Wednesday, September 28, 2011

Gamification: Using Game Mechanics To Enhance ELearning

Maybe you've heard of the term "gamification," and perhaps you're wondering what it is and how it can be applied to eLearning. In short, gamification is the use of gameplay mechanics for non-game applications. Almost as important as a definition of what it is, is a definition of what it's not. Gamification is not the inclusion of stand-alone games in eLearning (or whatever gamification is being applied to). It also has very little to do with art styles, themes, or the application of narrative. Rather, game mechanics are the construct of rules that encourage users to explore and learn the properties of their possibility space through the use of feedback mechanisms. With gamification, these "possibility spaces" have been expanded beyond just games into other areas like marketing, education, the workplace, social media, philanthropy, and the Web, just to name a few. As a game designer now making eLearning software, I've found that much of what is used to build engagement in games can also be applied to other interactive material such as eLearning.

In the 15 years I've been making video games, a frequently discussed topic in the game industry has been ways to engage users, a theme that I've found is enthusiastically discussed in the eLearning space. Since the primary reason to apply gamification to eLearning is to engage learners, the focus of this article is on describing gameplay mechanics that have been proven to be engaging.

What is Engagement?

First though, let's talk about engagement in a general sense. For our purposes, I am defining engagement as simply "occupying the attention or efforts of a person." This seems pretty straightforward, but I think a more pertinent question is, when does engagement occur? I first heard this specific question addressed in Tom Chatfield's TED talk on "," where he states that engagement occurs when the brain is rewarded, and that for something to be perceived as rewarding, it must evoke positive emotions in a person. Essentially, there are two components to the perception of something being rewarding: wanting and liking. Without both wanting and liking, people won't find something rewarding. For instance, if somebody wants a job, but doesn't like it, they won't find it rewarding. Conversely, when somebody gets to a point where they are willing to admit that their addictive behaviors are problematic, they are at a point where they like the effect of the addictive substance or behavior, but they no longer want it. An addict will always like whatever they are addicted to, but when they can acknowledge it as an addiction, they will often struggle with wanting it, and therefore, no longer find the addictive substance or behavior to be rewarding. , a University of Michigan neuroscientist, has studied this concept of wanting and liking being necessary components of a rewarding perception. In fact, he has found that wanting and liking occur in two separate parts of the brain, and he is looking for ways to utilize this in the treatment of addictions. So, for the purposes of developing engaging eLearning, we need to look at how we are rewarding our learners' brains by giving them compelling reasons to want the material, and to work on developing systems that they will like.

If we are going to focus on developing software that our users want and like, it's essential that we know and understand our audience, not just the subject matter. I would suggest that you research the brands, hobbies, and media (television, films, games, websites, etc.) that your target audience enjoys. This should give you a better idea of the aesthetics and interactions that your learners like and want. In addition, if you are designing material that is branded, make sure that you don't stray from the brand's identity and that you also become familiar with the brand's target audience if it's different than the demographic of the end user. These brands have spent a lot of time and money tailoring an image, and you should respect it.

Let's get to some specific game mechanics that can help to make your eLearning more engaging.

Setting Goals and Objectives

This topic covers the overall structure of an interactive product, rather than individual achievements that learners can earn (rewards are discussed later in this article). Games are generally structured so that players have various "layers" of goals. That is, they have the long-term goal of completing the game, the medium-term goal of completing the levels in the game, and the short-term goal of completing the missions in the levels. (Sometimes these missions are even broken up further into additional tasks.) Generally, the requirements of each goal "layer" in a game get increasingly harder as you move from short-term to long-term goals. That is, the final challenge in a game (sometimes called the "boss battles") will always be harder than the short-term missions. This allows players in games to learn and practice skills, prior to having to demonstrate mastery of those skills in the most challenging parts of the game.

Similarly, when designing eLearning material to minimize cognitive fatigue, instructional designers should break up their products into short-term, medium-term, and long-term goals. For instance, before completing a course learners must complete several modules. To complete a module, several topics must be completed. In order to complete a topic, several objectives must be finished. And finally, each objective requires several goals to be completed. Structuring your eLearning this way allows users to learn new skills incrementally, and then practice those skills before demonstrating mastery of those skills in assessment exercises. This increases the likelihood that learners will remain in the "flow" state Mihaly Csikszentmihalyi describes in his book Flow: The Psychology of Optimal Experience.

If your eLearning material is set up for your users to navigate through it linearly, you could visualize your goal structure this way (see Figure 1):

Figure 1: Linear Flow of Goals. (Adapted from an illustration by Sebastian Deterding)

With the exception of casual games, most modern games follow a nonlinear progression. Casual games, such as Angry Birds or Plants vs. Zombies (PvZ), are typically distinguished by simple rules and a lack of required commitment. Nonlinear progression gives the player choices in how they proceed through the game. In many cases, these games are set up in what's called a "hub" system. The reason for this name is that, if you imagine a wagon wheel, the center, or hub (sometimes referred to as the overworld, a carryover from "dungeon crawlers" like Diablo where players emerged from underground to access other dungeons), represents the area from which all other areas are accessed. The spokes of the wagon wheel represent the connections to all other areas. In some cases, the areas represented on the rim of the wheel can be used to access other adjacent areas. In some games, if players progress from area to area around the "rim" of the wheel, rather than returning to the "hub" between areas, the experience can actually feel rather linear. You could visualize this type of nonlinear structure this way (see Figure 2):

Figure 2: Nonlinear Goal Progression

In the preceding illustration (Figure 2), any of the solid lines could be eliminated, as long as there is some other line connecting to a point.

Giving your learner choices by designing nonlinear eLearning can help engage your user. However, you'll need to be aware that designing software that allows for this type of flexibility drastically adds to the complexity of the development.

I mentioned "flow" state earlier. Below is the diagram commonly used to illustrate this (see Figure 3):

Figure 3: Flow Channel

Essentially, as the challenge of an experience rises, the skill of the participant must also grow in direct proportion. If a user's skill exceeds the challenge of the experience, they will become bored. And, if the challenge exceeds the participant's skill, they will suffer anxiety. In the graph, an optimal user experience is illustrated in the "Flow Channel" as the squiggly line. This line demonstrates the experience described above where a user is challenged to a high degree with new experiences, and then given an opportunity to demonstrate and master the skill of that experience, before being given a completely new challenge to conquer.

In games, the flow channel of the game challenges could be illustrated this way (see Figure 4):

Figure 4: Flow Channel for Games

Generally in games, players are given goals and objectives that get increasingly more difficult as they approach a boss battle (analogous to a test), which occurs at the end of a level (similar to a module or section in eLearning). The challenge of the boss battle is almost always higher than any of the challenges presented prior to it. After a boss battle, the challenge of the goals and objectives that the player is given doesn't ramp up; rather, the player is given the opportunity to master their skills before the challenge ramps up again prior to the next boss battle. This keeps the player in the flow channel, thus engaging them in the experience.

With eLearning, the structure of challenges needs to be different than in games.

Figure 5: Flow Channel for eLearning

With learning, the challenge is ramped up immediately after an assessment with the introduction of new material. The learner is presented with new material, which gets increasingly more complex. They are then given a chance to master those new challenges as their skills increase, and after that they are given an assessment that demonstrates the knowledge of that material.

