50 system administrators reviewed the course content. They completed a diagnostic paper test prior to participating in any training. The tests were graded, and the pilot group then completed the online training and quiz, and the results were compared to the initial tests to assess the efficacy of the training.

The pilot group’s test scores increased after completing the online training. The group also provided an integral critique of the training. For example, some felt that certain parts of the modules were too wordy, and changes were made to them where possible.

Additionally, several members of the pilot group asked how the information applied to them specifically, and a new slide was composed to address this question. Quiz questions were also reworded for clarity, based on a pilot test suggestion.

After the pilot run was completed, the training went live. It is now an annual requirement that the training be completed by April 21st of each year.

All participants are encouraged to complete the course evaluation survey in order to provide feedback for continual improvement of the training.


The training program has now been in existence for three years. An IT internal auditor conducts an annual check, including a look at the training program, in accordance with a set of IT best practices called Control Objectives for Information and related Technology. One of the auditor’s findings included a recommendation to direct personnel not to e-mail patient-identifiable information unless the information is encrypted. This suggestion was then incorporated into the training. Additionally, content and tests continue to be modified as new information is available.

Without training, there is a greater likelihood of misunderstandings or divergent interpretations of HIPAA security requirements. There is also the likelihood of potential fines, increases in security incidents, lawsuits, and criminal charges, all of which can result in a loss of client confidence and business. Having a training program to ensure compliance with HIPAA is good for security and good for business. 

Carol Davis is a business and technology support specialist in Information Technology and Computing Services at East Carolina University.




The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.