Summary: This worksheet is intended to help you reflect on the work you carried out on all aspects of the
privacy and security assessment plan, audits and access policy throughout the course. You will identify three
specific aspects of your activity that could be improved upon using the Reflection Template tables, and then
you will indicate a corresponding goal for each using the Action Plan Template table.
Overview: Reflective practice is the process of studying one’s experiences in order to improve how one
works. Upon reflecting on one’s experiences, action plans are developed and implemented to improve the
thoughts, perceptions, and actions related to one’s processes.
There are several models for carrying out reflective practice, such as: Gibbs’ reflective cycle, Johns’ model,
and Atkins and Murphy. Johns’ model was developed for nursing practitioners and is based on five core
questions that enable you to break down your experience and reflect on the process and outcomes. This
worksheet uses a modified version of Johns’ model that is more suited to health care informatics.
Reflection Template
Use the tables provided below to complete three reflections on specific aspects of your activity during the
privacy and security assessment plan, audits and access policy that can be improved upon. An example
reflection has been provided below. Use the blank reflection tables to complete your reflections.
5. Miscellaneous – This area is for additional information you would like to add that does not relate to
the other sections of the table.
EXAMPLE REFLECTION
Description: Lack of understanding of HIPAA led me to have difficulty in successfully completing the desk audits.
Reflection: I was trying to understand the case study in terms of small practice requirements. I didn’t understand the extent and complexity of HIPAA regulations.
Influencing Factors: Instructor feedback on access policy demonstrated my lack of knowledge of basic HIPAA compliance.
Learning Point: In performing a desk audit for HIPAA compliance, I gained an understanding of the regulatory requirements for small practices.
Miscellaneous: The regulatory environment is continually evolving and requires flexibility and prudence in reviewing policy and regulatory changes.
Reflection 1
Reflection 2
Description: Lack of understanding of why the computer screens automatically log out after 15 minutes of inactivity. Why was the time frame set to 15 minutes and not 7?
Reflection: Leaving the computer on for 15 minutes could be risky, especially if unauthorized personnel modify patient information or obtain ePHI copies illegally.
Influencing Factors: Every health care organization sets specific security precautionary regulations based on their needs while complying with HIPAA; therefore, my limited experience demonstrated a lack of knowledge of what is appropriate.
Learning Point: In performing the desk audit, I realized that the employees spent most of their time behind the desk and 15 minutes of computer inactivity became insignificant.
Miscellaneous: Adhering to HIPAA regulations is crucial, especially when workstations contain ePHI. Employees need to log off every time they step away from the desk to avoid any breaches.
Reflection 3
Description: Lack of knowledge as to why employees are allowed to access the EHR via a web application on their personal devices led me to have difficulty in completing the audit.
Reflection: If cybersecurity experts do not monitor personal devices, ePHI is more prone to be breached.
Influencing Factors: The practice requires Business Associates and subcontractors to sign a policy agreement regarding adhering to HIPAA regulations before access to PHI is granted. Additionally, the practice monitors and audits all user access every three months. I had inadequate knowledge of the monitoring process of the ePHI.
Learning Point: I gained knowledge of how often audits are conducted and that there is an electronic trace left behind after each employee that accessed ePHI at any given point in time.
Miscellaneous: The practice prohibits any personal devices to be connected to the workstations for the safety of ePHI. Even though ePHI is all encrypted, the practice is taking extra precautions to avoid any breaches within the clinic.
Action Plan Template
Now that you have identified three aspects of your privacy and security activity that can be improved upon,
you need to create an action plan by establishing goals and actions to achieve them. Your action plan must
include a reflection goal for each of the three reflections you completed in the Reflection Template. An
example action plan has been provided below. Use the table on the last page of this worksheet to complete
your action plan.
Action Plan
Reflection Goal: Understand HIPAA compliance regarding ePHI data while in transit.
Actions I will implement: Sign a contract with a company to assist with tracking encrypted data while in transit to help determine if ePHI has been accessed, altered, or deleted.
Possible Obstacles: The practice might hesitate to sign a contract with a company to provide cyber insurance if the rates are too high.
How I will know I’ve achieved my goal: When the practice signs a contract to have cybersecurity insurance implemented in the clinic.
Target to meet goal/Review date: Establish 1 year as the target goal and a review date every 6 months.

Reflection Goal: Establish a better time frame for an automatic log off when a workstation is no longer in use.
Actions I will implement: Speak with PSO regarding revising policy to reduce the timeframe from 15 minutes to 7 minutes before a computer screen automatically logs off after inactivity.
Possible Obstacles: Management might oppose the change based on the history of no prior breaches.
How I will know I’ve achieved my goal: The timeframe will be reduced to 7 minutes for the screen to log off when it is inactive.
Target to meet goal/Review date: Establish 6 months as the target goal and review date in 3 months.

Reflection Goal: Familiarize myself with what devices the practice allows employees to utilize while at work.
Actions I will implement:
Possible Obstacles: The practice might have insufficient funds to allocate for mobile phones.
How I will know I’ve achieved my goal: The cybersecurity experts will start to monitor mobile phones for any unauthorized breaches.
Target to meet goal/Review date: Establish 1 year as the target goal and a review date every 6 months.