Provide Frequent Feedback

Have you ever used an interactive product, be it eLearning, a game, or a website, and felt lost or confused? It happens to everybody, and it's really frustrating. Maybe you are asked to recall some information that you swear you were never told (or, that you were previously told and you've just forgotten), and you don't even know where to look to find it. Perhaps you didn't know how to progress; you don't know what to do, where to go, or you simply can't find a UI item like a button. Or, maybe you find out that there's an assumption that you need some prerequisite knowledge or experience to even understand the basic principles of what you're doing, and you had no idea you needed this, and you have no idea where to get that knowledge or experience.

As a designer, your job is to make your users feel smart or clever. Especially if what you're designing is a learning exercise. If a learner feels lost or confused, you're essentially telling them that they're stupid, and you're not doing your job as a designer.

With navigation, users should know exactly what they need to do next, or what options they have available to them at any given moment in an eLearning product. When you're looking at the screen at any point in your product, take a moment to ask yourself, "If my learner walked away from their computer for several hours, would they know what to do when they returned?" If you look at your eLearning navigation in this light, it's a little easier to find systems that keep your user informed of what to do.

To support information transference, provide links back to essential information previously referenced in your learning or links to supplemental material that is prerequisite knowledge for the current learning. During assessments, explain why answers are correct or incorrect, or provide links to where the appropriate information can be found. Never just say, "That's wrong. Try again."

Measure Progress

An important part of providing feedback to users in games or eLearning is to let them know how much progress they've made. There are many ways to represent this, but the most effective are always represented graphically. Use progress bars instead of percentages or fractions, and feel free to get creative with the visual representation of the bar. For instance, you could use an outline of a head, and as you complete the eLearning exercises, the outline fills in with a graphic of a brain.

It's also important to measure progress at multiple levels. If your eLearning course consists of several modules, and within each module there are several topics, show progress at each of these levels. This can even be done in the same progress bar. For instance, if your course has five modules, you could initially show five star outlines to represent incomplete modules. As the learner completes the topics in each module, the star representing the current module would begin to fill up to a solid color. That way, you're showing progress within the module with each star, and total progress in the course with each filled star.

Something to note on progress bars: you don't necessarily need to display them continuously. In fact, if you show them only when progress is made (when the progress bar changes) the learner's advancement through your eLearning can feel more like a reward (especially if it's displayed with some fanfare), and ultimately the progress bar is more effective. However, if you do this, users should be able to access the progress bar somewhere at any time (perhaps in a top-level, or pause menu).

Character Upgrades

One of the most effective ways to show progress in games is through character upgrades. Look at the characters below (see Figure 6), and it's pretty easy to see the general progress that a player would make with these characters.

Figure 6: Character Upgrades (Image courtesy of Mike Henry of Big Menace Industries.)

For now, this isn't as easy to replicate in eLearning, though I'm hoping someday we'll have better tools to take advantage of this powerful measure of progress. I like to use virtual coaches in eLearning. So, I'd love to have a system that allows learners to earn new virtual coach characters, outfits, and accessories, after completing sections or modules; and they are also given the option to choose the virtual coach that is used in their eLearning along with the option to dress that coach. This character upgrade scenario sets up the basis for a system where users are given virtual goods and characters that they want, and they get to change them in the way they like, which as stated at the beginning of this article are the main components of rewards that engage learners. I believe this system would tap into our natural instinct to collect stuff, and would be an effective motivator to engage learners.

Reward Effort (not just success)

Earlier I suggested highlighting progress bars whenever the learner advances through your eLearning—this is a type of reward. Even though it takes no extraordinary effort on the part of the user to make progress, people generally want to be acknowledged for their work. And if it's presented in a way which is interesting, your learners will feel rewarded, and thus, engaged. One hundred small rewards are better than one big one. However, you should try to scale the reward in proportion to the effort, or risk, that it takes to get the reward. For instance, if you used an animated fireworks graphic to congratulate a learner for a perfect score on a test, you wouldn't want to use that same graphic to recognize that they entered their name into a text field. You may have noticed I also mentioned risk. If appropriate, allow your learners to take some risks, and reward them if they're willing to do so. For instance, if you provide some supplementary material, give your learner a special reward if they take the time to go through it.

Reward Schedules

When thinking about when and where to recognize your learner with rewards, use reward schedules to make sure you're giving them out consistently, and throughout your course. A reward schedule is the timeframe and delivery mechanism through which rewards (pop-ups, points, prizes, level-ups, etc.) are delivered. There are three main components in a reward schedule:

  • Prerequisite; what needs to occur to receive the reward

  • Response; the presentation of the reward

  • Reinforcer; the appropriate reward for the prerequisite (these are either momentary or persistent)

Within any game or eLearning course, multiple types of reward schedules can be utilized either throughout the product, or in limited parts. There are two primary types of reward schedules, Interval and Ratio.

Interval Reward Schedules. Rewards are given based on time. There are two types of interval reward schedules.

  • Fixed: Rewards are given at a fixed amount of time. Generally, this type results in a low level of engagement immediately after the reward that increases as the next reward approaches (e.g. the sunflowers produce sun pick-ups every 24 seconds in PvZ).

  • Variable: Rewards are given at different times; however these times are roughly in the same time period (e.g. the marigolds in PvZ produce a coin, either gold or silver, on average every 24 seconds, at variable time periods).

Ratio Reward Schedules. Rewards are given after a number of actions are completed. There are also two types of ratio reward schedules.

  • Fixed: Given after a set number of actions, including after every action (e.g. in PvZ every fifth level is a bonus level that unlocks a mini-game upon completion).

  • Variable: Given randomly, after roughly the same number of actions (e.g. in PvZ there's a slot machine that gives one of nine reward types each time it's used. For any individual reward, there is a random chance that you will get it on each use. However, each type of reward is weighted so it is given either commonly, uncommonly, or rarely).

As mentioned earlier, there are two general types of rewards: momentary and persistent. Momentary rewards are given immediately upon completing the prerequisite of the reward, and are not tracked. These can be as simple as popping up a "Great Job!" message, or could be as complex as elaborate animations or special effects. Persistent rewards are tracked over the entire product, or even over many products (i.e. courses or games). These rewards can be as simple as points, or can be more elaborate such as unlockable content, or collectable items. Currently, there is a trend to use collectible badges or achievements as a persistent reward. With persistent rewards, you can choose beforehand to show that these rewards are available to unlock, or you can choose to not show them ahead of time. Likewise, if you decide to show which persistent rewards are available to earn, you can either show what is required to unlock the reward, or you can merely let the user learn that there is a reward to earn, but not specify what it takes to get it.

Peer Motivation

From the dawn of mankind, perhaps the most effective motivator known to us is the approval of our fellows. I believe the overwhelming success and influence of social media in our modern-day society speaks volumes of the power that other people's opinions have on our lives, especially when these people are those we respect. Certainly, those that have reaped the success of social media games understand the power of peer motivation. People naturally feel a sense of obligation to their friends and colleagues; if you spend any time on Facebook, you have surely received a Farmville request. And, the makers of social media games have based their entire business on this powerful motivating force.

There are many ways that you could use your learner's peers to motivate your users. Try setting up a closed or private Facebook group and start a community between users of your product. If you'd prefer not to use Facebook, and all of your users have a common email extension, set up a Yammer group. Get your users talking to one another, and give them a common goal or reward; especially if that reward is predicated on group participation, you'll find that your learners will participate.

I mentioned earlier the trend to use achievements and badges. If you decide to use these persistent rewards, I'd suggest you allow your learner's peers to see when they collect these rewards. These types of extrinsic rewards are much more effective if people can use them for bragging rights, rather than just having some extra trophy graphic that nobody else will see.

