Follow five rules to make your HIPAA training program shine

CLICK to Email
CLICK for Print Version

When Community Health and Counseling Services (CHCS) assigned her the title of chief privacy officer in 2003, Rhonda Edgecomb, RHIT, CHP, welcomed several additional responsibilities.

Among them was the daunting task of training more than 1,000 employees at more than 40 offices across Maine from the base office in Bangor. Overnight, Edgecomb morphed into what she calls “the HIPAA Queen”—ruler of all things related to privacy and security.

But what she didn’t realize was that she’d also have to become Billy Crystal or Robin Williams—a comedian talented enough to make the driest training material captivating.

“Let’s face it. I wasn’t given the greatest material to work with,” Edgecomb says. “I had to get creative and make legal language interesting somehow.”

Five years later, Edgecomb believes her laid-back, humorous training presentation, “HIPAA Privacy Simplified,” has helped her organization manage the demands of HIPAA and other state and federal laws governing the maintenance and control of healthcare information.

The HIPAA road show

Protecting privacy and security is a serious matter, but Edgecomb knew right away that serious isn’t always attention-grabbing. So in 2003, the HIPAA Queen took off on a road trip to many of the CHCS sites from Central Maine to the Canadian border.

“I affectionately referred to it as ‘the HIPAA road show,’ ” Edgecomb says.

It was through the road show that Edgecomb conducted initial training of all staff members.

But her goal wasn’t simply to recite the rules; it was to explain the rules in such an articulate, down-to-earth manner that the finer points of HIPAA law would resonate with staff members.

Before each training session, Edgecomb lays out the “royal” rules for the attendees, including general etiquette requests (e.g., pagers and cells phones must be off and sidebar conversations aren’t allowed).

Next comes the rules that she has created for her own presentation style.

1. Make them laugh. A joke here and there keeps staff members awake and alert. “The material can be so boring that you need to use humor,” Edgecomb says.

2. Make it interactive. Edgecomb understands that in this field, everyone has a tale to tell.

“Always leave time for people to give examples of inappropriate disclosures of patient care,” she says. “Everyone has his or her own relevant story to tell, so I try to keep it interactive. It’s important for people to participate.”

Staff members will have trouble focusing when someone is simply lecturing them, especially about a topic as mundane as HIPAA, so make your training more of a discussion.

3. Use lots of examples. Don’t be afraid to use pop culture or some other strategy to engage the audience and make your point at the same time.

“I try to use examples of episodes of sitcoms I know people have seen,” says Edgecomb. “Like the Seinfeld episode when Elaine has the rash and sought the assistance of her family physician for relief.”

In that episode, Elaine grows increasingly concerned about a medical record entry made by her physician that labels her as a “difficult” patient.

For the remainder of the episode, Elaine becomes obsessed with the need to delete the entry and even recruits Kramer to pose as a physician to steal the entire medical record.

Edgecomb explains that under the HIPAA privacy rule, Elaine would not only hold the right to request access to the medical record, but that she would also have the opportunity to request an amendment to the entry that she found so disturbing.

“It’s all about making them remember the main points of my presentation,” she says. “If I can do that through laughter, that’s the route I’d prefer to take.”

4. Be entertaining. Like a live entertainer, Edgecomb has good performances and bad ones.

“Sometimes, I can really tell that I am engaging them. But some are tougher audiences than others,” she says. “I truly feel that I am a stand-up comedian. You have to modify your examples sometimes to get their attention. You have to be adaptable.”

5. Don’t forget the HIPAA oath. The oath asks staff members to agree to take on protecting privacy and security as a part of patient care, Edgecomb explains.

“It doesn’t start and end with direct contact with patients,” she says. “It lasts until even after you leave the organization.”

Since CHCS is a behavioral health organization in a small community, staff members often run into patients outside of work.

“We are seeing people in the middle of the ER, or at bus stations, or sometimes on top of a bridge when they are threatening suicide,” she says. “Our work environment is a little more challenging than most.”

Since CHCS services include behavioral health and provide the majority of services in the actual community or patient home, its privacy challenges are even more complex.

“HIPAA standards are acute-care focused in nature; they don’t generally account for the person who is being seen at a bus station, homeless shelter, or even in their own home,” Edgecomb says. “Our service environment is very unique, and staff need to be educated enough to know how to handle the real-world situations that they can expect to encounter day to day.”

The reviews are in

Following their initial training, staff members raved. Many said they didn’t expect to laugh so much or be as engaged when they reluctantly sat down for a mandatory two-hour HIPAA training session, Edgecomb says.

“It’s my firm belief that when you are laughing and having a good time, you are going to learn better,” she says. “So if you are entertaining the people, they are going to retain things better.”

But it’s not entirely about exchanging information and educating staff members, because scenarios with gray areas will inevitably pop up. That’s when you need to trust that you have provided your staff with the tools to make the right decisions.

Edgecomb says she feels she has succeeded in becoming not just the recognized expert, but a friendly, approachable one too. “I believe it’s important to not only be an expert, but be visible,” she says. “People are not going to come to you and ask you for advice unless they know you and can talk to you.”

Edgecomb also wants staff members to feel comfortable asking questions ahead of time. “Ideally, you really want them to ask the question before the risk arises,” she says. “It’s always easier to prevent the fire than to put it out.”

Constant reminders make compliance a reality

In a perfect world, Edgecomb would take the HIPAA presentation on the road more often, perhaps annually.

But with gas prices on the rise, many miles between offices, and because additional training is only required by the privacy rule when a substantial change is made, she addresses ongoing education and monitoring in a different manner.

“I send out friendly e-mails reminding them of common areas that are overlooked in terms of privacy; just a ‘thought for the day,’ ” she says.

Because CHCS is so decentralized, Edgecomb’s office is far away from many of the clinicians in her healthcare system. So Edgecomb invites herself to management meetings, gets on the agenda, and reminds people that HIPAA is a part of patient care, as well as federal laws.

“Those are the only ways to consistently stay in contact with them,” she says. “As long as CHCS continues to foster a strong HIPAA environment, I don’t anticipate any problems.”

Insider source

Rhonda Edgecomb, RHIT, CHP, chief privacy officer, Community Health and Counseling Services, Bangor, ME, 207/947-0366, Ext. 5606;

HIPAA online library

The following are five great reasons to check out HCPro’s new online library for HIPAA training:

  • It’s role-based
  • It’s built on experience
  • It’s customizable
  • It’s portable
  • It’s blended learning

Visit for more information.