1 Karen Sunderland, CHPS, Senior Auditor, Electronic Information Privacy

2 Yale New Haven Health System: Who We Are
- Three-member delivery network
- Multiple clinical affiliations
- Affiliated with Yale University
- Destination hospital for patients throughout the United States
- Currently going through an affiliation and acquisition period

3 Facts & Figures
- Medical staff: 5,675
- Employees: 18,435
- Total licensed beds: 2,130
- Inpatient discharges: 93,923
- Outpatient visits: 1,397,632
- Software applications: ……

4 Enterprise-Wide Clinical Systems

5 Auditing… Where the Rubber Meets the Road: Privacy, Security, and Meaningful Use

6 Meaningful Use Stage 1 & 2 Audit Logging – Privacy and Security
Many regulatory responsibilities depend on the availability of audit logs for systems that access ePHI. Meaningful Use Stage 1 ( ) & Stage 2 ( ) set a firm foundation for audit controls by specifying the availability of audit logs:
- Meaningful Use Stage 1 ( )
  – Certified EHRs must produce an audit log
  – Specification of required data elements
  – Human-readable form
- Meaningful Use Stage 2 ( )
  – EHR audit logging must be enabled by default
  – EHR audit log integrity: tamper-proof, alterations detected
  – Network Time Protocol (NTP) and event ordering
  – Controlled administration for enabling & disabling
  – Patient portal access review

7 Protecting Patient Information: Balancing Act
- Most non-clinical systems (HR, Finance, etc.): proactive controls; can be risky for patient care
- Most clinical systems: reactive controls; required as a detective control

8 Access Audit Program Up Until 2011
- Random audits
  – Family members
  – Co-workers
  – VIPs: news, known community leaders
  – Neighbors
- Manual, one system at a time
- No correlation of events
  – Between various systems
  – With HR data
- Dependent on staff skills

9 2011: Decision Made
- Key requirements
  – Correlation with HR data
  – Multiple systems
- FairWarning®

10 Implementation Plan
- Management buy-in
- Resource allocation
- User communication
- Audit policy review
- Sanctions policy review
- System feeds
  – Different systems have different requirements
  – Log formats are different
- Data validation / QA
- Complaint-driven audits
- Proactive audits
- Random audits

11 User Communication
- Management
  – Medical Records Committee
  – Compliance Committee
- Newsletters
- Blasts
- Special mandatory training module
- Annual mandatory training
- Presentations to target groups
  – Nursing Council, Leadership Forum, Physician Advisory Board

12 Proactive vs. Reactive Audits
- Complaint-driven audits
- Proactive monitoring and alerts

13 Process
- Investigation; coordination with managers, HR, OPCC, University HIPAA Privacy/Security and physician practices
- If inappropriate access is confirmed:
  – Breach notification risk assessment based on the NCHICA tool/template (need to revise): low probability test
  – Identify policy violation, HIPAA violation, breach
- If a breach is determined: notify patient(s), HHS and media as necessary
- Report out

14 Grey Areas
- Self
- Family with release of information (prior to or post access)
- Curbside consult

15 Eliminating False Positives

16 Deterrent: Login Banner

17 Deterrent: Break the Glass

18 Lessons Learned
- Resource requirements: dedicated & skilled team
  – Collaboration with application DBAs & analysts
- Source system data definitions
- Extract data validation is imperative
  – Must be able to eliminate false positives
  – FairWarning® is only the first step in the process
- Roles & responsibilities of related departments
  – Legal, Compliance, HIM, Security, HR, Patient Relations
- YNHHS managers/supervisors
- Coordination with Yale University (Privacy, Security, Legal)
- Coordination with contracting organizations (YNHHS acting as the BA)

19 Lessons Learned
- No such thing as enough user communication
- Sanctions policy
- Q/A (quality assurance) between FairWarning® extracts and clinical applications' audit log data
- Integration of multiple authoritative user sources (YNHHS & University HR, multiple credentialing sources)
- Scalability
  – Log data grows QUICKLY
  – Processing power
- Track metrics from day 1

20 Wish List: Future of Our Audit Program
- Optimized & closed-loop auditing
- Integration with other security systems
  – Security SIEM
- Integration with other incident management systems
  – ComplyTrack
  – Governance, Risk & Compliance (Modulo)
- Real-time alerts
  – When bad things happen
  – When the SIEM learns about it
  – When someone takes action
  – Resources to manage the volume of real-time application-level alerts

21 Wish List: Real Time Alerts
Step                          When
Access happens & is logged    Monday 8 AM
Log sent to SIEM              Tuesday 6 AM
SIEM processes                Tuesday 5 PM
Someone takes action          ??
24 – 48 hours delay

22 Legislation
- 1996: HIPAA (Health Information Portability and Accountability Act)
- 2002: FISMA (Federal Information Security Management Act)
- 44 state (CT) HIPAA security breach disclosure laws
  – CT: An Act Requiring Consumer Credit Bureaus To Offer Security Freezes
- Red Flag Rule (identity theft)
- Various state PII (Personally Identifiable Information) or SSN laws
  – CT: An Act Concerning the Confidentiality of Social Security Numbers

23 Legislation (continued)
- Stimulus legislation: the American Recovery and Reinvestment Act / Health Information Technology for Economic and Clinical Health Act of 2009 (ARRA/HITECH 2009) requires government audits; meaningful use requirements are tied to stimulus dollars.
- HIPAA HITECH Final Rule: On January 17, 2013, HHS released its Omnibus Final Rule, which modifies provisions of HIPAA, the HITECH Act, and GINA. The Omnibus Final Rule became effective on March 26, 2013, although the first compliance deadline is not scheduled until later this year (September 23, 2013).
- Government enforcement: KPMG auditing (150 random covered entities)
- FTC consumer protection (unfair/deceptive practices)
- Attorney General (pre-breach)

24 ARRA / HITECH 2009
- Security / privacy breach
  – Notification, not required in HIPAA, now required within 60 days
- Penalties and audits
  – Unknown: $100 to $50,000 per violation; max $1.5M by type
  – Reasonable cause: $1,000 to $50,000 per violation; max $1.5M by type
  – Willful neglect (corrected within 30 days): $10,000 to $50,000 per violation; max $1.5M by type
  – Willful neglect (not corrected): $50,000; max $1.5M by type
  – Civil and monetary penalties can be levied against individuals, including possible imprisonment
  – State's Attorney General authorized to file suit on behalf of residents
  – Health and Human Services to conduct periodic audits (KPMG)
- Business Associates (BAs)
  – Subject to administrative, physical, and technical safeguards under HIPAA
  – Subject to civil and criminal penalties
- Accounting requirements
  – Accounting of disclosures of PHI in the EHR system for 3 years prior to the request
- Access to the Electronic Health Record (EHR)
  – Patients' right to an electronic format of the record if the covered entity uses or maintains an EHR
- Incentive aid (Meaningful Use) for EHR estimated at $17B+

25 Cost of a Security Incident
- Financial costs
  – Average breach cost in the range of $7.2 million (Ponemon Institute)
  – Sample breach response costs: $ per medical record
  – Credit monitoring and protections
  – Reimbursing direct costs of identity theft
  – Increase in business insurance
  – Fines and penalties
- Less quantifiable costs
  – Public reputation and lost business
  – Lost productivity responding to the breach
  – Increased regulator scrutiny
  – Compliance plan / consent decree costs may exceed direct legal penalties
  – Jail time
  – Loss of employment

26 Impact of HITECH Final Rule
- "Significant risk of financial, reputational or other harm": the harm test is gone and must not be used after September 23, 2013.
- Presumption of a reportable breach unless, after risk assessment, there is a low probability that PHI has been compromised.
  – Low probability test:
    - Nature and extent of the types of PHI, and likelihood of re-identification
    - Who received the PHI improperly
    - Whether PHI was actually acquired or viewed
    - Extent to which the risk is mitigated
- Business Associate security requirements
  – BAs and subcontractors must be fully compliant with all new rule requirements, including full Security Rule compliance, by September 23, 2013
  – Definition of BA clarified
  – New BAA template: starting March 26, 2013, for any new relationship, or when an existing contract runs out, you must apply the new rule
  – Subcontractors to BAs held to the same standards as the BA

27 Information Security in Healthcare
(Slide graphic: Availability vs. Security)
- Information availability
  – Quality of patient care
  – Most of the time trumps security and confidentiality

28 Protecting Patient Information: Balancing Act II
- Proactive: high maintenance; risky
- Reactive: time consuming; resource intensive; required to detect
- Most industries err on the side of access controls; healthcare is the opposite
- What if ……

29 Access Audit Program
- Self audit
- Family members
- Co-workers
- VIPs: news, known community leaders
- Neighbors
- Random
- Odd pairs
  – Pediatrician and adult male record
- High volume / one-offs
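A minimal version of the audit rules on this slide, as an added example that is not part of the original presentation or of the FairWarning® product: it correlates a constructed access-log extract with a constructed HR roster and patient demographics to flag self access, co-worker access, odd pairs and high-volume users. The user IDs, MRNs, the '|'-separated log format and the volume threshold are all assumptions.

```python
"""Rule-based EHR access audit; all roster, demographic and log data is constructed."""
from collections import Counter

# Constructed HR roster: user ID -> department and the employee's own MRN.
HR = {
    "u100": {"dept": "Pediatrics", "mrn": "M001"},
    "u200": {"dept": "Nursing", "mrn": "M002"},
    "u300": {"dept": "Nursing", "mrn": "M003"},
}
# Constructed patient demographics: MRN -> age, sex, and the user ID if the
# patient is also a member of staff (this is the HR correlation the slides call for).
PATIENTS = {
    "M001": {"age": 41, "sex": "F", "employee": "u100"},
    "M002": {"age": 29, "sex": "F", "employee": "u200"},
    "M003": {"age": 35, "sex": "F", "employee": "u300"},
    "M900": {"age": 52, "sex": "M", "employee": None},
    "M901": {"age": 8, "sex": "F", "employee": None},
}
# Constructed access-log extract: timestamp|user|MRN|action (hypothetical format).
SAMPLE_LOG = [
    "2013-06-03T08:00:00|u100|M001|view",  # pediatrician opens her own chart
    "2013-06-03T08:05:00|u100|M900|view",  # pediatrician opens an adult male chart
    "2013-06-03T08:09:00|u100|M901|view",  # pediatric patient: expected access
    "2013-06-03T09:00:00|u200|M003|view",  # nurse opens a co-worker's chart
    "2013-06-03T09:30:00|u300|M900|view",  # nurse opens adult male: expected
]

def parse(line):
    ts, user, mrn, action = line.split("|")
    return {"ts": ts, "user": user, "mrn": mrn, "action": action}

def audit(lines, volume_threshold=3):
    """Return (user, mrn, rule) findings for the self, co-worker, odd-pair and
    high-volume rules; '*' stands for all records when the rule is per user."""
    events = [parse(line) for line in lines]
    findings = []
    for e in events:
        staff, pat = HR.get(e["user"]), PATIENTS.get(e["mrn"])
        if staff is None or pat is None:
            continue  # unknown user or MRN: cannot correlate, handle separately
        if pat["employee"] == e["user"]:
            findings.append((e["user"], e["mrn"], "self_access"))
        elif pat["employee"] and HR[pat["employee"]]["dept"] == staff["dept"]:
            findings.append((e["user"], e["mrn"], "coworker_access"))
        if staff["dept"] == "Pediatrics" and pat["age"] >= 18 and pat["sex"] == "M":
            findings.append((e["user"], e["mrn"], "odd_pair"))
    for user, n in Counter(e["user"] for e in events).items():
        if n >= volume_threshold:
            findings.append((user, "*", "high_volume"))
    return findings
```

Every finding still has to go through the false-positive elimination step the later slides describe before anyone is contacted.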

30 Audit Process
1. Complaint-driven or proactive audit
2. Open a case in the incident management system
3. Eliminate false positives
4. Managers/supervisors receive an incident response form to complete
5. Manager completes the form and returns it
6. Information entered into the incident management system
7. If HR needs to get involved, they enter the information in the HR database
8. Notification and reporting if a breach is identified
9. Metrics tracked in tried and tested Excel

31 Awareness and Training
Objective: Create an awareness and training program consisting of the following:
- Awareness and training plan design
- Awareness and training material development
- Program implementation, including options for delivery methods (web-based, on-site presentations, classroom, video, articles, etc.) and establishing metrics
- Post-implementation: monitoring effectiveness and achieving established metrics (a.k.a. audits, phishing tests)
- Modify training methods and content based on audit results

32 Training vs. Awareness
Training is direct and measurable. It strives to produce relevant and needed security skills and competencies. The following are examples of possible training methodologies:
- HealthStream modules (this is the primary training strategy for YNHHS)
- Presentations
- Classes/workshops
Awareness is subtly changing people over time. Awareness is not training. The purpose of awareness is simply to focus attention on security; it is intended to allow individuals to recognize IT security concerns and respond accordingly. It is much more difficult to measure. The following are examples of possible methods to achieve awareness:
- reminders
- Videos
- Posters
- Contests
- Articles
- Screen savers
- Web site/intranet

33 Questions?