Other Suggestions

The following are additional suggestions to improve your eLearning that I've drawn from my experience as a game designer, though they aren't specifically game mechanics.

Have a Hook. Something that we talk a lot about in the game industry when talking about game concepts is "the hook." That is, the most compelling and unique aspect of your game that can be summed up in less than a paragraph (in most instances, a single sentence). In the game industry, developing the hook is often the very first thing that a designer does in conceiving a game. What's important about this, and how it relates to eLearning, is that you should know what will make your eLearning engaging, before you ever begin production of it, or for that matter, before you even design it. Spend some time putting together an "elevator pitch." That is, a short statement or summary of your eLearning material that outlines all of the high-level features of it, and specifically, what will make it engaging.

Improve Your Presentation. At times, I'm shocked by how some in the eLearning industry think that presentation and art are so unimportant. There are many sources of good creative-commons and royalty-free artwork. However, hiring somebody to produce good quality custom art doesn't need to cost a lot, and the results are often much better. You can hire an agency, but you will pay a lot of overhead. So, I'd suggest working directly with an artist. Most digital artists have a page on where you can register for a free account and find an artist that matches a style your target audience will like. Generally, it's fine to contact these artists through their page and ask them if they are available to do some work. Another good source of cheap artwork is the university art and design programs.

When contracting with an artist, make sure you ask to see a portfolio. You need to make sure that the artist is capable of creating art in the same style that your target audience will like. Each artist has their own style, and it is rare to find an artist that can work well in multiple styles. So, don't assume that just because they've created some great artwork in one style, that they'll be able to create custom work with an entirely different look. Also, if you do hire an artist, you should ask to sign-off on their work incrementally. You should be checking their work early and often, so you can make changes early. Once an artist gets to the late stages of their work, it's difficult or impossible to make changes.

Paper Test. Very often in designing games, developers will mock up entire sections of the game on paper. There are many ways that we put pencil to paper to test our games: drawing out maps, checking line of sight with rulers, testing enemy placement and movement, or using dice as random number generators to calculate possible damage scenarios. These are just a few examples of how we test game systems on paper, but one of the most common, and most directly applicable to eLearning design, is paper testing interface design.

When you sit down to design the interface for your eLearning material, sketch out several different design layouts. Take those UI sketches to people in your target audience, and talk them through your eLearning product, asking them to touch your screen mock-ups anytime that you'd require user input. When you do this, pay attention to how long it takes them to make the correct input, and watch their eyes to see where they look first on your screen mockups.

Test Early and Often. Whether you decide to begin your design on paper, or directly on the computer, always test your eLearning as early as possible. Don't make assumptions about how your target audience will use your product; get it in front of them, watch them use it (with no guidance from you), and have them document the experience. Some of the most effective testing I've seen involves putting a member of the target audience in a room alone with a webcam aimed at the tester's face, and another aimed at the keyboard and mouse, accompanied by a screen capture of all input. This gives you a true perspective on how your users interact with your product, and it captures their emotional state as they use it so you can tell whether they actually like it (as opposed to just telling you if they like it). Plus, it takes away the temptation to guide them through frustrating parts.

Another important part of testing is that when you fix a problem, it's really important that you retest it to see if you've actually fixed the problem, and also whether you've introduced new problems. As obvious as this seems, it's incredible how often we'll let something slide under the assumption that the problem has already been addressed.


Hopefully you've found some of these suggestions useful. There are many other ways that game mechanics can be used to enhance eLearning, though I think the suggestions in this article are the most important, and are general enough that they can benefit most eLearning material.

About the Author

Since 2008, Rick Raymer has been designing and managing the production of eLearning software, games, and simulations for the North Carolina Community College System's BioNetwork organization. BioNetwork provides workforce training and education to the biotechnology, pharmaceutical and life science industries. Raymer has designed videogames professionally since 1996; and has produced more than 40 games with titles on every major gaming platform including consoles, PCs, handheld devices, and mobile phones. Before entering the game industry, he created computer animations for engineering, marketing, and training purposes. Raymer has a degree in Industrial Design.

Wednesday, September 21, 2011

HIPAA vs The Cloud

HIPAA compliance: the objective behind it

Keeping each person’s individual health record protected is critically important, and this is what HIPAA security compliance ensures: it aims to protect an individual’s information that is obtained, created, used and maintained electronically at a specific healthcare unit or hospital. As a result of this rule, the healthcare unit is responsible for taking every measure to keep this information confidential, secure, reliable and free from any electronic interference. But healthcare units usually find it tough to meet the expectations of this security rule, and abiding by its directives requires a more technical approach.

Healthcare unit’s responsibility in ensuring HIPAA security compliance

Under HIPAA security compliance, each of the three aspects, namely administrative, technical and physical, has to be addressed through implementation specifications. These specifications set out the modus operandi for meeting the three aspects. A healthcare unit or hospital has to either implement a security measure to achieve this objective, execute the given implementation specifications, or put neither of the two into practice. But as part of HIPAA compliance, the body has to document whichever choice it makes, and this document should additionally include the basis of the evaluation on which the decision was reached. The outcome of all this is a visible challenge for IT professionals working in the health sector.

Shouldering HIPAA compliance responsibility with cloud computing vendor

Unsurprisingly, the emergence of cloud computing looked set to ease the situation, but it calls for caution, given that an outside agency, the cloud-providing associate, is involved besides the healthcare unit. Because of this vendor-client partnership, the ultimate responsibility to abide by HIPAA compliance, which rests with the healthcare unit, gets pooled with the vendor, since implementation is carried out at the vendor end. Thus, there is much room for sensitive information to leak at the remote location where the cloud model has been set up. In this situation, the healthcare unit will have to adhere to all the security aspects and implementation specifications discussed above, so as to satisfy the HIPAA security rule. In the process, the healthcare unit will have to extend its involvement and control to the cloud computing associate’s location in terms of integrity, encryption, data transfer and management, etc., which it earlier left up to the business associate due to contractual limitations or budget constraints.

Documentation of roles

Obviously, this gives the healthcare unit an opportunity to allot equal responsibility to its cloud computing business associate and keep it under scrutiny, so that HIPAA compliance is not just the healthcare unit’s liability but just as much the vendor’s accountability. The healthcare unit’s documented modus operandi can include the extent to which it has involved the vendor, and it can also ask the vendor to document its procedures and practices in following the technical requirements and HIPAA compliance as a whole.

While cloud computing can be the technical answer for healthcare IT professionals to successfully satisfy HIPAA security compliance, healthcare organisations can ensure strict adherence to HIPAA rules by sharing equal responsibility with their cloud computing business associates.

About emPower eLearning

emPower is a leading provider of comprehensive Healthcare Compliance Solutions through a Learning Management System (LMS). Its mission is to provide innovative security solutions to enable compliance with applicable laws and regulations and maximize business performance. emPower provides a range of courses to manage compliance required by regulatory bodies such as OSHA, HIPAA, Joint Commission and Red Flag Rule. Apart from this, emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Its Learning Management System (LMS) allows students to retrieve all the courses 24/7/365 by accessing the portal. The emPower e-learning training program is an interactive mode of learning that guides students to progress at their own pace.


Tuesday, September 20, 2011

SeaWorld trainers' safety questioned by OSHA during hearing

A weeklong hearing that could determine the future of SeaWorld Parks & Entertainment's world-famous killer-whale shows opened Monday with lawyers for the federal government arguing that the company's animal trainers cannot work safely while in close contact with the world's largest ocean predator.

