Arguably, personal health information (PHI) is among the most crucial data in a healthcare setting. As a result, a healthcare administrator needs to keep all health information safe and secure. In case of a personal health information breach, a patient has a right to sue the organization that has leaked the data. However, implementing an electronic health record (EHR) system can help in securing health information. This paper will focus on a HIPAA training model for employees. The ideal training approach will be discussed. Also, the financial impact of implementing an electronic health record system in a healthcare setting will be discussed. Besides, it will discuss ways of developing an appropriate training plan for all clinical and non-clinical staff members.
Planning, Organizing, Directing, and Controlling A HIPAA Training Model
HIPAA is legislation in the United States that provides for data security and privacy to safeguard medical information. So, a healthcare administrator needs to educate hospital employees on HIPAA rules and regulations. To ensure effective teaching of the rules and regulations in question, the administrator should use interactive teaching approaches to keep the learners engaged. In this training method, the learners can be divided into various discussion groups. As a result, they will be able to engage freely and complete the tasks assigned as a group. Also, the administrator should use flexible learning tactics that address the various learning styles of the staff members. Besides, social interactions involved with group learning should be encouraged.
Healthcare workers need to discuss patients' health information to provide better care. For instance, medical practitioners need to share the patient's medical records before making a clinical judgment. Additionally, the documents in question help the healthcare workers to monitor and track the effectiveness of the patient's treatment (Agris & Spandorfer, 2016). Likewise, the patient's demographic data is another PHI type shared between the hospital staff. The patient's insurance information is another type of data that hospital workers should share. It is essential for the hospital's financial records.
One way of safeguarding personal health information in a hospital is by sharing it in the right facility. For example, medical practitioners can share the data in question in a private room. Also, the information can be transferred using an electronic medium. The Health Information Management (HIM) director is one of the individuals who use or disclose patients' PHI. Their responsibilities include record completion and processing, the release of information, transcription, abstracting, clinical documentation improvement, and information coding. Since a medical officer manages all aspects related to patient care and supervises clinical trials, they can use or disclose PHI. Such information is essential to them for complex diagnosis verification and treatment plan facilitation. One of the responsibilities of a nursing director is to communicate with the patient's families and residents. So, they can use or disclose a patient's PHI to the family.
Penalties Associated with Breaching Patient Information
Various measures are in place to enforce HIPAA compliance. Consequently, breaching patient information can result in financial penalties. For instance, violating HIPAA unknowingly can have a penalty range of $100-$50,000 per violation, with a maximum of $25,000 annually for repeat violations. For a HIPAA violation with a reasonable cause, the penalty can range from $10,000 to $50,000 per violation, with a maximum of $250,000 annually for repeat violations (Tariq & Hackert, 2020). The level of violation is the main determinant of the fine. The fines for breaching patient information increase depending on the amount of negligence and the number of patients. In some cases, the charges can result in a prison and jail term for the offender. Therefore, fines
Ways to Secure Data from One Working Shift to Another, Using HIPAA Guidelines
The HIPAA security rule requires healthcare organizations to safeguard PHI using appropriate physical, technical, and administrative techniques. As a result, implementing security controls, including encryption and access control lists, is one way of securing data from one working shift to another. Such measures are essential in ensuring information confidentiality (Cohen & Mello, 2018). Also, hospitals can use a hash or a digital signature to protect information from one working shift to another. Such measures are vital in ensuring data integrity: they ensure that information is not altered between the two shifts, in keeping with the HIPAA guidelines.
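The integrity check described above can be sketched as follows. This is an added example, not part of the original paper: it uses a keyed hash (HMAC-SHA256) and links each shift's handoff record to the previous one, so that both an edited record and a removed record are detected. The record fields, the function names, the key, and the sample notes are all constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # placeholder "previous MAC" for the first handoff in a chain


def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same record
    # always serializes to the same bytes before it is authenticated.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal_handoff(key: bytes, log: list, shift: str, author: str, notes: dict) -> dict:
    """Append a handoff record whose MAC also covers the previous record's MAC."""
    body = {
        "seq": len(log),
        "shift": shift,
        "author": author,
        "notes": notes,
        "prev_mac": log[-1]["mac"] if log else GENESIS,
    }
    record = dict(body, mac=_mac(key, body))
    log.append(record)
    return record


def verify_log(key: bytes, log: list) -> list:
    """Return (position, problem) tuples; an empty list means the log is intact."""
    problems = []
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("seq") != i:
            problems.append((i, "sequence gap or reordering"))
        if body.get("prev_mac") != prev:
            problems.append((i, "broken link to previous handoff"))
        # Constant-time comparison of the recomputed MAC with the stored one.
        if not hmac.compare_digest(_mac(key, body), record.get("mac", "")):
            problems.append((i, "record altered after sealing"))
        prev = record.get("mac", "")
    return problems


def demo() -> dict:
    # Constructed sample data: a demo key and three made-up handoff notes.
    key = b"constructed-demo-key-not-for-production"
    log = []
    seal_handoff(key, log, "day", "nurse_a", {"bed_12": "metoprolol 25 mg given 14:00"})
    seal_handoff(key, log, "evening", "nurse_b", {"bed_12": "BP 128/82, no changes"})
    seal_handoff(key, log, "night", "nurse_c", {"bed_12": "resting, next dose 06:00"})

    edited = json.loads(json.dumps(log))   # deep copy, then change a dose
    edited[0]["notes"]["bed_12"] = "metoprolol 50 mg given 14:00"
    dropped = [log[0], log[2]]             # evening handoff removed

    return {
        "intact": verify_log(key, log),
        "edited": verify_log(key, edited),
        "dropped": verify_log(key, dropped),
    }
```

The check is only as strong as the protection of the key; a digital signature, the other option the paragraph names, would let the incoming shift verify records without holding a secret that can also create them.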
An Internal Audit Plan of All Security Measures
Arguably, the health information management department is the most suitable to oversee the hospital's audit in this scenario. HIM directors supervise the integrity of all financial and clinical data due to their adequate knowledge of information management. PHI sign-out sheets are one of the security practices that the audit in question should review. The PHI sign-out sheet is crucial since it facilitates accurate information transfer about a patient's state and their plan of care (Manaseer & Alawneh, 2019).
Secondly, a review of the PHI record location is another security practice that the audit should focus on. Personal health information should be well secured to avoid any breach. Additionally, the audit should review the network structure (Manaseer & Alawneh, 2019). Such assessments are essential in identifying potential security gaps in enterprise networks. The audit reviews help in minimizing information breaches.
Potential Changes That Can Address the Audit Results
A security practices audit is vital for providing a security report. The organization can address the audit results by making various changes. For instance, additional employee education is one of the changes that can help improve the audit result. The staff members in an organization can be breaching protected health information unknowingly. As such, employee training is essential in ensuring that patients' health information is safe and secure.
Additionally, implementing data usage controls can also help a hospital address the audit report. Lack of data usage control in an organization can expose the patients' data to unauthorized individuals (Lammers & McLaughlin, 2016). Therefore, the hospital must implement the controls in question as a way of enhancing data privacy.
Moreover, regular risk assessments help in identifying security gaps at the right time. Consequently, it makes it easier for a health care center to secure the patient's information. However, a risk assessment plan is vital for adequate assessment.
A Risk Assessment Plan to Identify Future Security Breaches
Vulnerability | Risk description | Threat source | Controls present | Occurrence likelihood | Risk level |
Describe the weakness in your data securities that can result in a breach. | Describe the harm that can be caused if the vulnerability is exploited. | Describe the threats that can be caused by this vulnerability. | Describe the controls in place to reduce this risk. | High / Medium / Low | High / Medium / Low |
The risk assessment plan should be completed biannually as that will help in identifying the risk in time. The HIM director will be conducting the assessment in question because of their internal auditing role. While conducting this assessment, any vulnerability detected will be filled in the blank space. Similarly, the risk will be described in the blank box of the risk description. The source of the threat, present control, occurrence level, and the risk level will be indicated in the relevant blank boxes.
Financial Impact of a New Electronic Health Record (EHR) System
The high cost is one of the risks that a hospital may face while implementing an EHR system. Apart from it being relatively expensive, the hospital employees may not have the required skills and knowledge to use the system. Subsequently, extra training and support may be necessary, thus increasing the cost. Although most EHR systems are secure and safe, there can still be data breaches caused by ransomware, among other cybersecurity hacks (Koppel & Lehmann, 2014). Data migration can be another risk of implementing the electronic health record system. After installing the EHR software, the patients' paper records need to be transferred into the new system. This transcribing process can be time-consuming. Besides, some information may be lost through the process in question. However, there are various benefits of implementing the EHR system in a hospital.
EHR systems enable physicians and nurse practitioners to access patients' information from various computer network locations. As a result, the techniques in question assist in enhancing data privacy. Also, they help in time-saving since the information is made available from different points. The EHR software makes it easier to regulate access to confidential and sensitive patient data. While using this system, only authorized individuals can access certain information. Besides, the EHR systems help in improving patient's care coordination since their past information is readily available (Ajami & ArabChadegani, 2013). As such, this system helps in improving diagnostics and patient outcomes as well. Therefore, an electronic health record system should be invested in and implemented.
While purchasing an electronic health record system, the nursing director should be part of the decision-making process. They have a better understanding of the benefits that the system will bring to the hospital due to their frequent use of health records.
The director of support services should also be a part of this decision making. Their contribution to hospital management is crucial in enhancing service delivery.
Additionally, the health information management director should also be consulted as they understand the organization's finances available.
Lastly, the chief medical officer should be part of this decision-making team as well. The system is essential in enhancing the chief medical officer's job of ensuring the doctors provide safe and effective medical services.
However, while implementing the EHR system, some CMS requirements should be met. For instance, a patient's care summary should be provided by the provider who refers the patient to another medical care provider or another care facility. The summary in question includes lab results, medications, demographics, vitals, care plan, and problem list, among other things (Lammers & McLaughlin, 2016). Another CMS requirement is that a critical access health care provider receiving patients must carry out medical reconciliation on the patient.
Hardware Components Required for the EHR System
Primary storage is one of the hardware components required for the new system. It is vital in storing the program's data and instructions. It includes EPROM, PROM, ROM, and RAM. Secondly, output and input devices, including printers, monitors, and keyboards, are crucial components for the EHR system (Koppel & Lehmann, 2014). Similarly, secondary storage is another essential component of this new system. In comparison, secondary storage can accommodate more data than primary storage and is less volatile. The central processing unit (CPU) is the main component of this system. It should have a one-terabyte hard disk and a 3 GHz processor to enhance efficient handling of the EHR system.
The approximate cost for the new EHR system implementation would be about seven million dollars. It would cater for full employee training, billing integration, the entire EPIC system, and technical and support assistance.
The Best EHR System for Our Organization
EPIC Tier 2 is the ideal system for our organization. Although it is expensive, it caters to a wide range of needs. As such, its implementation will ease the pressure from IT staff and managers. Besides, this system is robust, thus enabling it to achieve its meaningful use. The EPIC Tier 2 system is the solution we need since it is a one-source approach for our medical records handling.
Applications That Need to be Incorporated
Online analytical processing equipment is one of the components that we need to incorporate into our EHR system. It takes on a broad amount of data and assists clinicians in their daily decision-making. The organized inflow of data collected can be used for future clinical decision-making purposes as well. Computerized provider order entry is another critical application that we should incorporate in our new system. It enables the healthcare providers to directly input orders required for a patient into the system. Lastly, we also need to include the pharmacy system component into this system (Koppel & Lehmann, 2014).
Security and Privacy Components of the EPIC Tier 2 Systems
Access control is one of the security and privacy components of the system in question. This control includes PINs and passwords that are required for a person to access the information. Consequently, this control helps secure the patient's data since only the individuals with the correct passwords can access it. Encrypting the stored data is another security and privacy component for this system (Rodriguez, 2011). This element ensures that the information can only be read and understood by individuals who can decrypt it, thus requiring the use of a unique "key."
A Training Plan for All Clinical and Non-Clinical Staff
Approximately 12 hours are adequate for clinical staff to learn the EHR system. The system is not complicated, so not much time is required to learn it. The teaching can be done in four modules of three hours each, to allow for smooth patient care. Non-clinical officers can be trained in two modules of three hours each, thus making six hours.
Logistics Required for Training All Employees on All Shifts
Of approximately 150 day-shift employees, about 100 of them are clinical officers, while about 50 of them are the non-clinical staff. The clinical staff requires four sessions for the entire training. But, since they are relatively many, they need to be divided into twenty clinical officers. Therefore, there will be four groups requiring four sessions each, thus making the total number of training sessions for clinical officers to be sixteen sessions. Similarly, non-clinical officers require four training sessions, as well. However, they need to be sub-divided into two groups of 25 members each. Since each group will require four sessions, the two groups will need eight sessions. In addition to the 16 sessions of clinical officers, the total number of training sessions for all 150 day-shift employees is 24.
The night shift has approximately 50 employees: 40 are clinical officers, and 10 are non-clinical staff. Due to the high number of clinical staff, they should be sub-divided into two groups of 20 members. Each group needs four training sessions, thus making the total number of training sessions for clinical staff eight. Since the number of non-clinical staff is relatively small, they do not need to be sub-divided into small groups. Also, they require two training sessions instead of four, due to their small number. Therefore, the total number of training sessions for night-shift employees is 10.
The clinical officers' training requires 12 hours, while that of non-clinical officers involves six hours for a day-time shift. The organization has 100 clinical officers and 50 non-clinical officers, and the training cost is an average of $21 per hour. The night shift has 40 clinical officers and ten non-clinical officers. Clinical officers are divided into two groups, which require four training sessions of 3 hours each. So, the total number of hours for night shift training is 12 hours. Non-clinical officers are in one group that requires two training sessions of 4 hours each. Therefore, the total number of training hours for non-clinical staff is 8 hours, making the total number of training hours for the night shift 20 hours.
Therefore, the training cost for clinical officers will be:
Average wage per hour * total number of training hours * total number of employees
$21*12*100= $25,200.
The training cost for non-clinical officers will be:
$21*6*50= $6300.
The total cost for day-shift training will be:
$25,200+$6300= $28,500.
Training cost for night shift employees will be:
$21*20*50= $21,000.
So, the total training cost will be:
$21,000+$28,500= $49,500.
A Training Plan for 75 Physicians
The training will take six weeks, and our physicians will be divided into eight groups. The training will be conducted half day and half night shift. Every session will be mirrored on the night and day shifts to enable physicians to attend during their regularly scheduled shifts.
Week 1/2 | Week 3/4 |
G1 | Physicians 1-9 | G4 | Physicians 30-39 |
G2 | Physicians 10-19 | G5 | Physicians 40-49 |
G3 | Physicians 20-29 | G6 | Physicians 50-59 |
Week 5/6 |
G7 | Physicians 60-69 |
G8 | Physicians 70-75 |
G | Reinforcement/Make up session if necessary. |
Week 1 | Physicians Groups 1, 2, 3 |
Sun | Mon | Tue | Wed | Thu | Fri | Sat |
AM | G1 – Part 1 | G2 – Part 1 | G1 – Part 2 | G3 – Part 1 |
PM | G1 – Part 1 | G2 – Part 1 | G1 – Part 2 | G3 – Part 1 |
Week 2 | Physicians Groups 1, 2, 3 |
Sun | Mon | Tue | Wed | Thu | Fri | Sat |
AM | G3 – Part 2 | G2 – Part 2 | G1 – Part 3 | G2 – Part 3 | G3 – Part 3 |
PM | G3 – Part 2 | G2 – Part 2 | G1 – Part 3 | G2 – Part 3 | G3 – Part 3 |
Week 3 | Physicians Groups 4, 5, 6 |
Sun | Mon | Tue | Wed | Thu | Fri | Sat |
AM | G4 – Part 1 | G5 – Part 1 | G4 – Part 2 | G6 – Part 1 |
PM | G4 – Part 1 | G5 – Part 1 | G4 – Part 2 | G6 – Part 1 |
Week 4 | Physicians Groups 4, 5, 6 |
Sun | Mon | Tue | Wed | Thu | Fri | Sat |
AM | G6 – Part 2 | G5 – Part 2 | G4 – Part 3 | G5 – Part 3 | G4 – Part 3 |
PM | G6 – Part 2 | G5 – Part 2 | G4 – Part 3 | G5 – Part 3 | G4 – Part 3 |
Week 5 | Physicians Groups 7, 8, G |
Sun | Mon | Tue | Wed | Thu | Fri | Sat |
AM | G7 – Part 1 | G8 – Part 1 | G7 – Part 2 | G – Part 1 |
PM | G7 – Part 1 | G8 – Part 1 | G7 – Part 2 | G – Part 1 |
Week 6 | Physicians Groups 7, 8, G |
Sun | Mon | Tue | Wed | Thu | Fri | Sat |
AM | G – Part 2 | G8 – Part 2 | G7 – Part 3 | G8 – Part 3 | G – Part 3 |
PM | G – Part 2 | G8 – Part 2 | G7 – Part 3 | G8 – Part 3 | G – Part 3 |
Train-The-Trainer Program for the New Employees
To provide adequate support and training for the new employees, the hospital will use the "Super Users" to conduct on the job training for the new employees. There will be five "Super Users" selected based on their performance. Only the best performing employees will be chosen in every department. They will then attend two weeks of intense training on EHR systems to train the other employees.
The Transition Plan for Employees from the Old EHR System to the New EHR System
While transitioning from the old EHR system to the new one, the patients' data should be preserved and protected. Additionally, we must maintain continuity of care during the transition period. Therefore, the implementation will be done in phases to ensure the safety and care continuity in question. After the training, we will have to measure if employees have demonstrated competence with the new system. As a result, the staff will be given a test after every training session.
According to the records, on Tuesday, the hospital usually has the lowest patient census. As such, it is the most appropriate day of the week to initiate the new system transition. This transition should be done at 8 am. The shift change can take place at 7 am to give super users adequate time to be deployed to their training sites by 8 am.
The chief medical officer, the director of support services, and the health information management director should be on site for the transition period. One of the principal medical officer duties is to ensure efficient medical services to the patients. So, their presence during the transition ensures continuous and smooth running of the hospital.
The director of support services ensures that the staff utilize safe practices and procedures in their work. As such, their presence during the transition will help them execute this responsibility.
Lastly, the HIM director is in charge of all of the organization's data. Therefore, their presence during the change in question is essential in ensuring the safe transfer of data.
An Appropriate Approach to Reward the Staff for Successfully Learning and Transitioning to a New EHR System
After three weeks of smooth use of the system, the organization will have a celebration to reward the staff. Meals will be provided at the event. Also, the staff will engage in various fun games. Lastly, there will be massage chairs for those who enjoy them. Also, the staff that did well during the training program will be rewarded. The reward system will be based on the grades in the training tests. The administration team will collaborate in planning for this event. The necessary shift changes will be made to accommodate most workers.
References
Agris, J., & Spandorfer, J. (2016). HIPAA compliance and training: A perfect storm for professionalism education? Journal of Law, Medicine & Ethics, 44(4), 652-656. https://doi.org/10.1177/1073110516684812
Ajami, S., & ArabChadegani, R. (2013). Barriers to implement electronic health records (EHRs). Materia Socio Medica, 25(3), 213. https://doi.org/10.5455/msm.2013.25.213-215
Cohen, I. G., & Mello, M. M. (2018). HIPAA and protecting health information in the 21st century. JAMA, 320(3), 231. https://doi.org/10.1001/jama.2018.5630
Koppel, R., & Lehmann, C. (2014). Implications of an emerging EHR monoculture for hospitals and healthcare systems. Journal of the American Medical Informatics Association, 22(2), 465-471. https://doi.org/10.1136/amiajnl-2014-003023
Lammers, E. J., & McLaughlin, C. G. (2016). Meaningful use of electronic health records and Medicare expenditures: Evidence from a panel data analysis of U.S. health care markets, 2010-2013. Health Services Research, 52(4), 1364-1386. https://doi.org/10.1111/1475-6773.12550
Manaseer, S., & Alawneh, A. (2019). On cyber security auditing awareness: Case of information and communication technology sector [Ebook]. Retrieved 11 January 2021, from https://www.researchgate.net/publication/334736637_ON_CYBER_SECURITY_AUDITING_AWARENESS_CASE_OF_INFORMATION_AND_COMMUNICATION_TECHNOLOGY_SECTOR
Rodriguez, L. (2011). Privacy, security, and electronic health records - Health IT Buzz. Health IT Buzz. Retrieved 10 January 2021, from https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/privacy-security-electronic-health-records
Tariq, R., & Hackert, P. (2020). Patient confidentiality [Ebook]. Retrieved 9 January 2021, from https://www.ncbi.nlm.nih.gov/books/NBK519540/