Flash-forward to April 2003. An employee sends an e-mail and unwittingly commits a confidentiality breach that could be punishable by law under HIPAA. If employees cannot recognize protected health information, or if they lack the know-how to safeguard it
by David Vance
March 4, 2003
The patient privacy rule is one of the most daunting regulations under the Health Insurance Portability and Accountability Act (HIPAA). It governs the use and disclosure of protected health information (PHI) and generally applies to health plans, clearinghouses and health-care providers that use, store, maintain or transmit PHI in any form.
Education is essential to upholding these requirements. “Every new Health Services employee signs an agreement promising to keep customer data confidential. This obligation is reinforced during new employee orientation and periodically thereafter,” said Greg Warner, chief privacy officer for Siemens Health Services.
To ensure that employees can recognize and protect PHI, Siemens provides privacy compliance training. Working with the education services department, Warner and other stakeholders defined several objectives for Siemens’ privacy compliance course. First, employees must be able to recognize PHI. Second, they must know the appropriate policies and procedures to follow to keep it confidential. Third, they must be aware of the consequences of privacy violations and be able to report any witnessed violations. Finally, employees must be able to demonstrate their knowledge in a way that could be documented. “It’s important that this training be documented, to serve as proof that we have followed our own policies,” Warner explained.
The following parameters were also defined:
- Employees must pass an exam to receive credit for the education. Warner explained, “The exam establishes an employee’s baseline awareness of his or her responsibilities, which cannot later be repudiated if disciplinary measures are warranted due to mishandling of PHI.”
- The course must be no longer than 30 minutes.
- The education must be delivered via Siemens’ education Web site, SiemensMedicalAcademy.com.
Web-based delivery was chosen for several reasons:
- Online reporting capabilities enable stakeholders to easily monitor completion.
- Course updates are immediately available.
- Everyone receives the same message, and the education can be re-used for new employees.
- Many individuals can be educated in a short amount of time and can complete the education at their own convenience.
The course material was designed to be relevant to the Siemens workplace. In a particularly effective exercise, employees examine the contents of documents strewn around a virtual employee workstation and decide which is PHI. Upon completion of the exercise, the employee’s decisions are displayed with the correct answers for comparison. The results tend to surprise employees and help them appreciate the prevalence of PHI in certain areas of the Siemens workplace.
To date, more than 3,000 Siemens employees, consultants and contract employees have completed the privacy compliance course. The rollout has been staggered “to avoid potential network/bandwidth problems that might have occurred had all employees taken the course at once,” said Warner. “It also gave us an opportunity to receive feedback on content and usability. Fortunately, all feedback has been positive, and we have had no reported problems with the course.”
Elizabeth L. Brock is a senior instructional designer and e-learning developer for Siemens Medical Solutions Health Services Corp. in Malvern, Pa. She has played a key role in the development of the company’s HIPAA training and education offerings.