"Killer whales are large, powerful and non-domesticated animals. They have the potential to cause serious physical harm or death to people who get near them," John Black, a U.S. Department of Labor attorney, said during opening arguments in the case, which pits SeaWorld against the department's Occupational Safety and Health Administration.

"SeaWorld's killer-whale training program doesn't change the essential facts that harm or death to people is possible," Black said. "Their program doesn't eliminate what SeaWorld itself recognizes as a calculated risk."

SeaWorld countered that the tragedy that triggered the case — the Feb. 24, 2010, death of SeaWorld Orlando trainer Dawn Brancheau, who was pulled underwater and killed by a six-ton killer whale named Tilikum — was an isolated tragedy. SeaWorld said Tilikum, who was involved in two human deaths before Brancheau's, had never before given any indication that he would attempt to pull someone into his tank.

SeaWorld lawyers argued that prohibiting trainers from ever again swimming with killer whales would undermine the company's ability to care for the animals. A top company official even testified that a whale that died last fall of an illness might have been saved if trainers had been working in the water with the animal, as they had done for many years before.

Brancheau's death "was a truly unfortunate event. It was a life-changing event to many people. It affected SeaWorld deeply," said Carla Gunnin, a lawyer representing SeaWorld. "But I think the bigger issue is the efforts that SeaWorld had made prior to that time to ensure trainer safety."

At issue is a citation issued by OSHA Compliance after a six-month investigation into Brancheau's death. In it, the agency accuses SeaWorld of committing a willful safety violation for not adequately protecting its killer-whale trainers. More significantly, the agency recommends trainers never again have close contact with the animals without a physical barrier or an equivalent level of protection — something that could effectively make it impossible for trainers to return to what SeaWorld calls "water work."

SeaWorld is challenging OSHA's findings before an administrative-law judge. The hearing in Sanford is expected to last all week.

Only one witness was called Monday: Kelly Flaherty Clark, curator of animal training at SeaWorld Orlando. A veteran manager in charge of all animal-training operations at the Central Florida marine park, Flaherty spent more than four hours under questioning, including direct queries from Judge Ken S. Welsch, who is overseeing the proceedings.

Much of the day's back-and-forth centered on how SeaWorld's killer-whale trainers themselves are trained. Trainers are taught to recognize aberrant behavior, or "precursors," from the whales that might indicate a potentially dangerous situation is coming — and they are expected to react accordingly.

OSHA, which noted that trainers are required to sign a quasi-waiver recognizing the inherent risk of working with killer whales, called it a woefully thin line of defense.

"SeaWorld trains its trainers how to recognize and how to avoid potential risk. And then, in effect, it tells them, 'Be careful,'" Black said.

Black argued that the approach leaves "gaps" through which trainers are exposed to danger. They might, for instance, fail to observe a negative precursor or they might make a mistake while reacting to it in real time. The agency also argued that trainers could be hurt without any warning at all.

"Harm could happen even if the trainer doesn't make a behavioral judgment error, right?" Black asked Flaherty Clark at one point.

"Yes," Flaherty Clark responded.

But SeaWorld said its training protocols were far more sophisticated than implied by OSHA. Flaherty Clark said all killer-whale trainers undergo 18 months to two years of training before they come into close contact with a whale, which she defined as within five feet. They also train at least three years before they directly interact with the animals.

The company noted that multiple trainers are involved in every interaction — including a "control trainer" working directly with the animal and a "spotter trainer" observing the entire interaction and acting as a second set of eyes for negative precursors. It said the whales themselves also undergo training to encourage desirable and safe behaviors, which it said goes "hand-in-hand" with the instructions given to the trainers.

The company didn't dispute that there are risks inherent to a killer-whale trainer's job. But it said mistakes are rare.

"The frequency of a trainer making a bad call or missing a behavioral cue is minimal," Flaherty Clark said. "In 25 years, I've reviewed one behavioral incident that did not show something that I would have done differently, that there weren't behavioral cues."

That one incident, Flaherty Clark said, was Brancheau's death.

Tilikum had been involved in two other human deaths before Brancheau was killed: the 1991 killing of a trainer at a British Columbia facility, and the 1999 killing of a man who sneaked into SeaWorld Orlando's killer-whale enclosure after hours. As a result, the company had developed a separate set of protocols for working with the animal, which included prohibiting anyone from getting in the water with him.

But trainers were allowed to work with Tilikum from shallow underwater ledges built into the sides of the park's pools — as Brancheau was doing when she was pulled into the water.

"Tilikum had never given us any indication that he would pull somebody into the water with him," Flaherty Clark said.

Another important point of contention that emerged Monday was whether OSHA's recommendation that trainers be protected at all times by a physical barrier should apply only to their work during public performances or at all times.

OSHA said its citation applies only to work during performances. But SeaWorld said it is impossible to draw a line between show behaviors and other behaviors, because so much of the work overlaps. Flaherty Clark noted that trainers will often use performances to continue training whales on specific behaviors that are necessary for certain husbandry procedures, such as obtaining gastric samples.

It's a crucial point, because SeaWorld can better argue that OSHA's recommendations are untenable if it can show that they would interfere with medical procedures or other husbandry work.

The concern about the effect on husbandry led to one of the day's most surprising claims: Flaherty Clark testified that she thinks a whale that died of an illness last year might have been saved if trainers had been working with the animal in the water. She said trainers might then have noticed sluggishness or other aberrant behavior in the whale, a 25-year-old female named Kalina, even before it was diagnosed by veterinarians and before it had progressed to a point beyond saving the animal.

"We would have picked up on it if we'd been in the water with her," said Flaherty Clark, who choked up while discussing the whale. "I think we might not have lost Kalina if we were able to be as close with her today as we were on Feb. 23rd."

Future of Obama education program cloudy

Two years ago, Race to the Top, the Obama administration's signature education policy, was just a line in the massive federal stimulus bill. Now applications have been issued for the third round of the sweepstakes program, which has begun to establish itself as the nation's de facto model for how students should learn and teachers should teach.

But after a lengthy planning process in legislatures around the country, many states only now are implementing the changes that won them money in the program's first two rounds, and not everyone is happy with the results.

The program — in which states vie with one another for tens of millions of dollars in education grants — has faced criticism from teachers unions and state governments for its competitive nature and tight deadlines, as well as arguments that it amounts to federal interference in education policy.

One state, South Carolina, which was a finalist in the first two rounds of the program, decided in May that it no longer would participate because state education officials opposed a top-down approach to education from Washington.

Jay Ragley, the director for legislative and public affairs for state education superintendent Mick Zais, said that while state officials supported many of Race to the Top's goals, they'd prefer change to be initiated at the state level.

Zais' "reason for not participating was because there are strings attached to programs for federal money," Ragley said. "And you must continue funding them after they run out."

Ragley said officials didn't want to start new programs that they'd have to shut down if they lost funding down the road.

In July 2009, Congress created Race to the Top as a way to inspire states to propose education revisions with the promise of millions of dollars in prize money. Education Secretary Arne Duncan's program was meant to be a short-term boost of revenue, which was why the Obama administration included the money — $4.35 billion — as part of the $787 billion stimulus package known as the American Recovery and Reinvestment Act of 2009.

Duncan argued that investing in education would stimulate the economy by promoting long-term productivity. However, it was a long-term concept tucked into a stimulus package that was expected to produce immediate results.

There were four basic ideas: better preparing students for college, creating measurements for student and teacher improvement, recruiting the most effective teachers and reforming underperforming schools.

