Reflective Practice Worksheet

Summary: This worksheet is intended to help you reflect on the work you carried out on all aspects of the
privacy and security assessment plan, audits and access policy throughout the course. You will identify three
specific aspects of your activity that could be improved upon using the Reflection Template tables, and then
you will indicate a corresponding goal for each using the Action Plan Template table.

Overview: Reflective practice is the process of studying one’s experiences in order to improve how one
works. Upon reflecting on one’s experiences, action plans are developed and implemented to improve the
thoughts, perceptions, and actions related to one’s processes.

Reflective practice can be beneficial in:

 Increasing an individual’s ability to be self-aware in given situations, tasks, and activities.
 Improving the quality of one’s work.
 Assisting individuals in carrying out self-improvement and self-awareness techniques in order to
improve interpersonal interactions.
 Improve work activities requiring individuals to collaborate to accomplish a unified goal.

There are several models for carrying out reflective practice, such as: Gibbs’ reflective cycle, Johns’ model,
and Atkins and Murphy. Johns’ model was developed for nursing practitioners and is based on five core
questions that enable you to break down your experience and reflect on the process and outcomes. This
worksheet uses a modified version of Johns’ model that is more suited to health care informatics.

Reflection Template
Use the tables provided below to complete three reflections on specific aspects of your activity during the
privacy and security assessment plan, audits and access policy that can be improved upon. An example
reflection has been provided below. Use the blank reflection tables to complete your reflections.

Below are instructions on how to fill out each section.

1. Description – Write a brief statement that addresses the following:
 Write a description of the specific aspect of your activity that can be improved upon.
 What key issues do you need to pay attention to in relation to this aspect?

2. Reflection – Write a brief statement that addresses the following:

 What were you trying to achieve?
 Why did I act as you did?
 What are the consequences of your actions for the project success or outcome, for yourself, or for
the people you work with?
 How did you feel about this experience when it was happening?

3. Influencing Factors – Write a brief statement that addresses the following:

 What internal factors influenced your decision making and actions?
 What external factors influenced your decision making and actions?
 What sources of knowledge influenced or should have influenced your decision making and
actions?
 Could you have dealt with the situation better?
 What other choices did you have and what would be the consequences of these other choices?
 What people, devices, or situations impacted your decision making?

4. Learning Point – Write a brief statement that addresses the following:

 How can you make sense of this experience in light of past experience and future practice?
1
  How do you feel about this experience now?
 Have you taken effective action to support others and yourself as a result of this experience?
 How has this experience changed the way you act or how you perceive or think about the event?
 How would you change systems, devices or strategies the next time you encounter the situation?

5. Miscellaneous – This area is for additional information you would like to add that does not relate to
the other sections of the table.

EXAMPLE REFLECTION
Description Reflection Influencing Learning Point Miscellaneous
Factors
Lack of I was trying to Instructor feedback In performing a The regulatory
understanding of understand the on access policy desk audit for environment is
HIPAA led me to case study in terms demonstrated my HIPAA continually evolving
have difficulty in of small practice lack of knowledge compliance, I and requires
successfully requirements of basic HIPAA gained an flexibility and
completing the compliance understanding of prudence in
desk audits I didn’t understand the regulatory reviewing policy
the extent and requirements for and regulatory
complexity of small practices changes
HIPAA regulations

Reflection 1

Description Reflection Influencing Learning Point Miscellaneous

Factors
Insufficient I was trying to Extensive research In performing the The technology is
knowledge of ePHI understand ways on HIPAA desk audit, I ever-evolving and
data while in transit how ePHI could be regulations learned the requires
led me to have breached while in concerning importance and cybersecurity
complications in transit, how can the encrypted data the power of experts to stay
completing the practice know of the demonstrated my encrypted data, informed of any
audit. breach, and whether lack of knowledge which benefits changes in policy,
the information was of various breaches small practices. regulations, and
compromised if it and required the latest
was stolen. safeguards to breaches.
satisfy essential
I did not understand HIPAA
what is permissible compliance.
under HIPAA
regulations for
healthcare
organizations.

