A Real-Life Project Experience: Consulting
Thielen Student Helath Center (TSCH) Online
HIPAA Training
Yasemin Demiraslan
Farrah Dina Yusop
CI 603 Advanced Instructional Systems Design
Iowa State University of Science and Technology
05/03/2007
1
Table of Contents
1. Project description
3
2. Situation/context of the project
3
2.1 Problem description
3
2.2 The current HIPAA and ISU policies training
3
3. Problem(s) addressed
4
3.1 Needs analysis
4
3.2 Findings from the interview
5
4. Proposal
8
5. Course of actions
9
6. Reflections
10
7. Future Recommendations
10
Appendixes
11
Project contract
11
Interview questions
13
Final compilation of case studies for TSHC
14
Acknowledgement Letter
15
Closing letter
16
2
1. Project description
This project is about developing an online training on Health Insurance Portability and
Accountability Act (HIPAA) and ISU Health Information Privacy and Security Policy for the new
employees at the Thomas B. Thielen Student Health Center (TSHC), Iowa State University,
Ames, IA.
The main purpose of the training is to provide the employees, especially the new employees at
the Center, with the necessary information to protect patients’ personal health care and financial
information according to HIPAA and ISU policies.
2. Situation/context of the project
2.1 Problem description
Previously, the Health Insurance Portability and Accountability Act (HIPAA) and ISU Health
Information Privacy and Security Policy training were conducted by our primary contact, Ms.
PMC on one-to-one and face-to-face basis with the Center’s new employees as part of 3 series
of training (The other 2 trainings are Safety Issues in Healthcare Environment and Handling
Patients’ Complaints). Each of these training sessions takes between 30 to 50 minutes
depending on the employees’ previous background working in healthcare environment, their
work needs and positions in the center. The training must be conducted within the first 5 days of
employment date and before the employees have direct contact with the patients.
2.2 The current HIPAA and ISU policies training
The HIPAA and ISU policies training, which is the main focus of this project, is the most
important and most challenging training experienced by the client due to several reasons:
1. frequent changes in HIPAA policies
Under the law, every person working in the healthcare environment needs to follow and
apply the HIPAA policies in their everyday task. Since the HIPAA requirements changes
frequently, it is difficult to keep pace of the current HIPAA policies. In addition, there is
no standardized content on HIPAA policies, which made it difficult to be explained for
employees who work at different sections in the Center.
3
2. no specialized HIPAA training
Since there is no standardized content of the HIPAA policies, the client had difficulties to
train each new employee at the Center according to their specific sections. For instance,
HIPAA training for clerical tasks will be different from the medical record people. Thus
the client ended up with applying general HIPAA policies that will apply to all of the
sections in the Center.
3. employees’ prior knowledge on HIPAA
Employees’ prior knowledge on HIPAA is another challenge for the client. An employee
with prior knowledge on HIPAA and has experience working in healthcare environment
will not need to be trained so much on HIPAA policies, thus the client will concentrate
more on training him/her in ISU policies compliant with the HIPAA policies. However, for
an employee who has no prior knowledge on HIPAA and does not has prior experience
working in healthcare environment, the training will take more time as the client needs to
explain both HIPAA and ISU policies.
4. no further references
Our needs analysis with the new employees on HIPAA and ISU policies also revealed
that there are lack opportunities for them to refresh their HIPAA and ISU policies after
the training. Even though printed manuals are provided in the Center for references, they
seldom use it. Instead, most prefer to update their knowledge on HIPAA based on
mouth-to-mouth approach, i.e. asking from someone who has more experienced in the
section for guidance if they need help on something related to patients’ privacy issues.
3. Problem(s) addressed
3.1 Needs analysis
To better understand the client’s and her employees’ needs, we have conducted 2 types of
needs assessment:
a. Client’s needs assessment
4
2 meetings were arranged between us and the client. The first meeting was to explore
the scope of the project which was also attended by Vanessa Preast, our primary
instructor of this project. During the second meeting, we attended and recorded an
actual HIPAA and ISU policies training session conducted by our client with one of the
Center’s new employees. The second meeting was really helpful to help understand the
not only the scope of the project but also the challenges that the client face in her
everyday training.
b. Employees’ needs assessment
Based on our client’s suggestions, we contacted 6 newly employed employees who had
gone through the training on HIPAA and ISU policies conducted by our client. 4 of the
interviewees are in the administrative positions at various sections of the Center, 1 is a
clerk working with the Center’s Directors and 1 is a 10-hour working student who is
assigned to work at the Medical Records section. All of them have prior knowledge on
HIPAA policies and had previous experience working in healthcare environment.
2 focus group and 1 individual interview sessions were conducted with the center’s new
employees on Feb. 23rd, 26th and 27th at the Center. The purpose of these interviews
was to understand the effectiveness of the training conducted by our client from the
employees’ perspectives and to solicit feedback on how we can better address their
needs. The interview questions are attached.
Focus group methods was selected to conduct the interviews with the employees due to the fact
that this method triggers opinions of each participant as we saw in our interview sessions, thus
lead more effective and valuable information regarding with the needs and interests of different
people in the sessions. In addition, the way of interviewing 2 or 3 people together helped both
us and the employees save time.
3.2 Findings from the interview
The initial findings revealed valuable information and suggestions that are critical in helping us
to develop the online training as stated in the Proposal section. Table 1 shows some key points
acquired from the analysis of interview sessions with the employees.
5
Table 1: Interview sessions
Current job and
roles
Session 1
Date
Marlene
Previous
training on
HIPAA &ISU
privacy policy
Learning
preferences
: Marlene, Pat and Mary
: Friday Feb 23, 2007 at TSHC