"Not every state will win and not every school district will be happy with the results," Obama said at the time. "But America's children, America's economy and America itself will be better for it."

Forty states and the District of Columbia applied for grant money in the program's first phase. In March 2010, the administration announced the first two recipients: Tennessee, which won $500 million, and Delaware, which was granted $100 million, to carry out aggressive revisions over the next four years.

The two states just now are pushing past the planning stages and rolling out new programs. It's been more than a year since the announcement of a second group of winners, totaling another $3.3 billion in grants. And with the stimulus funds having been spent, there's no more money envisioned for the program.

Saturday, September 17, 2011

Patients get direct access to lab results under government proposal

Patients across the country would be able to obtain their lab results directly from laboratories under new regulations proposed by the Department of Health and Human Services (HHS). The enhanced access to test results is designed to bypass laws in several states that require patients to get the data from their physicians.

The proposed rules would amend the patient privacy provisions of the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under CLIA, labs may release results to the treating provider, the referring lab, and "authorized persons," as defined by state law. The new amendment explicitly states that the patient is an authorized person under federal law.

"We believe that the advent of certain health reform concepts [for example, individualized medicine and an individual's active involvement in his or her own healthcare] would be best served by revisiting the CLIA limitations on the disclosure of laboratory test results," the notice of proposed rulemaking states.

The HIPAA privacy rule also impedes the ability of individuals to obtain their own test results. To avoid conflict with the CLIA rules, the HIPAA law granted CLIA labs an exception to the right that HIPAA confers on patients to access their own medical records. The new proposal would rescind that exemption.

HHS Secretary Kathleen Sebelius announced the proposed lab regulations Monday as part of a patient "empowerment" package that, according to the Secretary, will lead to better health and healthcare.

"When it comes to healthcare, information is power," Sebelius said. "When patients have their lab results, they are more likely to ask the right questions, make better decisions and receive better care."

Left unanswered was the question of how physicians feel about their patients being able to see lab results before they do. Many doctors prefer to view the results first so they can present important ones to their patients in a meaningful way.

Also unveiled at the HHS press conference was a personal health record privacy notice. This creates "an easy-to-read, standardized template allowing consumers to compare and make informed decisions based on their privacy and security policies and data practices about PHR products," according to an HHS press release.

HHS has made consumer empowerment a cornerstone of its health IT policy. The Office of the National Coordinator for Health IT (ONC), an HHS agency, recently launched a new website that educates consumers about the benefits of health IT and provides health education materials.


Clinic says North Dakota Blues violate HIPAA law

Mid Dakota Clinic of Bismarck has opted out of a major initiative by Blue Cross Blue Shield of North Dakota that involves sharing patient records with an outside consultant and cites patient privacy concerns as the reason.

The program, MediQHome, is a “medical home” partnership between the health insurer and teams of medical providers aimed at better managing patients, especially those with chronic diseases, such as diabetes or asthma, to improve outcomes and reduce costs.

The initiative, which involves more than seven of every 10 primary care clinicians representing 75 percent of the North Dakota Blues’ members, requires providers to share patient information with an outside health quality consultant, MDdatacor, a firm located in suburban Atlanta.

Jeff Neuberger, the chief executive officer of Mid Dakota Clinic, said Friday that all patients should be contacted in advance to get their permission before their medical information is sent to a third party for review.

The clinic’s legal counsel, he said, concluded that failure to get individual patients’ express approval would violate a federal law protecting patient privacy, the Health Insurance Portability and Accountability Act, often called HIPAA.

“HIPAA doesn’t allow us to send information on everybody” without the patient’s permission, Neuberger said. “It’s very clear on that. We’ve said (to Blue Cross Blue Shield) you have no right to do that.”

The contract given to providers specifies they get “all appropriate” releases from patients, Neuberger said. But the contract language contradicts what Blue Cross Blue Shield executives have said about patient permission not being necessary, Neuberger said.

Representatives of Blue Cross Blue Shield of North Dakota said the information-sharing under the MediQHome program complies fully with HIPAA and protects patient privacy.

“We have remained 100 percent consistent with all providers that there is no requirement to receive permission from patients in order to participate in MediQHome,” Denise Kolpack, a Blue Cross Blue Shield vice president, said in a statement to The Forum, highlighting “no requirement” in bold to emphasize the point.

She went on to say, however, that the contract includes language to allow a provider to participate in the health quality program “even if that provider has their own, stricter requirements around patient permissions and authorizations.”

Most of the major medical providers in North Dakota participate in the MediQHome program, which began in 2009, including Sanford Health and Essentia Health in Fargo.

The top lawyer for Sanford Health said the initiative both helps to improve patient care and complies fully with federal privacy laws.

“The partnership with BCBSND is one example of efforts we are undertaking as a health care system to improve quality and reduce the cost of health care overall for all consumers in our service area,” said Paul Richard, Sanford’s chief legal officer.

“All releases of patient information to MDdatacor by Sanford Health are in compliance with HIPAA,” he added, including a section of the law he said supported his position.

Kevin Pitzer, chief administrative officer of Essentia Health in Fargo, said the health system’s standard release of information form, for both hospital and clinic patients, includes authorization to release information of the kind it sends to MDdatacor.

“We do get permission from patients to release that information,” he said, adding that Essentia consulted both with in-house and outside legal counsel before embarking on the MediQHome program two years ago.

Participating medical providers send data on all their patients to MDdatacor “to identify clinical opportunities for improved health care delivery to all their patients with chronic diseases,” said Dr. David Hanekom, chief medical officer for Blue Cross Blue Shield of North Dakota.

Dr. Robert Roswick, medical director of Mid Dakota Clinic and a family practice physician, said it is improper – and illegal – to send medical information from all patients to the health quality consultant without prior patient approval.

He offered himself as an example of what he views as a breach of patient confidentiality.

A private pilot, Roswick must get annual physical checkups to keep his license current. He gets his exam at Trinity Health in Minot, which participates in MediQHome.

Aware of that, and the program’s protocol calling for providers to share information for all Blue Cross Blue Shield of North Dakota patients, he asked Trinity if his medical records were sent to the outside health quality consultant, MDdatacor.

The answer Roswick received from Trinity, after writing several letters, was yes. Roswick, who said he had not given his approval to do so, said the release was inappropriate and illegal – especially considering he is not covered by Blue Cross Blue Shield and does not have a chronic medical condition.

“It’s a blatant HIPAA violation,” Roswick said, adding that he has filed a complaint with the federal government and is still waiting for a response.

A spokesman for Trinity Health declined to comment on Roswick’s complaint.

“Patient privacy is important to us, and we strive to comply with all regulations involving patient privacy,” said Randy Schwan, a Trinity vice president.

Mid Dakota Clinic’s Neuberger and Roswick said medical providers in North Dakota have strong financial incentives to participate in MediQHome and therefore to send information on their patients covered by Blue Cross Blue Shield of North Dakota to MDdatacor for analysis. MDdatacor could not be reached for comment Friday.

In response, Hanekom said BCBSND is revamping their reimbursements to providers in a broad ongoing effort to reward better quality of care.


New OSHA Directive Tackles Workplace Violence Concerns

In the last 15 years, deaths resulting from workplace violence have ranked among the top four causes of occupational fatalities in American workplaces. In response to this serious threat to worker safety, OSHA released a new compliance directive on Sept. 8 that offers procedures for agency staff who respond to workplace violence cases or complaints.

