Caring for Patients' Records
The Brody School of Medicine at East Carolina University (ECU), like other institutions covered by the Health Information Portability and Accountability Act (HIPAA), has to make sure that anyone handling electronic patient records is properly trained to ensure compliance with the HIPAA Security Rule. The rule does not specify any technology or programs that institutions must use to achieve the training objectives.
In ECU’s case, Information Technology & Computing Services (ITCS), led by the IT Security Office, was charged by the campus HIPAA Steering Committee with evaluating and implementing training for the HIPAA Security Rule. Participating in the decision-making were representatives of clinical and IT departments as well as privacy and security personnel.
The goal was to ensure that all employees (including doctors and upper management) would know their roles and responsibilities with regard to HIPAA compliance, such as what security threats and vulnerabilities to watch out for when handling data and how to report and respond to security incidents. Similarly, students would be included because they would have to be educated on basic security awareness while participating in clinics.
The ITCS team had numerous training options to choose from, including instructor-led sessions, purchasing developed online training, developing an in-house Web link providing presentation materials, developing training on CD-ROMs, and creating custom online training using course-management software the facility had already licensed, which was called the Blackboard Academic Suite™. Here’s a look at how the team made its decision and how it’s working.
ECU’s Brody School was established in 1975 by the North Carolina General Assembly to undertake a three-fold mission: train physicians in primary care, provide access to medical education for minority and disadvantaged students, and enhance the health status of the residents of eastern North Carolina. As a healthcare provider with more than 300 practitioners, the Brody School of Medicine is considered a healthcare-covered entity or provider and must follow HIPAA.
ECU has long taken advantage of electronic medical records, and the affiliated University Health Systems of Eastern Carolina has been named one of the nation’s “most wired” hospitals and health systems by Hospitals and Health Networks magazine. While that technology affords the opportunity to provide better healthcare by making large amounts of data electronically accessible to practitioners, it also opens the door to potential threats and vulnerabilities.
Who to Train
Before deciding how to deliver the training, ITCS had to determine how many people the training program would need to serve.
An electronic report was created to capture and list the individuals in the departments who were identified as in need of training. It was determined that a total of 2,159 employees out of approximately 5,000 were required to complete an overview of the HIPAA Security Rule. Additionally, 147 departmental and system administrators were identified as responsible for maintaining or assisting with critical systems that house electronic health information.
Not everyone had identical training needs, so in addition to determining who would get the training, management had to decide which tier of training was required for each individual. For example, it was decided that the system administrators should be given more specialized training on how to protect the organization from possible security incidents.
How to Train
In deciding what training technology or methodology to select, the team considered a number of factors. First was cost. It was essential to meet the institution’s needs at the lowest reasonable cost.
Another factor was adaptability. The training had to be flexible to accommodate busy doctors, nurses, students, and system administrators. Additionally, the system would have to measure the effectiveness of the training and verify training efforts.
In light of these considerations, instructor-led sessions were ruled out. The major alternatives that were looked at included purchasing HIPAA training software from a third-party or developing an internal solution on Blackboard Inc.’s course-management tool.
Although there were not many HIPAA security and privacy training courses available at the time, ECU evaluated training options. The vendor solutions that did exist included both Web-based and offline software, and both entailed buying a set number of client licenses or training software that could be loaded onto workstations. This option also required that the clients learn how to navigate the third-party software. ECU would need to purchase annual updates to the software, and it would have to pay maintenance fees to the vendor.
The third-party software sometimes consisted of up to five courses on various topics surrounding the HIPAA Security Rule. One problem with the courses was that it was difficult to interpret which ones were necessary for which personnel.
The option of third-party HIPAA-training software was generally rejected as something that would require too many resources to install and that would be too expensive to administer.
Additionally, the third-party training materials did not appear to provide for customization to address specific items or issues relating to ECU.
If the training could be customized, it could be made more concise as well as more specific. Unlike the off-the-shelf packages, it would minimize the time required of trainees. That was a big issue because the institution wanted to avoid taking time away from clinical healthcare practice (or from system administrative support time for those maintaining the healthcare systems that hold electronic protected health information).