Started to work
one month ago
Medical records
supervisor
Applying HIPAA
guidelines for
medical records
Transcribing
health history
and
immunization
information of
the patients
Interviewing,
hiring the team
of medical
records
Enforcing safety
and HIPAA
guidelines in
medical records
Do not have a
direct contact
with the patients






Pat
Suggestions to
improve online
training


Started to work
9 months ago
Administrative
assistant

Worked 3

years in a
physician
office

Worked with
HIPAA
regulations
and ISU
privacy policy
(student ID,

Social
security
number etc.)
Remembered
more things
about the
training
because of
taking the
training a few
weeks ago
Training was
appropriate
her work
needs
Learned most
of the things
about HIPAA
and ISU
policy by
experience
Training
expectations
were met (the
training was
very through)
Worked 3
years as a
clerk in an
emergency

Questionsanswers
(FAQ)
Brief quiz at
the end of
the training
to show what
and how you
understand
Bring
additional
questions to
the current
trainer can
be helpful
(blended
approach)




Not linear but 
provide a
flexible
navigation

Comfortable
with using
computer
Have internet
access at
home
Checking out
CD takes
more time,
online is
preferable
Online tour on
the web site
can be
interesting
Comfortable
with using
computer
Have internet
6




Being the front
desk for the
administer,
taking care of
his calendar
Hiring a new
employee
(human
resources
functions)
Doing paper
work for the
advertising
press
Do not have a
direct contact
with patients (do
not handle
students’
records)




Mary


Started to work
6 weeks ago
(early January)


hospital

Well know
about HIPAA
because of
her
experience in 
ISU for ten
years
Did not get a
comprehensi
ve training
due to her
position in
the center
(training was
specific to the
position of
the people in
the center)
Could not
recall
anything
specific about
the previous
training
Different
policies and
procedures
should be
available
online in case
you forget the
information
Found
current
training very
clear, got a
good
understandin
g
Can ask
another
person if she
does not
remember a
policy or
procedure



Online
checklist
showing
what you
done
Printing the
sign form


access at
home
Do not know
the benefits of
using which
system
The online
training should
be towards
employees
(temporary
passwords to
access the
training)
Audio+visual
can be really
helpful
10 question
post test
Printing the
certification
at the end of
the training
7
Session 2
Date
Ray
: Ray Rodriguez & Lori
: Monday Feb 26, 2007 at TSHC