The directive, Enforcement Procedures for Investigating or Inspecting Incidents of Workplace Violence, also establishes procedures for conducting inspections in industries such as late-night retail workplaces and health care and social service settings, which may be at a higher risk of workplace violence. A new Web page that focuses on preventing workplace violence offers additional help to employers working to address workplace violence issues.

“Research has identified factors that may increase the risk of violence at worksites,” the directive states. “Such factors include working with the public or volatile, unstable people. Working alone or in isolated areas may also contribute to the potential for violence. Handling money and valuables, providing services and care, and working where alcohol is served may also impact the likelihood of violence. Additionally, time of day and location of work, such as working late at night or in areas with high crime rates, are also risk factors that should be considered when addressing issues of workplace violence.”

More than 3,000 people died from workplace homicide between 2006 and 2010, according to the Bureau of Labor Statistics (BLS). Additional BLS data indicate that an average of more than 15,000 nonfatal workplace injury cases was reported annually during this time.

Taking Precautions, Protecting Workers

A recent OSHA inspection of a Maine psychiatric hospital found more than 90 instances in which workers were assaulted on the job by patients from 2008 through 2010. OSHA cited the hospital for not providing its workers with adequate safeguards against workplace violence and proposed a fine of more than $6,000. The agency also has recently cited facilities in New York and Massachusetts where employees have been killed as a result of assaults.

“These incidents, and others like them, can be avoided or decreased if employers take appropriate precautions to protect their workers,” said OSHA Administrator Dr. David Michaels.

Studies by the National Institute for Occupational Safety and Health and other organizations show that employers who implement effective safety measures can reduce the incidence of workplace violence. These measures include training employees on workplace violence, encouraging employees to report assaults or threats and conducting workplace violence hazard analyses. Other methods, such as using entrance door detectors or buzzer systems in retail establishments and providing adequately trained staff, alarms and employee “safe rooms” for use during emergencies in health care settings, can help minimize risk.


Tuesday, September 13, 2011

Bolstering Security Education

By John Wagley

Many security managers say end-user education is a central part of IT security. More regulations are also requiring that organizations demonstrate that they’re conducting such training.

Increasingly, organizations are looking to automated, Web-based educational solutions. Pemco Insurance, located in Seattle, implemented a solution from the vendor Cosaint several years ago. Pemco wanted a way to bolster employee security education in a manner that would reduce administrative costs, says Marc Menninger, security manager. He also wanted a way to make security education easier and to have access to reports on education to show auditors, he says.

One reason Pemco chose Cosaint was its wealth of information security courses, which range from “mobile device security” and “information retention and destruction” to “avoiding identity theft.”

Most lessons are presented in easy-to-follow PowerPoint presentations, he says. Menninger also says he found Cosaint easy to use and relatively low-priced.

Setting up the solution mainly entailed creating a core Pemco information security module, Menninger says. During the implementation process, which involved taking Cosaint material and tailoring it towards Pemco’s policies and needs, Pemco received considerable assistance from the vendor, he says.

Much of the material was aimed at teaching employees to develop strong passwords and to avoid phishing e-mails, which can contain malicious links or attachments. One goal in creating and editing the new module was to make sure the material would be at a fairly high level, he says. At the same time, he didn’t want the lessons to be too onerous or time-consuming. Pemco didn’t have to install any software or browser plug-ins to use Cosaint, Menninger says.

Menninger e-mails employees to tell them they need to review and electronically sign the security policy module. Menninger can then track who has taken courses; the system automatically sends out reminder e-mails to employees who have yet to take them.

Menninger has been pleasantly surprised in recent years about how many employees have taken advantage of Cosaint’s numerous security courses, most of which Pemco makes optional.

Students can take a quiz after each lesson and then receive a certificate showing how well they scored. Menninger occasionally sees certificates displayed in employee work spaces, he says. Some employees may be particularly interested in security, he says, or may enjoy the challenge of the tests.

Educating users about the dangers of phishing messages may be one of Cosaint’s primary security benefits. Phishing security is heavily emphasized in Pemco’s security policy and in Cosaint’s available material.

Pemco has started using Cosaint for additional professional education in recent years, covering both security and nonsecurity related subjects. In one example, a manager wanted to educate certain staff about IT change-management procedures and policies, Menninger says. Working with Cosaint, Pemco developed an educational module that could be accessed along with other Cosaint lessons. “It worked out well for [the manager].”

The Web-based training system has reduced paperwork and administrative costs, including the need for in-person security training, Menninger says. In addition, automatically generated reports have created a convenient way to demonstrate Pemco’s training to auditors.

Many technological security solutions are far more expensive than what Cosaint offers, Menninger says. He adds that the product’s modest cost, breadth of material, and strong customer service help make it “one of the most economical security systems we have.”


Monday, September 12, 2011

Regulatory Healthcare Entities Look for HIPAA Compliance Improvements

As many healthcare providers begin using new technology to streamline practices, lower expenditure and improve efficiency, regulatory compliance procedures become more complex. In the healthcare industry, HIPAA compliance is among the most important standards to meet, and regulatory entities have recently increased audits and general contingency checks, Mlive reports.

According to the source, the U.S. Department of Health and Human Services published a self-evaluation resource in conjunction with the American Health Lawyers Association to aid directors of medical facilities and organizations.

Recovery audit contractors who inspect Medicare claims have been increasingly employed by the Centers for Medicare and Medicaid Services to broaden its audit capabilities and inspection policies, the source adds. This strengthening of auditing practices necessitates consistent and thorough checks of compliance practices and security policies.

Since the advent of HIPAA compliance (health care compliance) and its later counterpart, the HITECH Act, new technology such as cloud computing has assisted healthcare providers with tools to comply and receive incentives for implementation and proper use of electronic health records. According to the CMS, for example, the Medicare meaningful use program offers up to $44,000 to medical professionals who meet requirements.


Day-Long HIPAA Boot Camp Targets HIM Professionals

The 2011 annual convention of the American Health Information Management Association, Oct. 1-6 in Salt Lake City, features a series of in-depth post conference educational sessions on the 6th, including an eight-hour HIPAA Privacy and Security Boot Camp.

The camp is designed for health information management directors, other professionals with little or no privacy experience who are taking on a new role as a privacy officer or would like to, and existing privacy officers who want a better understanding of regulations and issues.

"I'm not going to assume they know too much," says Kelly McLendon, the presenter and founder of HIXperts, a Titusville, Fla.-based consultancy. "I'm not going to leave anyone behind, but at the same time will go beyond the basics."

McLendon will cover the tools of HIPAA privacy compliance, such as policy templates, spreadsheets and other forms for specific functions, such as cataloging records systems with protected health information. He'll cover expected requirements in a final omnibus HIPAA rule expected this year covering the privacy, security, breach notification and enforcement rules, and also cover privacy regulations from the HHS Substance Abuse and Mental Health Services Administration.

"This is a very deep view of HIPAA for HIM and privacy professionals, but we will start from the basics and make sure everyone understands from the ground up," McLendon says. More information on educational session 7004, "HIPAA Privacy and Security Boot Camp," which starts at 9:00 a.m., is available at


Wednesday, September 7, 2011

New round of US grants for education innovation

The federal government is trying to make it easier to apply for one of its grants for innovative ideas to improve education, but with budget cuts there's a lot less money to give away this year.

In 2010, the U.S. Department of Education gave out $650 million to 49 school districts, charter organizations, colleges, universities and other nonprofit organizations for entrepreneurial ideas with the potential of helping the nation's schools. This year, there's $150 million available for the second round of Investments in Innovation or i3 grants, the U.S. Department of Education announced Friday.

