Storyline 360 · Compliance

When Knowing Isn't Enough: A Scenario-Based HIPAA Compliance Module

A 94% quiz pass rate. A 22% spike in incidents. The quiz was measuring the wrong thing — and this module was designed to fix that.

Gretchen Lautenschlager
Storyline 360, Canva, Google Forms
30–45 minutes
Healthcare clinic staff
Portfolio Demonstration
Kirkpatrick L1–4

Live Course Demo

Try the module

This is the published Storyline 360 module in Articulate Review. Click below to open it — fully interactive, exactly as a learner would experience it.

Know. Decide. Act. — HIPAA Compliance Module

Storyline 360 · 30–45 min · Opens in Articulate Review →

Launch Module

The Problem

94% pass rate. Incidents up 22%. The quiz was measuring the wrong thing.

Northgate Family Clinic had a compliance training problem hiding in plain sight. Their annual HIPAA training carried a 94% quiz pass rate. Staff could define protected health information, recite the minimum necessary standard, and identify the six patient rights under the Privacy Rule. On paper, it looked like success.

Then the incident reports came in — a 22% increase in the quarter following the most recent training cycle.

Employees knew the rules. What they didn't know was how to act when a real situation unfolded in real time — a coworker asking about a patient in the hallway, a family member demanding records at the front desk, a fax sent to the wrong number at 4:47 on a Friday afternoon.

Knowledge and performance are not the same thing. A click-through slide deck with a 10-question quiz at the end will never close that gap. That distinction — knowledge versus performance — is where this project begins.

My Role

Sole designer. Full system.

I served as the sole instructional designer on this project — responsible for root cause analysis, scenario scripting, Storyline 360 development, performance support card design in Canva, and a Kirkpatrick L1–4 evaluation plan.

For this portfolio project, I grounded every scenario in the most commonly reported HIPAA violation categories: unauthorized verbal disclosure, improper sharing with family members, and misdirected fax breach response. Three situations that account for a significant proportion of real-world clinic incidents. The scenarios are fictional. The failure modes are not.

My Educator Reframe

I know what it feels like to be in these situations.

Before describing my process, I want to name something explicitly — because it belongs in this case study.

Fifteen years in education means fifteen years of high-stakes human interactions: difficult parent conversations, student mental health disclosures, colleague conflicts, administrative pressure. I have spent years learning how to read a room, de-escalate tension, hold a boundary with empathy, and make the right call when the social pressure in the room is pushing toward the easier wrong one.

That is precisely the behavior this module is designed to build. Every scenario is a moment of social pressure — a friendly coworker, a distressed family member, a Friday afternoon when it would be easier to wait until Monday. I didn't just design these situations academically. I know what it feels like to be in them. That experiential knowledge made me a better scenario writer.

The Process

Step 1 — Reframing the problem.

The first design decision was also the most important: I resisted the instinct to build better content and instead asked a harder question — what do employees need to be able to DO, and what is stopping them from doing it?

The needs assessment revealed that the existing training had no knowledge gap at all — staff could pass the quiz blindfolded. The gap was entirely in application: employees didn't have a practiced mental model for making compliance decisions under social and time pressure. More information would not fix that. Only practice in context could.

This reframe eliminated an entire content module from my initial outline. No HIPAA definitions slide. No regulation overview. The module opens directly in scenario — because the learner doesn't need more knowledge, they need a different kind of experience.

The Process

Step 2 — Branching script design.

I wrote the full branching script before opening Storyline 360. Each of the three decision points follows the same four-beat structure:

Decision

Consequence

Coaching

Return to Flow

The three scenarios cover a spectrum of violation types:

Decision Point 1 — The Hallway Conversation

Minimum Necessary Standard. Tests whether learners can decline a peer's friendly but unauthorized request without being rude or evasive.

Decision Point 2 — The Family Member at the Front Desk

Patient authorization. Tests whether learners can hold a privacy boundary empathetically with a distressed and emotionally compelling person.

