http://connect.educause.edu/display/2279 http://connect.educause.edu/display/2279 http://connect.educause.edu/educause/images/e_rss.png Comments for "EDUCAUSE Security Professionals Conference 2006.Summary: Implementing HIPAA Security Rule Training Program for Sys Admins at ECU" en http://connect.educause.edu/display/2279 <span><span><div>Implementing a HIPAA Security Rule Training Program for System Administrators at East Carolina University.&nbsp;&nbsp;&nbsp; Carol Davis, DRP Coordinator, East Carolina University</div><div>&nbsp;</div><div>This session walked us through the planning and implementation process that created a training program for systems administrators at ECU for the HIPAA Security Rule.&nbsp; The program was added to a privacy program that already existed but was in need of revision.&nbsp; A key resource was the SANS Press HIPAA Security Implementation book. </div><div>&nbsp;</div><div>Key questions for the planning process were</div><ul type="disc"><li>What is the training? </li><li>Who needs the training? </li><li>What are the overall project alternatives? </li><li>How will it be delivered? </li><li>What will the cost be? </li><li>What is the &ldquo;completion&rdquo; point? </li><li>How will effectiveness be measured? </li><li>How often must the training be taken? </li><li>Who will do the Public Relations on the project and what will be included? </li><li>Who will continue to update the training content and monitor? </li></ul><div>The project was developed over three months using their HIPAA Committee as the key advisory group. &nbsp;This committee developed the policies for the project.&nbsp; &nbsp;Time was spent on fully understanding the rule sets: the privacy rule, the transaction and code set rule, and the security rule.&nbsp; Technical safeguards and related policies were to be included in the training. &nbsp;Initial options considered included purchasing a full set of modules or customizing the training using Blackboard which was already an established resource.&nbsp; </div><div>&nbsp;</div><div>Awareness training was to be included for all members of their health care workforce including management.&nbsp; Visitors and students complete an abbreviated version of the training and students take a web-based quiz and take the results to their faculty.</div><div>&nbsp;</div><div>The course objectives were:</div><ul type="disc"><li>Familiarity with HIPAA and the security rule </li><li>Understanding rule sets </li><li>Understanding why both Privacy and Security rules are needed </li><li>Understanding how the rule applies to the trainee. </li><li>Understanding safeguards </li><li>Review of security policies </li><li>Understanding technical security awareness </li><li>Understanding individual responsibility for protecting health information </li></ul><div>&nbsp;</div><div>The content was created in five sections:</div><ul type="disc"><li>Overview and structure </li><li>Security rule principles </li><li>ITCS safeguards </li><li>Security awareness </li><li>Security incident notifications </li></ul><div>&nbsp;</div><div>A Blackboard course was populated &amp; information on the program was distributed </div><div>Training guidelines were provided electronically and course deadlines were included</div><div>Management helped to ensure course completion.</div><div>&nbsp;</div><div>Current knowledge was sampled by having administrators complete the quiz before the online training and again afterwards.&nbsp; The specific training assessment is a quiz of 10 questions based on HIPAA privacy but concentrating on security specifics.&nbsp; Instant feedback is provided for both correct and incorrect answers.&nbsp; The training and quiz can be retaken to improve learning.&nbsp; Certificates are awarded for 80% or better scores.&nbsp; The certificates are popular and being hung on office walls and added to resumes.</div><div>&nbsp;</div><div>Each person taking the training is asked to complete an evaluation survey that includes the question of the application of the training to their position and a blank field for additional comments.&nbsp; </div><div>&nbsp;</div><div>The latest phase is to more fully utilize Blackboard with one training package that includes two modules and to incorporate student training into the system as well as reviewing role-based training opportunities.&nbsp; HR is assisting in identifying new departments or individual positions that require compliancy or other special training.&nbsp; And, of course, the training content is continually reviewed and revised when appropriate.</div><div>&nbsp;</div><div>HIPAA Security Rule Training &ndash; <a href="http://www.educause.edu/upload/presentations/SEC06/SESS25/HIPAA%20Security%20Rule%20EDUCAUSE.ppt">presentation slides</a></div><div>&nbsp;</div><div>HIPAA System Admin Training Guidelines &ndash; <a href="http://www.educause.edu/upload/presentations/SEC06/SESS25/Blackboard%20Guidelines%20-%20HIPAA%20System%20Admin%20Training.doc">4 page document</a> &ndash; instructions for training program.</div></span></span><br /> http://connect.educause.edu/display/2279#comments HIPAA SEC06 Security Awareness Training Tue, 25 Apr 2006 14:31:00 -0500 llarsen 2279 at http://connect.educause.edu