Nearly 1,700 groups applied for the 2010 grants, and Jim Shelton, assistant deputy secretary for innovation and improvement, is hoping for another flood of applications this summer. The department particularly wants to encourage innovation in rural education; science, technology, engineering and math learning; supporting effective teachers and principals; implementing high academic standards and quality tests, and turning around persistently low-performing schools.

"There's a tremendous pent-up demand in the field to share innovations that people feel have national implications," he said.

Grants of up to $25 million are being awarded for scaling up education programs with a proven track record; grants of up to $15 million for growing a program with emerging evidence of success; and grants of up to $3 million for developing promising ideas. In 2010, grants for the same categories were given in amounts up to $50 million, $30 million and $5 million.

The program could have been completely eliminated, but Congress apparently recognized the program's success at attracting creative ideas that could potentially benefit schools across the country, Shelton said.

"The kind of support this program got from the field made it an obvious choice," he said.

The department is offering pre-application workshops and has streamlined the process and the application form to encourage more applications. They are due in August and awards will be made before the end of the year. Finalists will be chosen by independent peer review panels.

Finalists will then have to get additional dollars from another source, such as the local or state government or foundation money, equal to 5-15 percent of the grant, depending on how much is awarded, before they will get a check from the federal government. In 2010, every finalist was able to get that matching money, thanks in part to a foundation-led online grant clearinghouse.

For the second round of grants, the government promises to pay special attention to grants that help rural children and schools. Some money went to rural-focused projects in 2010, but Shelton is hoping to increase the number of rural grants in 2011.

An example of a rural project that got an i3 grant last year was a consortium of 15 school districts in Appalachia working with the Niswonger Foundation of Greeneville, Tenn., to create a college-going culture by using technology to bring more college-prep curriculum to the districts, and helping some schools partner with community colleges to offer dual-credit classes.

The Search Institute in Minneapolis included four locations in Maine in its i3 project to help schools work on non-academic barriers to learning such as truancy and drug use.

Extra points will also be given to applications that focus on improving productivity or technology, help students with disabilities and limited English proficiency, focus on early learning or increase college access and success.

TEDxOrangeCoast - Rick Warren - The 8 Nations of Innovation

Monday, September 5, 2011

The Criticality of Risk Assessments: FISMA, HIPAA, and other regs

By Richard E. Mackey, Jr.
Dark Reading

One of the most important components in any security program is the risk assessment process. Regulations like FISMA, HIPAA, Red Flag Rules, and state privacy regulations require organizations to methodically assess risk and select security controls based on that assessment. The problem is that many organizations do not understand what it means to assess risk through a formal method. Worse yet, many IT people have a hard time understanding the practicality of formal assessments.

What is a formal risk assessment?

Formal risk assessments are processes that consider the value of the assets that are at risk, the business and technical threats to the assets, and the effectiveness of the business and technical controls that are designed to protect the asset. In the end, a risk assessment gives the organization an objective measure of the risk to an asset. The process forces the organization to acknowledge and accept the risk, eliminate the risk by terminating a business practice (e.g., stop offering access to the asset via the web), transfer the risk by outsourcing or insurance, or, more often than not, select additional, more effective business or technical controls to reduce the risk.

The benefits of formal risk assessments

Conducting formal assessments within a risk management program has a number of benefits.

Formal assessments:

  1. Require business and technical representatives to reason about risk in an objective, repeatable way
  2. Require consistent terminology and metrics to discuss and measure risk
  3. Justify funding for needed controls
  4. Identify controls that can be eliminated
  5. Provide documentation of threats that were considered and risks that were identified
  6. Require business and IT to acknowledge the responsibility for ownership of risk
  7. Require organizations to track risks and reassess them over time and as conditions change

Why are risk assessments so important in compliance?

There is a good reason for so many regulations to include a requirement for risk assessment. It is only sensible that a regulatory body cannot dictate the controls that are necessary in every environment. What might be appropriate for a large company with a significant web presence could be overkill for a small organization with a few customers. If the threats are different and the environment is different, it stands to reason that the controls may be different.

It is interesting to note that even the most prescriptive standards (e.g., PCI DSS) require risk assessments to determine the need for and effectiveness of controls. On the less prescriptive side of the regulatory spectrum, HIPAA and FISMA have very few required controls but expect the entire program to be risk based. This approach makes sense when one standard needs to apply to everyone.

Choosing a risk management framework

If your organization needs to comply with FISMA, your risk management approach should be based on NIST Special Publication 800-39. This document provides an overall description of the risk management lifecycle. Risk assessment, which is one part of the risk management program, is described in NIST Special Publication 800-30 (which is being revised). SP 800-30 provides a stepwise method for assessing risk that can be customized for a given organization.

Another good source of risk management documentation is provided by the OCTAVE project developed at Carnegie Mellon University. Both NIST and OCTAVE provide excellent sources for building a risk management program that help organizations meet their security and regulatory requirements.

This article was originally posted at

How to Evaluate a HIPAA Security Compliant Data Center

If you host your healthcare data with a data center, certain administrative, physical and technical safeguards should be in place, as defined by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Although all service providers tout their data centers as secure, how do you confirm that one truly is HIPAA Security Rule compliant?

HIPAA sets the standard for protecting sensitive patient data. Under HIPAA there are two designations, Covered Entity and Business Associate. The Covered Entity is the provider of medical care or any entity that transmits EPHI. The Business Associate is any entity that provides services for a Covered Entity that may involve EPHI. The Health Information Technology and Economic Clinical Act (HITECH) was enacted in 2009 and raised the stakes for Business Associates in complying with HIPAA, basically putting them on par with Covered Entities. By managing servers containing EPHI, the data center hosting company is considered a Business Associate and must ensure all the required physical, network and process security measures are in place and followed.

The Minimum Safeguards

When evaluating providers, the following safeguards must be in place:

•    Physical safeguards - include limited facility access and control, with authorized access in place. All covered entities, or business associates, must have policies about use and access to workstations and electronic media. This requirement includes transferring, removing, disposing and re-using electronic media and EPHI.
•    Technical safeguards - require access control to allow only authorized personnel to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.
•    Audit reports (or tracking logs) - must be implemented to keep records of activity on hardware and software. This procedure is especially useful to pinpoint the source or cause of any security violations.  Solution providers should keep very detailed records in their building monitoring system, down to the second when somebody accessed a badge reader on a door.
•    Technical policies - should also cover integrity controls, or measures put in place to confirm that EPHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are keys to ensure any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.  A HIPAA security compliant data center must ensure crucial healthcare data it handles for providers and insurers will be safe and protected in the event of a disaster.
•    Network, or transmission, security - is the last technical safeguard required of HIPAA security compliant hosts to protect against unauthorized public access of PHI. This requirement covers all methods of transmitting data, including email, Internet, or even over a private cloud network.

Turn to Audit Reports

The rapid adoption of healthcare technology and applications such as Electronic Health Records creates new challenges for healthcare IT planners, who must undergo costly upgrades to ensure HIPAA security compliance. Outsourcing data storage to data center hosting companies can be a cost-effective alternative. The best way to evaluate whether the required security is in place is to review the data center's SAS-70 (recently changed to SSAE 16) and PCI-DSS audit reports. The audit reports should specifically cover the processes for the data center's physical security, network security and access control to the data on the server.

A SAS-70 (statement of auditing standards) designation confirms the data center complies with established auditing controls.  The audit is conducted by an independent, third-party CPA. SAS-70 certification includes two types of audit reports:

•    Type I – The first step in the auditing process evaluates the organization’s description of their internal controls.