Decision Point 3 — The Misdirected Fax

Breach response. Tests whether learners know that the Privacy Officer is the first call — not the last — and that the clock starts at discovery, not Monday morning.

Each decision point offers three options: one clearly correct, one plausible-but-wrong, and one well-intentioned-but-procedurally flawed. The third option is the most instructionally important. The "I meant well" failure mode is the one that generates actual incidents — and it's the one a simple correct/incorrect quiz will never surface.

The Process

Step 3 — Storyline 360 development.

The module is built across 18 slides using a clean, clinic-appropriate visual design: slate blue headers, warm white backgrounds, and amber consequence layers that signal — visually, immediately — that the stakes have shifted.

Slide layers for branching

Each decision slide uses Storyline's layer system rather than separate slides. Keeps the file clean, reduces development time, and makes revision straightforward — a practical skill hiring managers notice.

Variable-based scoring

A numeric ComplianceScore variable tracks correct choices across all three decision points. The Results slide delivers one of three personalized coaching messages — not a generic score screen.

Character states

Storyline's built-in character state system (Neutral → Concerned → Relieved) adds emotional realism without custom animation or extended development time.

Consequence layer amber tint ★ Deliberate design signal

Every consequence layer shifts the background to amber — training the learner's eye that something real has happened before they read a single word of feedback.

No timer, no forced linear path

Learners can read at their own pace within each slide. The only constraint is that they must make a choice before advancing — because that choice is the learning event.

Slide architecture

Slide

Content

Storyline Element

1

Title / Hook

Text over image, auto-advance 5 sec

2

Scenario intro

Text + character image, button advance

3

DP1 Setup

Character dialogue + scene background

4

DP1 Choice

Button interaction (3 buttons)

5–7

DP1 Consequence + Coaching

Slide layers triggered by each button

8

DP2 Setup

New character + scene

9

DP2 Choice

Button interaction

10–12

DP2 Consequence + Coaching

Slide layers

13

DP3 Setup

Scene shift to fax machine visual

14

DP3 Choice

Button interaction

15–17

DP3 Consequence + Coaching

Slide layers

Design Artifact

Step 4 — Performance support card.

The companion Canva performance support card is a 4×6 laminate-style card designed for two use cases: a physical card kept at a workstation, and a digital PNG pinned in a team communication channel.

It contains exactly three things — and deliberately nothing else:

1. 3-Question Compliance Check

Three yes/no questions that function as a decision gate before any patient information is shared.

2. Breach Response Sequence

Four steps to take in the first minutes after a potential disclosure, including the Privacy Officer's direct extension.

3. Clear Escalation Signal

"When in doubt, call Sandra before you act" — naming the specific person and the specific moment to call.

The card deliberately does not reproduce HIPAA rules or regulation summaries. It is not a reference document — it is a decision tool. The moment of need is not the moment to read. It is the moment to act.

HIPAA Quick Reference card — Before sharing patient information and who can receive it
HIPAA Quick Reference card — Breach response: act now

Evaluation Plan

Step 5 — Kirkpatrick L1–4.

I designed a full Level 1–4 evaluation plan, with Levels 1 and 2 implemented directly in the module and Levels 3 and 4 structured as a post-launch organizational commitment.

L1

Reaction

Five-question Google Forms survey delivered via link on the Results slide. Questions measure perceived relevance, confidence, and usefulness. Target: ≥ 4.0/5.0 average on scaled items. Qualitative themes from Q5 feed into v2 design.

Survey Questions

  1. The scenarios in this module reflected situations I actually encounter at work.
  2. After completing this module, I feel more confident handling privacy situations on the job.
  3. The feedback after each decision helped me understand what to do differently.
  4. This training was a better use of my time than previous HIPAA training I've completed.
  5. What is one thing you'd change about this training to make it more useful? (open text)
L2

Learning

The Storyline ComplianceScore variable, captured by the LMS on completion. Target: ≥ 80% pass rate on first attempt. Retake data tracked separately — a gap between first-attempt and retake scores signals which decision point needs redesign.

