
Karen Sunderland, CHPS Senior Auditor, Electronic Information Privacy


Presentation Transcript


  1. Karen Sunderland, CHPS, Senior Auditor, Electronic Information Privacy

  2. Yale New Haven Health System: Who We Are
     • Three Member Delivery Network
     • Multiple Clinical Affiliations
     • Affiliated with Yale University
     • Destination Hospital for Patients Throughout the United States
     • Currently Going Through an Affiliation and Acquisition Period

  3. Facts & Figures
     • Medical Staff: 5,675
     • Employees: 18,435
     • Total Licensed Beds: 2,130
     • Inpatient Discharges: 93,923
     • Outpatient Visits: 1,397,632
     • Software Applications: …

  4. Enterprise-Wide Clinical Systems

  5. Auditing… Where the Rubber Meets the Road: Privacy, Security, and Meaningful Use

  6. Meaningful Use Stage 1 & 2 Audit Logging - Privacy and Security
     Many regulatory responsibilities depend on the availability of audit logs for systems that access ePHI. Meaningful Use Stage 1 (2011-2012) & Stage 2 (2013-2014) set a firm foundation for audit controls by specifying the availability of audit logs:
     • Meaningful Use Stage 1 (2011-2012)
        • Certified EHRs must produce an audit log
        • Specification of required data elements
        • Human readable form
     • Meaningful Use Stage 2 (2013-2014)
        • EHR audit logging must be enabled by default
        • EHR audit log integrity
           • Tamper proof
           • Alterations detected
        • Network Time Protocol (NTP) and event ordering
        • Controlled administration for enabling & disabling
        • Patient portal access review

  7. Protecting Patient Information: Balancing Act
     • Reactive
        • Required as a Detective Control
     • Proactive
        • Can be Risky for Patient Care
     • Most non-Clinical Systems (HR, Finance etc.)
     • Most Clinical Systems

  8. Access Audit Program: Up Until 2011
     • Random Audits
        • Family Members
        • Co-workers
        • VIPs
        • News
        • Known Community Leaders
        • Neighbors
     • Manual
        • One System at a Time
     • No Correlation of Events
        • Between Various Systems
        • With HR Data
     • Dependent on Staff Skills

  9. 2011
     • Decision Made
     • Key Requirements
        • Correlation with HR Data
        • Multiple Systems
     • FairWarning®

  10. Implementation Plan
     • Management Buy-In
     • Resource Allocation
     • User Communication
     • Audit Policy Review
     • Sanctions Policy Review
     • System Feeds
        • Different systems have different requirements
        • Log formats are different
     • Data Validation / QA
     • Complaint-Driven Audits
     • Proactive Audits
     • Random Audits

  11. User Communication
     • Management
     • Medical Records Committee
     • Compliance Committee
     • Newsletters
     • Email Blasts
     • Special Mandatory Training Module
     • Annual Mandatory Training
     • Presentations to Target Groups
        • Nursing Council, Leadership Forum, Physician Advisory Board

  12. Proactive vs. Reactive Audits
     • Complaint-Driven Audits
     • Proactive Monitoring and Alerts

  13. Process
     • Investigation, coordination with Managers, HR, OPCC, University HIPAA Privacy/Security and physician practices
     • If inappropriate access is confirmed:
        • Breach Notification Risk Assessment based on the NCHICA Tool/Template (needs revision) – low probability test
        • Identify policy violation, HIPAA violation, breach
        • If a breach is determined: notify patient(s), HHS and media as necessary
     • Report Out

  14. Grey Areas
     • With Release of Information (prior to or post access)
     • Self
     • Family
     • Curbside Consult

  15. Eliminating False Positives

  16. Deterrent: Login Banner

  17. Deterrent: Break the Glass

  18. Lessons Learned: Resource Requirements
     • Dedicated & Skilled Team
        • Collaboration with application DBAs & analysts
        • Source system data definitions
        • Extract data validation is imperative
        • Must be able to eliminate false positives
        • FairWarning® is only the 1st step in the process
     • Roles & Responsibilities of Related Departments
        • Legal, Compliance, HIM, Security, HR, Patient Relations
        • YNHHS Managers/Supervisors
     • Co-ordination with Yale University (Privacy, Security, Legal)
     • Co-ordination with contracting organizations (YNHHS acting as the BA)

  19. Lessons Learned
     • No Such Thing as Enough User Communication
     • Sanctions Policy
     • Q/A (quality assurance) between FairWarning® extracts and clinical applications' audit log data
     • Integration of multiple authoritative user sources (YNHHS & University HR, multiple credentialing sources)
     • Scalability
        • Log Data Grows QUICKLY
        • Processing Power
     • Track Metrics from Day 1

  20. Wish List: Future of Our Audit Program
     • Optimized & Closed-Loop Auditing
     • Integration with Other Security Systems
        • Security SIEM
     • Integration with other incident management systems
        • ComplyTrack
        • Governance, Risk & Compliance (Modulo)
     • Real-Time Alerts
        • When bad things happen
        • When the SIEM learns about it
        • When someone takes action
     • Resources to manage the volume of real-time application-level alerts

  21. Wish List: Real-Time Alerts
     • 24 – 48 Hours Delay

  22. Legislation
     • 1996 HIPAA (Health Information Portability and Accountability Act)
     • 2002 FISMA (Federal Information Security Management Act)
     • 44 State (CT) HIPAA Security Breach Disclosure Laws
     • CT 05-148 An Act Requiring Consumer Credit Bureaus To Offer Security Freezes
     • Red Flag Rule (Identity Theft)
     • Various State PII (Personally Identifiable Information) or SSN laws
     • CT 08-167 An Act Concerning the Confidentiality of Social Security Numbers

  23. Legislation (continued)
     • Stimulus Legislation: American Recovery and Reinvestment Act / Health Information Technology for Economic and Clinical Health Act of 2009 (ARRA/HITECH 2009) requires government audits – meaningful use requirements for stimulus dollars.
     • HIPAA HITECH Final Rule: On January 17, 2013, HHS released its Omnibus Final Rule, which modifies provisions of HIPAA, the HITECH Act, and GINA. The Omnibus Final Rule became effective on March 26, 2013, although the first compliance deadline is not until later this year (September 23, 2013).
     • Government Enforcement – KPMG auditing (150 random covered entities)
     • FTC Consumer Protection (unfair/deceptive)
     • Attorney General pre-breach

  24. ARRA / HITECH 2009
     • Security / Privacy
        • Breach Notification, not required in HIPAA, now required within 60 days
     • Penalties and Audits
        • Unknown: $100 to $50,000 per violation; max $1.5M by type
        • Reasonable Cause: $1,000 to $50,000 per violation; max $1.5M by type
        • Willful Neglect (corrected within 30 days): $10,000 to $50,000 per violation; max $1.5M by type
        • Willful Neglect (not corrected): $50,000; max $1.5M by type
        • Civil and monetary penalties can be levied against individuals, including possible imprisonment
        • State’s Attorney General authorized to file suit on behalf of residents
        • Health and Human Services to conduct periodic audits (KPMG)
     • Business Associates (BAs)
        • Subject to administrative, physical, and technical safeguards under HIPAA
        • Subject to civil and criminal penalties
     • Accounting Requirements
        • Accounting of disclosures of PHI in EHR system for 3 years prior to request
     • Access to Electronic Health Record (EHR)
        • Patients’ right to an electronic format of the record if the covered entity uses or maintains an EHR
     • Incentive aid (Meaningful Use) for EHR estimated at $17B+

  25. Cost of a Security Incident
     • Financial costs
        • Average breach cost in the range of $7.2 million (Ponemon Institute)
        • Sample breach response costs $287.00 per medical record
        • Credit monitoring and protections
        • Reimbursing direct costs of identity theft
        • Increase in business insurance
        • Fines and penalties
     • Less quantifiable costs
        • Public reputation and lost business
        • Lost productivity responding to breach
        • Increased regulator scrutiny
        • Compliance plan/consent decree costs may exceed direct legal penalties
        • Jail time
        • Loss of employment

  26. Impact of HITECH Final Rule
     • “Significant risk of financial, reputational or other harm.”
        • Harm test is gone, and must not be used after September 23, 2013.
     • Presumption of reportable breach unless low probability that PHI has been compromised after risk assessment.
        • Low probability test:
           • Nature and extent of the types of PHI, and likelihood of re-identification
           • Who received the PHI improperly
           • Whether PHI was actually acquired or viewed
           • Extent risk is mitigated
     • Business Associate security requirements
        • BAs and subcontractors must be fully compliant with all new rule requirements, including full Security Rule compliance, by September 23, 2013.
        • Definition of BA clarified
        • New BAA template
           • Starting March 26, 2013, for any new relationships, or when an existing contract runs out, you must apply the new rule
        • Subcontractors to BAs
           • Held to same standards as BA

  27. Information Security in Healthcare
     [Figure: balance between Availability and Security]
     • Information Availability
     • Quality of Patient Care
     • Most of the Time Trumps Security and Confidentiality

  28. Protecting Patient Information: Balancing Act II
     • Most Industries Err on the Side of Access Controls
     • Proactive
        • High Maintenance
        • Risky
     • Reactive
        • Time Consuming
        • Resource Intensive
        • Required to Detect
     • Healthcare is Opposite
     • What if …

  29. Access Audit Program
     • Self Audit
     • Family Members
     • Co-workers
     • VIPs
     • News
     • Known Community Leaders
     • Neighbors
     • Random
     • Odd Pairs
        • Pediatrician looking @ Adult Male Record
     • High volume / one-offs
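The correlation the audit program describes (EHR access events joined against HR and patient data to surface self, co-worker, neighbor and odd-pair access, with documented care-team relationships dropped as false positives), as an added Python example; it is not YNHHS or FairWarning® code, and every record, department name and rule in it is constructed for illustration.

```python
# Added example: join EHR access events with HR and patient data to flag the
# audit cases listed above. All records and rules are constructed, not YNHHS data.
# Constructed HR feed: employee id -> (department, home address, own MRN or None)
HR = {
    "u100": ("Pediatrics", "12 Elm St", "M555"),
    "u200": ("Emergency", "9 Oak Ave", "M777"),
    "u300": ("Pediatrics", "44 Pine Rd", None),
}
# Constructed demographics: MRN -> (age, sex, address, employee id if staff)
PATIENTS = {
    "M555": (34, "F", "12 Elm St", "u100"),
    "M777": (51, "M", "9 Oak Ave", "u200"),
    "M001": (7, "M", "3 Birch Ln", None),
    "M002": (46, "M", "12 Elm St", None),
}
# Constructed care-team assignments (user, MRN); these accesses are expected
CARE_TEAM = {("u300", "M001"), ("u100", "M001")}

def classify(user, mrn):
    """Return the audit flags for one access event; an empty list is no finding."""
    dept, home, own_mrn = HR[user]
    age, sex, addr, staff_id = PATIENTS[mrn]
    if (user, mrn) in CARE_TEAM:
        return []  # documented treatment relationship: suppress as false positive
    flags = []
    if own_mrn == mrn:
        flags.append("self")
    if staff_id and staff_id != user and HR[staff_id][0] == dept:
        flags.append("co-worker")  # patient is staff in the user's own department
    if addr == home and own_mrn != mrn:
        flags.append("neighbor")  # shared address in the constructed data
    if dept == "Pediatrics" and sex == "M" and age >= 18:
        flags.append("odd-pair")  # pediatric user viewing an adult male record
    return flags

def audit(events):
    """events: iterable of (timestamp, user, mrn); returns only flagged events."""
    return [(ts, u, m, f) for ts, u, m in events if (f := classify(u, m))]

# Constructed sample access log, already in time order
LOG = [
    ("2013-06-01T08:02Z", "u300", "M001"),  # on care team: no finding
    ("2013-06-01T08:10Z", "u100", "M555"),  # self
    ("2013-06-01T09:15Z", "u300", "M555"),  # co-worker
    ("2013-06-01T10:30Z", "u100", "M002"),  # neighbor + odd pair
    ("2013-06-01T11:00Z", "u200", "M001"),  # no rule fires
]
if __name__ == "__main__":
    for row in audit(LOG):
        print(*row)
```

In practice each rule would read from the validated extracts the Lessons Learned slides call for, since a stale HR feed or mismatched identifiers produce exactly the false positives the program has to eliminate.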

  30. Audit Process

  31. Awareness and Training
     • Objective: Create an awareness and training program consisting of the following:
        • Awareness and Training Plan Design
        • Awareness and Training Material Development
        • Program implementation - including options for delivery methods (web-based, on-site presentations, classroom, video, articles, etc.) and establishing metrics
        • Post-implementation – monitoring effectiveness and achieving established metrics (AKA audits, phishing tests)
        • Modify training methods and content based on audit results

  32. Training vs. Awareness
     • Training is direct and measurable. It strives to produce relevant and needed security skills and competencies. The following are examples of possible training methodologies:
        • HealthStream modules (this is the primary training strategy for YNHHS)
        • Presentations
        • Classes/Workshops
     • Awareness is subtly changing people over time. Awareness is not training. The purpose of awareness is simply to focus attention on security; it is intended to allow individuals to recognize IT security concerns and respond accordingly. It is much more difficult to measure. The following are examples of possible methods to achieve awareness:
        • Email reminders
        • Videos
        • Posters
        • Contests
        • Articles
        • Screen savers
        • Web Site/Intranet

  33. Questions?
