An LMS helps meet HIPAA compliance: a vendor-provided case study

T+D, March, 2003 by Cmdr. Sam Jenkins

Like every other health-care provider in the United States, the U.S. Military Health System, a global network of 540 military hospitals, clinics, and treatment facilities, has been working to comply with the 1996 Health Insurance Portability and Accountability Act. HIPAA mandates standards for the treatment and transference of patient records, with a focus on security and privacy. The act requires that any organization dealing with patient records must have rules ensuring confidentiality. The statutory deadline for all workers to be trained in those rules--April 13, 2003--is fast approaching. Health-care providers and vendors are scrambling to meet it.

The Military Health System, also known as Trare, has a large number of employees to train and patients to protect, so HIPAA compliance requires a systematic approach. With a staff of 131,000 worldwide, we provide medical care to 1.5 million active-duty service members and 1.4 million reservists. Including retirees and family members, our beneficiary population is almost 10 million. That's a lot of medical records. We wrote a comprehensive Department of Defense regulation governing HIPAA privacy at our facilities, specifying requirements and policies for disclosing records, processing claims, training workers, and monitoring HIPAA compliance.

TriCare decided on a Web-based system for delivering and tracking the training, considering that our workers move to a new facility every one to three years. The Army, Navy, Air Force, and Marines have their own training structures, so we had to decide whether each should develop its own HIPAA module or buy an off-the-shelf product customized to its needs. TriCare called for bids on a rapidly implemented commercial LMS and after seeing six demonstrations, chose a solution from Booz Allen Hamilton, in which the course modules were supplied by QuickCompliance, a HIPAA content specialist. The underlying LMS was built by Plateau Systems, which has experience with federal agencies and highly regulated industries. An additional Web-based application will incorporate all relevant local and national HIPAA-related policies and procedures at individual facilities, prompting onsite managers about requirements and showing any compliance gaps. The two tools for training and compliance monitoring work together.

TriCare saw several LMS advantages that matched its challenges in managing the training, staying current as the rules changed, and proving compliance to regulators. The LMS alerts employees by email when deadlines approach and refreshes their HIPAA training requirements annually. When employees transfer to new facilities, their training records automatically transfer with them. When HIPAA rules change, a revision feature built into the Plateau LMS will let TriCare roll out training adjustments by revising the appropriate modules, which will trigger new alerts and deadlines to all affected employees and ensure that training is completed.

The LMS provides a central repository for all training records, along with an audit trail of training histories that managers can unspool for regulators. The LMS has been configured to allow documentation of the workforce's training compliance, either system-wide or at specific facilities. Those features are key to showing compliance to such authorities as the Department of Health and Human Services's Office of Civil Rights, which has national HIPAA enforcement duties; the Joint Commission on Accreditation of Healthcare Organizations, which oversees industry standards; and the Office of Inspector General for each of the armed services.

The modules are organized into hierarchical levels. The 100-level module is a basic HIPAA 101 that all employees must take. The 200 level consists of job-specific modules, such as for physicians, nurses, executives, and support staff Job categories determine the specific HIPAA training. When an employee signs into the LMS, it assigns the required modules and deadlines. If a worker changes job categories, the LMS automatically updates his or her training profile to match the new job requirements. Employees will complete the 100- and 200-level training by the April deadline. TriCare is also developing 300-level modules that will consist of recorded presentations on particular HIPAA topics. They will be posted on the LMS as Web seminars--often as just-in-time training for certain needs, such as the training required for using the tools. People will view them over the Web for credit, either voluntarily or when assigned by a manager.

The job-specific training is significant because of the different ways privacy concerns affect certain roles in a hospital or clinic. The focus on disclosure of information is a central element of HIPAA. Because of possible abuses, it's crucial to identify those who seek patient records and send them only what they must have.

HIPAA permits 14 different forms of disclosures; after April 13, each must be accounted for properly. Under the act and in certain circumstances, a patient can request a record of every time his or her data was released to anyone in the past six years. To help track and report such disclosures, TriCare is seeking another Web-based tool that can be readily and easily adapted to our current system.