Started: 7 month
ago
Health cocoordinator
(administrative)
Conduct
workshops and
training
(education) eg.
Stress
management,
drug, fitness etc
Lori
Session 3
Date
: Megan
: Tuesday Feb 27, 2007 at TSHC
Megan
4. Proposal
To help overcome the problems presented above, we proposed the development of an online
training module specifically for the Health Insurance Portability and Accountability Act (HIPAA)
and ISU Health Information Privacy and Security Policy for the new employees.
The proposed online training will have specific features that will eliminate, or at least to
minimize, the current problems that the client is experiencing. The suggested features are:
c. Online-based training – our needs analysis revealed that online module is more
preferable than any other types of training, for instance, print-based materials
and CD. The interviewees stressed that online module will enable them to access
the training at anytime at anywhere at their own convenient. It will also provide
the employees with an effective way to recall the information they forget or need
later.
d. Interactive elements – Our needs analysis also suggested that the online training
to include interactive elements such as videos, audios and animations to be
included, not only to motivate the employees to take the training but also to help
8
them better understand how HIPAA and ISU policies looks like in real life
situations.
For instance, the employee needs to they can not leave the patients’ files on their
desks at anytime during the working hours to avoid other patients and staff
looking at it, even accidentally.
e. Online quizzes – Since learning about policies and regulations could be long and
tiresome, we decided to include short quizzes in the online training. This element
is needed not only to test the employees’ understanding on the content, but also
to ‘wake them up’.
f.
Breaking down the modules – Based on the needs analysis, we plan to break
down the training modules into sub-modules. Each sub-module will take only 20
to 30 minutes time for motivational and easiness purposes, especially for
employees who would like to take the training during their lunch break.
5. Course of actions
We plan to conduct the needs assessment, design and development works, and usability testing
within this timeline:
Activity
Start Date
End Date
1. identify client’s needs (Needs assessment)
29 Jan 2007
5 Feb 2007
2. conduct needs analysis (Needs assessment)
5 Feb 2007
26 Feb 2007
3. design content and online module
26 Feb 2007
19 March 2007
19 March 2007
9 April 2007
5. pilot test and revise the module (usability testing)
9 April 2007
23 April 2007
6. disseminate the online module
23 April 2007
3 May 2007
(Design and development)
4. develop the prototype of the online module
(Design and development)
9
6. Reflections
Based on our experience working with the client in specific and with the Center in general, we
found out that they are cooperative and attended to our needs as much as they can. Thus, our
relationship with the client was smooth. The client was helpful and cooperative, shared
materials and eager to help.
-
there was a time when we did not get response from the client.. it turned out that
she was sick at the time
-
we learned that we need to employ other methods of communication other than
e-mails including phone calls
In addition, it is clear to see that many employees in the center has positive thoughts about
online training and find it effective in learning. They also mentioned a special need and interest
to take the training online in order to get necessary information and skills to combat such an
important issue in their workplaces.
7. Future Recommendations
Accompanying these findings is a set of recommendations to improve the effectiveness of the
online training.
1. An online quiz can be added not only to test the employees’ understanding on the
content, but also to ‘wake them up’.
2. The development of “Test” and “FAQs” sections can be another mini-project by itself.
3. Site navigation:
I. An presentation to orient the employees (can also be put on TSHC website)
II. A help button can be added with some text explaining the structure of the website
with suggestions about navigation through the website.
10
APPENDIXES
1. Contract with the client
PROJECT CONTRACT
Overview
The Thomas B. Thielen Student Health Center (TSHC) wants to implement online training on
Health Insurance Portability and Accountability Act (HIPAA) and ISU Health Information Privacy
and Security Policy for the new employees. This training is intended to educate the employees
on their responsibilities to protect patients’ personal health care and financial information
according to HIPAA and ISU policies and will be carried out within five working days of their first
day of employment.
This contract constitutes an agreement between Ms Penni McKinley and Ms Yasemin
Demiraslan and Farrah Yusop regarding the development of the ‘Handling Patients’ Privacy and
Security Issues’ module of this training program. This document will serve as a reference point
for discussion about the project and will set forth the expectations of both the client and the
consultant. The contract is meant to be a continuously negotiated document that sets the