The alternative was for ITCS to design and implement a customized training program using the Blackboard online course management solution that ECU already used for other purposes.
Blackboard Academic Suite™ is a group of software products used by more than 2,000 schools to enable Web-based learning and class management. It was determined that using Blackboard for HIPAA training would, like the third-party Web-enabled options, allow the users to complete the training anywhere and at any time with minimal resources. However, from the development and maintenance side, it offered a better option for ECU.
The Blackboard licenses were already purchased for all faculty, staff, and students, so no new licenses were required for the training. Many individuals were already familiar with Blackboard, so the training needed on the tool itself was minimal. Since the tool was already available, there were no additional implementation costs, and the annual maintenance was paid at the campus level. Further, annual updates were already coordinated, organized, and communicated by the Blackboard administrator at the campus level.
In addition, Blackboard offered the means to measure the effectiveness of the training by using tests and surveys, and it automatically kept a record of an individual’s training, which ECU could print out or keep electronically. Most important, the training could be customized to ECU-specific policy requirements.
All that remained was course development and the designation and granting of access to those individuals who required training.
The school had already developed HIPAA privacy training for clinical work force members and the clinical students. It now had to update it to include basic information about the HIPAA Security Rule.
Rather than merely reproducing the text of the new rule, the training was broken down into five Microsoft PowerPoint modules that would be easier for participants to absorb. The school avoided the official jargon in which the rules are typically written. Instead, the training was customized to demonstrate how HIPAA security applies to the Brody School of Medicine and what is required of ITCS to ensure compliance with the rule.
For example, one training module is entitled “ITCS Safeguards” and is specific to what ECU’s ITCS team has done to make data secure. Rather than a vague IT overview, this is unique to the school and thus resonates more with participants.
Additionally, the unit covering security incidents provides a practical description of how to report, in a timely manner, any incidents that might occur.
The other modules are: overview and structure of HIPAA (a general understanding of HIPAA); HIPAA Security Rule principles (the ongoing requirements for protecting electronic healthcare information under the administrative, physical, and technical safeguards); and security awareness (industry best practices). Each of these PowerPoint modules is saved as a Web file, zipped, and loaded into Blackboard.
When people sign in, they are free to complete the training at their own pace since it’s online.
Assessing comprehension. A multiple-choice quiz was developed to assess and reinforce learning. The test was intended to ensure that the course content was understood and that the training had been effective. It is completed following the training, and a score of 70 percent is required to pass. If an individual fails, he or she is contacted and asked to complete the training and quiz again.
Providing access. The required participants were automatically registered and enrolled in the course so that they would have access. A registration process was also developed through the portal so that other individuals could request access.
Testing the system. A pilot group of about 50 system administrators reviewed the course content. They completed a diagnostic paper test prior to participating in any training. The tests were graded, and the pilot group then completed the online training and quiz, and the results were compared to the initial tests to assess the efficacy of the training.
The pilot group’s test scores increased after completing the online training. The group also provided a valuable critique of the training. For example, some felt that certain parts of the modules were too wordy, and changes were made to them where possible.
Additionally, several members of the pilot group asked how the information applied to them specifically, and a new slide was composed to address this question. Quiz questions were also reworded for clarity, based on a pilot test suggestion.
After the pilot run was completed, the training went live. It is now an annual requirement that the training be completed by April 21st of each year.
All participants are encouraged to complete the course evaluation survey in order to provide feedback for continual improvement of the training.
The training program has now been in existence for three years. An IT internal auditor conducts an annual check, including a look at the training program, in accordance with a set of IT best practices called Control Objectives for Information and related Technology. One of the auditor’s findings included a recommendation to direct personnel not to e-mail patient-identifiable information unless the information is encrypted. This suggestion was then incorporated into the training. Additionally, content and tests continue to be modified as new information is available.
Without training, there is a greater likelihood of misunderstandings or divergent interpretations of HIPAA security requirements. There is also the likelihood of potential fines, increases in security incidents, lawsuits, and criminal charges, all of which can result in a loss of client confidence and business. Having a training program to ensure compliance with HIPAA is good for security and good for business.
Carol Davis is a business and technology support specialist in Information Technology and Computing Services at East Carolina University.