•    Type II – Includes the Type I report and it evaluates how the controls were operating from when the Type I audit was first conducted to six months thereafter. 

The final deliverable for the audit is commonly called the SAS 70 Service Auditor’s Report, a lengthy document which contains a multitude of information regarding the service organization, its overall control structure, framework, test of controls (if a Type II audit), along with adjunct and supporting documentation, such as the Independent Accountant (or Service Auditor’s) Report, possible exceptions noted during testing, and any additional information provided by the service organization.

Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. The standards were created to prevent cardholder fraud, which is critical as more patients pay by credit card. The following table shows the requirements:

| Control Objectives | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |

The Staggering Price of Non-Compliance

The HIPAA Security Rule went into effect in 2005 but its enforcement and the financial impact of violations have been hard to pinpoint in the past.  The HITECH act of 2009 changed that and recent cases show violations can be expensive.

Massachusetts General Hospital discovered that Health and Human Services is getting serious about HIPAA violations. The hospital agreed to pay $1 million to settle potential HIPAA violations. Massachusetts General's case involved the loss of electronic protected health information (EPHI) of 192 patients. The loss works out to over $5000 per record.

Healthcare organizations must ensure their data centers meet the guidelines for the HIPAA Security Rule and have the required safeguards in place.  Although there is no widely accepted HIPAA Security certification program, the SAS-70/PCI-DSS certifications exceed the HIPAA security safeguard requirements and can help demonstrate compliance.  Staying well informed of regulatory changes will help meet requirements and avoid expensive penalties.

This article was originally posted at

Saturday, September 3, 2011

Are We Wired For Mobile Learning?

Because of the proliferation of new technologies, the younger generation today is outgrowing traditional forms of education – remember pencils, chalkboards, textbooks and graphing calculators? Whether we are in the car, on the train, at work, or in a classroom, mobile technology in particular is giving us the ability to learn on-the-go. See the infographic below to learn why we are wired for mobile learning, and how we can use mobile technologies to educate ourselves.

Via: Voxy Blog

Use This Infographic In Your Class

We think that infographics are an awesome learning and teaching tool, so our creations will always be available for you to print out, use with your students and embed on your blog!

Warm-Up Activity

Before handing out the infographic, discuss the following questions with your students.

  1. What is “mobile learning”?

  2. What are the advantages and disadvantages of using mobile technologies such as cell phones and iPads in education?

Speaking & Critical Thinking Practice

Questions to ask your students after presenting the infographic:

  1. What is the most surprising fact that you discovered from this infographic?

  2. Do you agree with the statement that today’s students “are no longer the people our educational system was designed to teach”? Why or why not?

  3. Would you consider yourself to be a “digital native”? How do you compare to other digital natives with respect to the way(s) you use mobile devices?

  4. Classroom technologies have come a long way since the end of the 19th century. In your opinion, what is the most important educational technology ever invented? Why?

  5. Many students and teachers around the world have found mobile learning to be very successful. How has mobile learning impacted your own education? Give examples.

Writing Challenge

After reviewing this infographic with your students, have them write a persuasive essay or blog post on the topic below. In addition to using the information from the infographic, students can do some independent research using the sources provided at the bottom of the graphic.

Should more teachers integrate mobile technologies into their classrooms? Why or why not?

Studies Show: Recent Research on Mobile Learning

Every day around the world, thousands of research studies are produced on every conceivable subject. So, when I checked out the Bielefeld Academic Search Engine (BASE) recently, there were over 1,700 research items listed for mobile learning or ubiquitous learning. (BASE is free to use, and many of the articles listed are "open" and accessible. For most of the others, there is usually an abstract describing the results of the study – thanks to Stephen Downes for blogging about this resource).

Much of this academic research does not inform current practice in mobile learning in enterprise settings. One reason that there is little crossover between empirical research and corporate training is that academic studies are often difficult to read, are based on complex theories, or contain lots of statistics and other forms of mathematics that are unfamiliar to the average training manager. Being a former academic who taught research methods, I propose to dip into some of this literature and review studies that I think might be useful to those who are trying to formulate new methods and approaches to mobile learning, and highlight recent studies of interest to learning and development professionals. While most of the studies that I looked at apply to higher education, there are a number that can be generalized to the training field. Here are five studies from the past two years that I found particularly applicable to enterprise mobile learning:

Akkerman, S. and Filius, R. (2011). The use of personal digital assistants as tools for work-based learning in clinical internships. Journal of Research on Technology in Education, 43(1), 325-341.
Comment: this study investigates both the perceived potential as well as the actual role of PDAs supporting a range of work-based learning activities. What is interesting here is how PDAs can be used as "boundary objects" between higher education practices and workplace practices. We all know that sometimes what is taught in university college classes is not exactly how things work in the real world. By taking college level materials into the workplace, supervisors can see what the students are being taught, and professors can see how the students act in the workplace. This can help bridge the gap between the two worlds that students inhabit.

Ardito, C., Buono, P. (2009). Enabling interactive exploration of cultural heritage: an experience of designing systems for mobile devices. Knowledge Technology and Policy, 22(1), 79-86.
Comment: given the small screens that are available for mobile learning, the role of a mobile learning designer is particularly important. This field study discusses issues around designing, developing, and evaluating mobile systems. In particular it describes the reaction of students to a mobile learning system called Explore! which is used to learn ancient history during a visit to archaeological parks. The design that was used seems to make the experience more complete and culturally rich.

Brett, Paul (2011). Students’ experiences and engagement with SMS for learning in higher education. Innovations in Education and Teaching International, 48(2), 137-147.
Comment: while graphic design is important, especially when using visual materials, often educational information can be conveyed in simple text messages. This study is an evaluation of students’ experiences and engagement with Short Message Service (SMS) messages, otherwise known as texting, for learning purposes. The study also shows that not all research has positive results – in this case, the results were mixed. Positive experiences were reported for administrative communications, learning support, and communications between students and instructors. On the other hand, students felt that SMS messages from instructors were an intrusion into their personal time, increased their phone costs, and did not have any learning benefit.

Chen, C. and Li, Y. (2011). Personalised context-aware ubiquitous learning system for supporting effective English vocabulary learning. Interactive Learning Environments, 18(4), 341-364.
Comment: there are dozens of academic studies that show the value of mobile learning for teaching English as a second language (ESL) or for teaching other languages to native English speakers. This study researched whether it made a difference in teaching English that the mobile learning system knew the location of students in order to supply them with learning materials that related to their particular geographical context. The results of this study showed that the language performance of those who used the personalized English vocabulary learning system with context awareness was superior to those who used the same system without context awareness.

Coulby, C., Hennessey, S., Davies, N. and Fuller, R. (2011). The use of mobile technology for work-based assessment: the student experience. British Journal of Educational Technology, 42(2), 251-265.
Comment: mobile-based assessment is another area where there are dozens of studies which can be reviewed. This particular study evaluated the use of competency-based assessment using personal digital assistants (PDAs) with medical students in their final work placements. The study reports that the student experience was positive, and resulted in an increased, improved level of feedback, which allowed students to improve their skills during the work placement.

The above examples are just five research studies among the thousands that are available on mobile learning. They show the range of issues that come up in the research literature.

Now it’s your turn! What are your questions about mobile learning? Send them to me, and I will try to find research studies that provide answers for you in the next installments of Studies Show. You can reach me at gwoodill [at]

This article was originally posted at