Home  >  Learning Circuits  >  2003  >  An LMS Helps Meet HIPAA Compliance

An LMS Helps Meet HIPAA Compliance

By Samuel P. Jenkins

 

Like every other health-care provider in the United States, the U.S. Military Health System, a global network of 540 military hospitals, clinics, and treatment facilities, has been working to comply with the 1996 Health Insurance Portability and Accountability Act. HIPAA mandates standards for the treatment and transference of patient records, with a focus on security and privacy. The act requires that any organization dealing with patient records must have rules ensuring confidentiality. The statutory deadline for all workers to be trained in those rules was April 13, 2003.

 

The Military Health System, also known as TRICARE, has a large number of employees to train and patients to protect, so HIPAA compliance requires a systematic approach. With a staff of 131,000 worldwide, we provide medical care to 1.5 million active-duty service members and 1.4 million reservists. Including retirees and family members, our beneficiary population is almost 10 million.  That’s a lot of medical records.

 

First, TRICARE wrote a comprehensive Department of Defense regulation governing HIPAA privacy at our facilities, specifying requirements and policies for disclosing records, processing claims, training workers, and monitoring HIPAA compliance. Then, we decided on a Web-based system for delivering and tracking the training. TRICARE opted to use an online solution for several reasons. For example, our workers move to a new facility every one to three years.

 

Another issue, facing us was that the Army, Navy, Air Force, and Marines have their own training structures. We had to decide whether each should develop its own HIPAA module or buy an off-the-shelf product customized to its needs.

 

Once all the requirements were outlined and issues addressed, TRICARE called for bids on a rapidly implemented commercial LMS. After viewing six demonstrations, we decided to work with Booz Allen Hamilton on an integrated solution. The underlying LMS was built by Plateau Systems, which has experience with federal agencies and highly regulated industries, and the course modules were supplied by QuickCompliance, a HIPAA content specialist. An additional Web-based application was used to incorporate all relevant local and national HIPAA-related policies and procedures at individual facilities, prompting onsite managers about requirements and showing any compliance gaps. The two tools for training and compliance monitoring work together.

 

How it works

 

The LMS has several advantages, such as staying current as the rules changed and proving compliance to regulators. The LMS alerts employees by email when deadlines approach and refreshes their HIPAA training requirements annually. When employees transfer to new facilities, their training records automatically transfer with them. When HIPAA rules change, a revision feature built into the Plateau 4 LMS lets TRICARE roll out training adjustments by revising the appropriate modules, which will trigger new alerts and deadlines to all affected employees and ensure that training is completed.

 

The LMS provides a central repository for all training records, combined with an audit trail of training histories that managers can unspool for regulators. The LMS has been configured to allow documentation of the workforce’s training compliance, either system-wide or at specific facilities. Those features are key to showing compliance to such authorities as the Department of Health and Human Services’ Office of Civil Rights, which has national HIPAA enforcement duties; the Joint Commission on Accreditation of Healthcare Organizations, which oversees industry standards; and the Office of Inspector General for each of the armed services.

 

The modules are organized into hierarchical levels. The 100-level module is a basic HIPAA 101 that all employees must take. The 200 level consists of job-specific modules for physicians, nurses, executives, and support staff. Job categories determine the specific HIPAA training. When an employee signs into the LMS, it assigns the required modules and deadlines. If a worker changes job categories, the LMS automatically updates his or her training profile to match the new job requirements. Employees have completed the 100- and 200-level training by the April 14, 2003 deadline. TRICARE also is developing 300-level modules that will consist of recorded presentations on particular HIPAA topics. These will be posted on the LMS as Web seminars—often as just-in-time training that employees can view over the Web for credit, either voluntarily or when assigned by a manager.

 

The job-specific training is significant because of the different ways privacy concerns affect certain roles in a hospital or clinic. The focus on disclosure of information is a central element of HIPAA. Because of possible abuses, it’s crucial to identify those who seek patient records and send them only what they must have.

 

HIPAA permits 14 different forms of disclosures; after April 13, each must be accounted for properly. Under the act and in certain circumstances, a patient can request a record of every time his or her data was released to anyone in the past six years. To help track and report such disclosures, TRICARE has purchased another web-based tool that can be readily and easily adapted to our current system.

 

 

Samuel P. Jenkins is privacy officer for the U.S. Department of Defense’s TRICARE Management Activity; sam.jenkins@tma.osd.mil.

 

 

 

 

 
 
Request more information or report issues with this page.
To add pages to your ASTD Favorites you must be logged in.
VIVID_LC1

Kineo_LC2