groundwork for the project, and not a rigid set of guidelines that cannot be modified.
Personnel
The client for the project is Penni McKinley, the Quality Improvement Coordinator for the
Thomas B. Thielen Student Health Center. She is currently the trainer of the face-to-face
orientation for the ‘Handling Patients’ Privacy and Security’ training program.
The consultanst are Yasemin Demiraslan and Farrah Yusop, PhD students from Curriculum and
Instructional Technology Department of Iowa State University. This project is undertaken by the
consultants to fulfill the requirements of the CI 603 – Advanced Instructional Systems Design
course. Yasemin and Farrah will work with Penni during the course duration spanning 29
January 2007 to April 26.
Goal
To develop an online training module on the ‘Handling Patients’ Privacy and Security Issues’ for
the TSHC new employees.
Objectives
1.
2.
3.
4.
5.
To identify learners’ needs
To identify learning objectives of the training
To analyze and scope the content of the training
To develop the online training
To pilot test the online training
Expectations and tasks
The client expects the consultants to:
11
a.
b.
c.
d.
Provide expert advice regarding the use of instructional methods and strategies
Manage the instructional product development process
Share problems and concerns about the project with the client
Adhere to agreed project deadlines, unless negotiated otherwise
The consultants expect the client to:
a. Work collaboratively with the consultants for the project
b. Share problems and concerns about the project with the consultants
c. Provide content expertise and appropriate learning materials for the project
d. Locate resources (inclusive of human, financial, material) necessary for the project
e. Adhere to agreed project deadlines, unless negotiated otherwise
Resources
The client will provide:
 materials for the online training
 resources for data collection and disseminating the online training
The consultants will provide:
 data on the requirements of the online training
 expertise in the instructional design of the online training
Work Schedule
Activity
Start Date
End Date
7. identify client’s needs
29 Jan 2007
5 Feb 2007
8. conduct needs analysis
5 Feb 2007
26 Feb 2007
9. design content and online module
26 Feb 2007
19 March 2007
10. develop the prototype of the online module
19 March 2007
9 April 2007
11. pilot test and revise the module
9 April 2007
23 April 2007
12. disseminate the online module
23 April 2007
3 May 2007
Renegotiation
Any part of this agreement may be revised at any time by mutual consent.
12
2. Interview questions
1. Demographic background
a. Can you briefly describe your current job and roles in this center?
b. previous knowledge on HIPAA & ISU privacy policy
 Did you ever heard about Health Insurance Portability and
Accountability Act (HIPAA)? What do you know about it?
 How does it relate to your job?
2. Training
a. previous training on HIPAA & ISU privacy policy
 have you taken the training? Where and when?
b. Training expectations
 What were your expectations? Did the training meet your expectations?
 What do you know now about protecting privacy of health information that
you wish you knew at the time of training?
 What was particularly helpful about the training you received?
3. Suggestion to improve training
We are developing new online training about protecting privacy of health information.
 What advice would you give us to make this training more effective and
enjoyable for trainees?
4. Learning preferences
 Are you comfortable using computers?
 Do you have access to computer and internet?
 If you were given options to take the training online, print-based, CD which one
would you prefer? Why?
5. Could you write one or two questions about protecting privacy of health information that
you really want to learn the answers?
13
3. Final Compilation of case studies for TSHC
Module
2.2
PHI
basics
Case
I work in the TSHC Medical Record section. A friend of mine
who works in the Yellow Pod section told me that she just saw
her ISU Teaching Assistant get on to the TSHC. My friend is
curious about this person. She read in the Iowa State Daily
paper that the TA has cancer. My friend asked me if I could find
out the TA’s medical records and show it to her.
(Adapted from University of California, San Diego’s Department
of Psychiatry at
http://psychiatry.ucsd.edu/forms/HIPAA%20Mandatory%20Train
ing.pdf)
2.3
PHI use
and
disclosure
Passing through a check-in area, Nurse Betty overhears Adam,
the clinic check-in clerk telling a patient on the phone that he
needs a follow-up appointment because his HIV test just came
back positive. She notices waiting patients are listening intently
to the phone conversation.
(Adapted from UNC School of Medicine at
http://www.med.unc.edu/ois/hipaa/training/genprivacy_mod1/sli
de15.html )
2.2.c
Disclosing
PHI to
family &
friends
Joe McCleod, who is a junior, was seen by a doctor at the
TSHC for treatment of a broken leg. He is 19 years old.
Unable to learn what is happening with their son, Mr. & Mrs.
McCleod ask their friend, Betty, who works in the Business
Office, to review Joe's records. Betty reviews the records and
informs Joe's parents that Joe broke his leg in two places after
