Presentation on theme: "Monitoring Compliance with HIPAA Privacy"— Presentation transcript:
1Monitoring Compliance with HIPAA Privacy HIPAA Summit VIISession 1.059/15/03Patricia Johnston, CHP, FHIMSSTexas Health Resources
2Session ObjectivesDefine the purpose of Compliance Monitoring in a Privacy ProgramIdentify monitoring targets, metrics and methodsPresent a model for compliance monitoringProvide examples of monitoring tools and reportsBasic Assumption for this session: Privacy Program, including policies, procedures and training, is already in place.
3Agenda Why Privacy Compliance Monitoring? The Monitoring Process A Monitoring ModelExamplesQ&A
4Texas Health Resources Profile one of the largest faith-based, nonprofit health care delivery systems in the United States.serves more than 5.4 million people living in 29 counties in north central Texas.13 acute-care hospitals with 2,405 licensed hospital beds, 1 million annual admissions.more than 17,000 employees, more than 3,200 physicians with active staff privileges.
5Privacy Program Organization System Compliance(System Privacy Officer)Design &DevelopSystemPrivacy/SecurityCommitteeCoordinate &CollaborateDiscuss how policies, systems and training was developed at a system level for deployment across the 13 hospitals using entity-specific processes and procedures.Entity Privacy OfficersImplement &MonitorEntity Privacy Committees
6Why Privacy Compliance Monitoring? To ensure program goals for confidential protection of health information are achieved.To determine if policies, procedures and programs are being followed (protect our investment).To minimize consequences of privacy failures through early detection and remediation.To provide feedback necessary for privacy program improvement.To demonstrate to the workforce and the community at large, organizational commitment to health information privacy.We’ve all spent a lot of time and money on this, but it won’t achieve the desired result unless we stay on top of it.List the reasons.The last reason - demonstration of commitment - will have a great impact on organizational behavior. Showing that compliance will be monitored and evaluated, and that non-compliance will have consequences, is critical.
7The Monitoring Process Establish goals& objectivesWhat?Define targetareas for reviewHow?Define metrics& methodsWhen?EstablishfrequencyRead the stepsAs you can see, results of the actual monitoring will potentially drive modifications or changes to how the monitoring is performed. The loop needs to be closed, so that the monitoring process along with the overall Privacy Program is refined and improved based on feedback from the monitoring results.PerformmonitoringAct onresults
8The Monitoring Process Many options for target areas and populations, metrics and methods of measurement.Monitoring must be designed to demonstrate the implementation and achievement of the privacy program goals.Cost/benefit balance must be achieved.bullet two: for example, depends on if your goals are to be compliant versus to demonstrate best practicebullet 3: the value of the measurements must be worth the investment it takes to perform the measurements.Degree of RiskCost to Monitor
9The monitoring process Establish goals and objectivesIdentify monitoring goals based on privacy program objectives, risk assessment, feedback from incident reporting system, and cost/benefit analysis.Determine the baseline (risk assessment).Identify the desired outcomes (where do we want to be?).Most original risk assessments and gap analysis identified the required policies and processes that need to be in place. This may or may not be an adequate baseline for measuring actual compliance with developed policies and processes. Most of us don't have baseline data on privacy breaches, for example. We may be developing our baseline this first year, against which future progress will be measures.
10The monitoring process Establish goals and objectivesBroad goalsPHI is secured using appropriate physical and technical security techniques.Privacy program will be a differentiator with our customers.Specific goals100% of PC placement is in compliance with workstation guidelines.No more than 3 privacy complaints filed per quarter.It is difficult to set goals around complaints. In a sense, a high number could be considered a positive indicator that the process is working and people know how to address their complaints. Might be better to establish goals around numbers of verified privacy breaches decreasing, or measuring response time to patient complaints.
11The monitoring process Define target areas to review (what?)Identify high risk areasIf not properly performed, pose a high probability of a breach and/or consequences are of high magnitude (e.g., release of information areas, high profile patients).Identify high volume areasLaw of averages says there is potential for problems here (e.g., emergency departments)Identify problem-prone areasComplex functions that are difficult to achieve (e.g., accounting of disclosures).one of our high risk areas is the OR, due to the amount of third parties present, as well as the urgent nature of its operations.Another problem-prone area is identity verification over the telephone.Can you think of other high risk, high-volume or problem-prone areas, from your experience?
12The monitoring process Define target areas to review (what?)Define minimum standards for routine monitoring in order to reinforce compliance (e.g., each department reviewed annually).Determine the ability to readily collect the needed data (may not be feasible or cost-effective to measure).If results for a target area are always good, measure something else.Incident reporting should identify key targets.Regardless of high-profile target areas, all departments need a minimum amount of monitoring. If nothing else, it keeps everyone on their toes and prevents complacency from setting in.As you start tracking privacy incidents the data will help point you to key target areas for review.
13The monitoring process Define metrics and methods (how?)Target Metric MethodCompliance with Notice PolicyRequired workforce trainingProviding patients with access to their PHISigned Acknowledgment of receipt of Notice% of workforce trainedNumber of access requests fulfilled within timeframesChart audits or computer system documentationLearning management system reports or class rosters.Document all requests processed in ROI system; or file request forms and perform periodic sampling.monitoring training can focus on total completion rates, on completion within certain timeframes (within 30 days of hiring, for example) or on demonstrated effectiveness/comprehension (average training test scores, for example).
