
EDUCAUSE Security Professionals Conference 2006. Summary: Implementing a HIPAA Security Rule Training Program for Sys Admins at ECU

Implementing a HIPAA Security Rule Training Program for System Administrators at East Carolina University
Carol Davis, DRP Coordinator, East Carolina University
This session walked us through the planning and implementation process that produced a HIPAA Security Rule training program for system administrators at ECU. The program was added to an existing privacy training program that was in need of revision. A key resource was the SANS Press book HIPAA Security Implementation.
Key questions for the planning process were:
  • What is the training?
  • Who needs the training?
  • What are the overall project alternatives?
  • How will it be delivered?
  • What will the cost be?
  • What is the “completion” point?
  • How will effectiveness be measured?
  • How often must the training be taken?
  • Who will do the Public Relations on the project and what will be included?
  • Who will continue to update the training content and monitor?
The project was developed over three months, using ECU's HIPAA Committee as the key advisory group; this committee developed the policies for the project. Time was spent on fully understanding the three rule sets: the Privacy Rule, the Transactions and Code Sets Rule, and the Security Rule. Technical safeguards and the related policies were to be included in the training. The initial options considered were purchasing a full set of training modules or building custom training in Blackboard, which was already an established resource on campus.
Awareness training was to be included for all members of ECU's health care workforce, including management. Visitors and students complete an abbreviated version of the training; students also take a web-based quiz and bring the results to their faculty.
The course objectives were:
  • Familiarity with HIPAA and the security rule
  • Understanding rule sets
  • Understanding why both Privacy and Security rules are needed
  • Understanding how the rule applies to the trainee
  • Understanding safeguards
  • Review of security policies
  • Understanding technical security awareness
  • Understanding individual responsibility for protecting health information
The content was created in five sections:
  • Overview and structure
  • Security rule principles
  • ITCS safeguards
  • Security awareness
  • Security incident notifications
Rollout: a Blackboard course was populated and information on the program was distributed, training guidelines with course deadlines were provided electronically, and management helped to ensure course completion.
Current knowledge was sampled by having administrators complete the quiz before the online training and again afterwards, so the before/after scores give a measure of the training's effect. The assessment itself is a 10-question quiz based on HIPAA privacy but concentrating on security specifics. Instant feedback is provided for both correct and incorrect answers, and the training and quiz can be retaken to improve learning. Certificates are awarded for scores of 80% or better. The certificates have proved popular: they are being hung on office walls and added to resumes.
Each person taking the training is asked to complete an evaluation survey that includes a question on how the training applies to their position and a blank field for additional comments.
The latest phase is to use Blackboard more fully, with a single training package containing two modules, to bring student training into the same system, and to review role-based training opportunities. HR is assisting in identifying new departments or individual positions that require compliance or other special training. And, of course, the training content is continually reviewed and revised when appropriate.
HIPAA Security Rule Training – presentation slides
HIPAA System Admin Training Guidelines – 4-page document with instructions for the training program