he fell over the curb coming out of the bars.
What we need from TSHC
 2 people from the Medical
record section:
 Talking to each other
 1 person will act
thinking of something
 1 person will looking
at the camera and
puzzle
 1 person from the front
desk (talking on the
phone)
 1 nurse (passing by the
desk)
 2-3 people waiting in the
waiting areas
 1 woman (as the mom)
 1 man (as the dad)
 1 doctor (reading the
patient’s record to the
couple)
(Adapted from UNC School of Medicine at
http://www.med.unc.edu/ois/hipaa/training/genprivacy_mod1/sli
de12.html)
3.2
Securing
PHI on
your
computer
workstatio
n
A physician leaves his tablet which is open to a patient’s visit
notes, on the counter of the back lobby. The laptop did not have
a automatic screen saver set. As the physician is on the phone,
looking away the patient intentionally looks at the information on
the laptop.
 1 person (using his/her
laptop at TSHC)
 Back lobby counter
(Adapted from UNC School of Medicine at
http://www.med.unc.edu/ois/hipaa/training/gensecurity_mod2/sli
de21.html )
14
4. Acknowledgement Letter
May 4, 2007
Farrah Dina Yusop
Yasemin Demiraslan
Center for Technology in Learning and Teaching
N031 Lagomarcino Hall
Iowa State University
Ames, Iowa 50010
Re: Online training on the Health Insurance Portability and Accountability Act (HIPAA)
and Iowa State University (ISU) Privacy Policy for Thielen Student Health Center (TSHC)
On behalf of Thielen Student Health Center (TSHC) at Iowa State University (ISU) I would like
to thank both of you for designing and developing an online training on Health Insurance
Portability and Accountability Act (HIPAA) and ISU Privacy Policy for our new and current
employees.
The online training you designed and developed is very helpful to introduce our new employees
to the HIPAA Privacy Policy, a federal law that requires every healthcare personnel to protect
patients’ personal health information and how TSHC acts in accordance with the law. At the
same time it also functions as a refreshing reference for our current employees. This is the first
time that an online training on HIPAA and ISU Privacy Policy has ever been developed
specifically for TSHC employees. The online training was very well done and we compliment
you on its professional presentation.
I appreciate the time and effort you spent assisting our organization. I also appreciated the
opportunity to get to know both of you. We look forward to future collaborations.
Sincerely,
Penni McKinley, RN, BA
Quality Improvement Coordinator
Iowa State University
2260 Thielen Student Health Center
Ames, IA 50011-2260
515.294.1059 (Work)
515.294.5457 (Fax)
15
5. Closing Letter
04/03/2007
Yasemin Demiraslan
Farrah Dina Yusop
Center for Technology in Learning and Teaching
N031 Lagomarcino Hall
Iowa State University
Ames, Iowa 50010
Penni McKinley, RN, BA
Quality Improvement Coordinator
Iowa State University
2260 Thielen Student Health Center
Ames, IA 50011-2260
Phone:15152941059 (work)
Fax:15152945457
pmckinle@iastate.edu
Dear Ms. McKinley,
You have requested developing an online training on Health Insurance Portability and
Accountability Act (HIPAA) and ISU Health Information Privacy and Security Policy for the
new employees at the Thomas B. Thielen Student Health Center (TSHC). The main purpose of
the training was to provide the employees, especially the new employees at the Center, with the
necessary information to protect patients’ personal health care and financial information
according to HIPAA and ISU policies.
The enclosed materials were designed and developed to meet the objectives of the project such
as identifying learners’ needs, identifying learning objectives of the training, analyzing the scope
and the content of the training, developing and pilot testing the online training.
The results of the interviews conducted with 6 newly employed employees revealed that online
module is more preferable than any other types of training, for instance, print-based materials
and CD. The interviewees stressed that online module will enable them to access the training at
anytime at anywhere at their own convenient. Our needs analysis also suggested that the online
training including interactive elements such as videos, audios and animations, not only to
motivate the employees to take the training but also to help them better understand how HIPAA
and ISU policies looks like in real life
situations. In addition, based on the needs analysis, we planed to break down the training
modules into sub-modules for motivational and easiness purposes.
16
These findings informed us in developing the online training which will eliminate, or at least to
minimize, the current problems in HIPAA training that you are experiencing. Accompanying
these findings is a set of recommendations to improve the effectiveness of the online training.
Please feel free to send us e-mail if you have any questions about these materials or if we can
provide any additional information to assist you in the implementation process. You may reach
us via e-mail. Our e-mail addresses are: yasemind@iastate.edu, fdyusop@iastate.edu
Thank you for this opportunity and we will be looking forward to future collaborations.
Sincerely,
Yasemin Demiraslan
Farrah Dina Yusop
17