they may be under contract, or they may simply admit or refer patients to a health care facility. Several of the sites visited by the committee noted that the historical role of physicians made it difficult to require them to attend training; at least one site proposed requiring even nonemployee physicians to participate in training activities in exchange for access to the facility's computer system. Physicians often view training as a disruptive and unnecessary intrusion into an already busy schedule with competing demands, but organizations that tie training tightly to policy on privacy and security can both emphasize its value and accommodate cultural and scheduling conflicts (Box 5.3).
Most sites using a standard training module for new employees (lecture, handouts, film) reported that such modules are not at all effective in either capturing physician interest or imparting lasting information. To help spark physician interest in the importance of data security, a different form of system training is needed. Innovative training methods have been evaluated in studies on changing clinical practice behaviors and may be of use for training in confidentiality and security as well.17 Among the types of techniques that might be incorporated in confidentiality and security training is the use of grand rounds in health provider organizations in which cases or vignettes involving inappropriate disclosure of health information are examined in detail and adjudicated by medical staff. Physicians could also be encouraged to enroll in continuing medical education courses focused on confidentiality and security issues. Another possible technique used effectively by drug companies—detailing—might be customized to present one-on-one training to individual physicians or small groups of physicians. No matter which training techniques are developed for physicians, it is imperative that the leadership of the medical staff, both chairs of clinical departments and the chief of staff, be involved in their development and act as champions of and models for patient privacy.
Often, the most effective training occurs in spontaneous or unintended ways. One of the sites visited by committee members relied more on socializing new employees into an organizational culture that stressed the "highest moral, ethical, and legal standards" than it did on orientation and training programs. Nevertheless, this practice can backfire unless the