2
Reflection 2
Description Reflection Influencing Learning Point Miscellaneous
Factors
Lack of Leaving the Every health care In performing the Adhering to
understanding of computer on for 15 organization sets desk audit, I HIPAA
why the computer minutes could be specific security realized that the regulations is
screens risky, especially if precautionary employees spent crucial, especially
automatically log unauthorized regulations based most of their time when workstations
out after 15 minutes personnel modifies on their needs while behind the desk contain ePHI.
of inactivity. Why patient information complying with and 15 minutes of Employees need
was the time frame or obtains ePHI HIPAA; therefore, computer to log off every
set to 15 minutes copies illegally. my limited inactivity became time they step
and not 7? experience insignificant. away from the
demonstrated a lack desk to avoid any
of knowledge of breaches.
what is appropriate.

Reflection 3
Description Reflection Influencing Learning Point Miscellaneous
Factors
Lack of knowledge If cybersecurity The practice I gained The practice
as to why experts do not requires Business knowledge of how prohibits any
employees allowed monitor personal Associates and often audits are personal devices
to access the EHR devices, ePHI is subcontractors to conducted and that to be connected to
via a web more prone to be sign a policy there is an the workstations
application on their breached. agreement electronic trace for the safety of
personal devices led regarding adhering left behind after ePHI. Even
me to have to HIPAA each employee though ePHI is all
difficulty in regulations before that accessed ePHI encrypted, the
completing the access to PHI is at any given point practice is taking
audit. granted. in time. extra precautions
Additionally, to avoid any
practice monitors breaches within
and audits all user the clinic.
access every three
months. I had
inadequate
knowledge of the
monitoring process
of the ePHI.

3
Action Plan Template
Now that you have identified three aspects of your privacy and security activity that can be improved upon,
you need to create an action plan by establishing goals and actions to achieve them. Your action plan must
include a reflection goal for each of the three reflections you completed in the Reflection Template. An
example action plan has been provided below. Use the table on the last page of this worksheet to complete
your action plan.

Below are instructions on how to fill out each section.

1. Reflection Goal – In this section, you will write a goal for each reflection for a total of three goals.
Keep the goal statement brief and simple (i.e. no more than two sentences). Goals should be
actionable and measurable.
2. Actions I will implement – This section describes what actions you would take to address each issue
identified in your reflections.
3. Possible Obstacles – This section describes potential barriers or obstacles to implementing the
actions you identified for achieving your goals.
4. How I will know I’ve achieved my goal – In this section, you will indicate the tangible evidence,
acquired skills, knowledge or behaviours required to achieve your reflection goals.
5. Target to meet goal/Review date – In this section, you will indicate a target date for completing
your goals. Then, indicate a follow up review date when you will check in to ensure the goals are
continually being met.

EXAMPLE ACTION PLAN

Reflection Goal Actions I will Possible Obstacles How I will know Target to meet
implement I’ve achieved my goal/ Review
goal date
Expand knowledge Complete a Allotting time to I will have an Establish 1 year
of HIPAA government webinar review HIPAA increased level of as the target goal
regulations and on HIPAA updates updates and comfort and and a review date
compliance as they and regulations, regulations confidence in every 6 months
relate to small review monthly applying HIPAA
practice settings government Financing regulations to small
bulletins related to certification in practice settings
regulatory changes, privacy and security I will be able to
consider obtaining from AHIMA successfully obtain
certification in certification from
privacy and security AHIMA
from AHIMA
(www.ahima.org)

4

Reflection Goal
Understand HIPAA
compliance regarding
ePHI data while in transit.
Establish a better time
frame for an automatic log
off when a workstation is
no longer in use.
Familiarize what devices
the practice allows
employees to utilize while
at work.
Action Plan
Actions I will implement Possible Obstacles How I will know I’ve Target to meet
achieved my goal goal/Review date
Sign a contract with a When the practice signs a Establish 1 year as the
company to assist with The practice might hesitate contract to have target goal and a review
tracking encrypted data to sign a contract with a cybersecurity insurance date every 6 months.
while in transit to help company to provide cyber implemented in the clinic.
determine if ePHI has been insurance if the rates are Establish 6 months as the
accessed, altered, or too high. The timeframe will be target goal and review date
deleted. reduced to 7 minutes for in 3 months.
the screen to log off when
Speak with PSO regarding Management might oppose it is inactive.
revising policy to reduce the change based on the Establish 1 year as the
the timeframe from 15 history of no prior The cybersecurity experts target goal and a review
minutes to 7 minutes breaches. will start to monitor date every 6 months.
before a computer screen mobile phones for any
automatically logs off after unauthorized breaches.
inactivity. The practice might have
insufficient funds to
allocate for mobile phones.
Speak with PSO to provide
company’s mobile phones
to Business Associates that
work from home to reduce
the chances of ePHI
breach.
5
6