L3

Behavior ★ Most deliberate artifact in this plan

Manager observation checklist administered at 30 and 60 days post-launch. Five observable behaviors drawn directly from the scenarios — not generic "follows HIPAA rules" language. Target: ≥ 85% "Yes" across all five behaviors at 60-day check.

Observable Behavior

Observed?

Declines unauthorized information requests without escalating unnecessarily

Yes / No / N/A

Does not discuss patient information in non-private areas

Yes / No / N/A

Verifies authorization before sharing records with family members

Yes / No / N/A

Reports potential breaches to Privacy Officer within same business day

Yes / No / N/A

Uses performance support card or equivalent reference at point of decision

Yes / No / N/A

A rising quiz score alongside a flat incident rate would tell me the module is measuring recall, not behavior — and would trigger a redesign. The checklist is what prevents that false positive.

L4

Results

Compliance officer incident log data pulled at six months post-launch, compared to the six-month pre-launch baseline. Target: 15% reduction in reported HIPAA incidents — a return to pre-incident-spike baseline.

Anticipated Impact

A module alone is an event. A system is a solution.

The final deliverable set functions as a system. The Storyline module builds practiced decision-making. The performance support card extends those decisions to the moment of need — no LMS login required. The evaluation plan creates the data loop that tells the organization whether behavior actually changed.

Metric

Baseline

Target

Timeline

HIPAA incident reports

+22% post-prior training

15% reduction

6 months post-launch

Scenario quiz pass rate (L2)

N/A (no prior scenario training)

≥ 80% first attempt

Immediate

L3 behavior observation score

N/A

≥ 85% correct decisions

60 days post-launch

Learner confidence (L1 Q2)

N/A

≥ 4.0/5.0

Immediate

Retake rate

N/A

< 20% require retake

Immediate

The metric I'd watch most closely is not the quiz pass rate — it's the gap between first-attempt and retake scores by decision point. That gap is the diagnostic. It tells me which scenario, which choice architecture, or which consequence layer isn't doing its job.

ID Theory

Why scenarios work: the theory behind this design.

I want to be transparent about the theory driving every decision in this project, because naming your rationale is what separates an instructional designer from a content builder.

Scenario-based learning works because it creates practice in context — not exposure to content. When a learner makes a wrong choice and experiences a realistic consequence, they build a mental model of the situation that information transfer alone cannot create. The emotional activation of seeing a consequence — even a simulated one — engages memory encoding in a way that a highlighted correct answer never will.

This is why the module opens in scenario rather than content. It's why every consequence layer shows something real happening — a compliance officer appearing, a patient filing a complaint, a law firm calling on Monday morning — before the coaching feedback explains why. Consequence first. Explanation second. That sequence mirrors how real learning from experience works.

The entire system — module, card, evaluation plan — is organized around one question: what does this person need to do differently when a real moment arrives? That question is the difference between compliance training that generates incident reports and compliance training that prevents them.

My Reflection

What I'd do differently.

"If I were to iterate on this module, I would conduct structured interviews with the clinic's compliance officer and at least three frontline staff members before finalizing the scenarios. My three decision points are grounded in documented HIPAA violation categories, but real incident data from this specific clinic would sharpen the scenario details and make the consequences feel undeniably local — which dramatically increases transfer. I would also add a fourth decision point addressing digital privacy: texting patient information, responding to a phishing email, or accessing records from a personal device. These are the fastest-growing HIPAA violation categories and my current scenario set doesn't address them. Finally, I would explore whether a brief 'What just happened and why' reflection prompt — a single open-text box between each consequence and coaching layer — increases learner engagement and retention over passive reading of the coaching text alone."

← New Hire Success Next: Microlearning Suite →