14The monitoring process Define metrics and methods (how?)Chart audits (required documentation)Computer system audit reports (access controls)Walkthroughs (observations of compliance)Surveys and interviews (workforce awareness, patient satisfaction)Drills (hypothetical issues presented to staff)“Mystery Shoppers” (try to “break the system”)
15The monitoring process Establish frequency (when?)Ongoing (high risk areas)Quarterly (past problem areas, new policies and procedures)Annually (departmental reviews)Informally (e.g., workstation placement)Formally (e.g., business associate contracts)Perform Monitoring
16The Monitoring Process ReportingDocument resultsCompare results to objectivesIdentify non-compliant areasHighlight areas for root cause analysisDocument areas for special attention in future monitoringIdentify trends
17The monitoring process Act on results (so what?)If no analysis and action, monitoring is a waste of timeIf results consistently meet expectations, monitor something elseMonitorActAnalyze
18The monitoring process Act on resultsThings that can cause problems include:Unclear policies and proceduresInconsistent (or non-existent) enforcement of policies and proceduresIneffective trainingLack of employee motivation
19The monitoring process Act on resultsTake corrective actionRevise policies and proceduresRefine or focus trainingRedesign processesTighten supervisionModify monitoring programRe-monitor for compliance within 2 to 4 weeks after corrective action is taken.Continue quarterly monitoring for some period, or flag for future monitoring reviews.Often, the corrective action will translate into important refreshers and reminders to be communicated to the workforce at large. We compile information from our monitoring into helpful hints to be sent to specific audiences to increase awareness and compliance.
20A Monitoring Model What How When What How When What How When What How Monitoring goals& targetsMetrics &MethodsFrequencyWhatHowWhenComplianceWith P&PChart auditsObservationSurveysVariablePoliciesWhatHowWhenTrainingAll workforcetrainedTraining ReportsMonthlyNow let's take these principles and apply them to a monitoring model. In this particular model, we have decided to monitor compliance with some of our key policies, with our training goals, and wil the safeguards that have been put into place for Privacy Rule compliance.For each area, the what/how/when questions were asked and answered.WhatHowWhenSafeguardsImplementedSafeguardsWalkthroughQuarterlyAnnually
21A Monitoring Model Compliance with Policies Monitoring the organization’s compliance with its own policies, not whether or not the policies are compliant with the Privacy Rule.This is a key point. Determining if you have adequate or compliant policies is one issue. Determining if your organization is compliant with your policies is another issue entirely.
22Request an accounting; reconcile with chart A Monitoring ModelWhatHowWhenMonitoring goals& targetsMetrics &MethodsPoliciesFrequencyWhatHowWhenAccountingOfDisclosuresAll requireddisclosures aretrackedRequest an accounting; reconcile with chartQuarterlyNotice ofPrivacyPracticesWhatHowWhenAcknowledgmntsignedChart AuditQuarterlyHere we have determined that three key policies that are potentially problem-prone include the accounting of disclosures, Notice of Privacy Practices and Role-Based Access.Review each one ...WhatHowWhenRole-BasedAccessNeed-to-knowAccess onlySystem audit logsVariable
23Monitoring Model Role-based access Utilize information system audit capabilities.Determine criteria for audit:RandomBy patientBy staff roleSensitivity of dataHigh-profile patientsAll new employees during first 60 days
24Monitoring Model Role-based access Requires maximization of system auditing capabilities.Consider the vulnerabilities of the system when deciding how stringent controls should be.Must determine audit log retention needs.Assignment of responsibility is key.
25Monitoring Model - Training Documentation of training of workforce as of April 14, 2003Training of new employeesWithin pre-defined timeframeTraining of students, volunteers, medical staffTraining of contractorsAverage training scoresRefresher trainingIn response to privacy incidentsIn response to results of monitoringIn response to new policies or proceduresDocument, track and report
26Monitoring Model - Safeguards Monitor by “walking around”Develop checklistsFormal, informalTrack number of observances of non-complianceReward good practices
27Monitoring Model - Safeguards Areas to reviewPHI in trash or unsecured recycle binsWorkstations not logged off or securely positionedDiscussion of confidential information among staff in public areasPHI in open view in hallways, on desksPHI left on faxes, printersPHI on whiteboardsDoors propped openSharing passwordsDictation conducted in public areasBusiness visitors not badged or signed in
28Monitoring Model – Business Associates Monitor compliance from two aspectsHave you identified all of your business associates?Do you have required contract terms with your business associates?Ongoing challenge for most organizationsPeriodic sampling of invoicesReports from contract management systemsPeriodic departmental surveysRandom sampling of contracts
29Monitoring Model - Documentation Ensure that required documentation is in place:Authorizations, court orders, subpoenas, satisfactory assurancesRequests and responses for access, amendment and restrictionsDocumentation of disclosures available for accountingAccounting requests and responses
30Monitoring Model - Documentation Ensure that required documentation is in place:Complaints and resolutionsPrivacy incident investigationsMarketing and fundraising opt-out requestsMinimum necessary protocolsCurrent and past Notice of Privacy PracticesTraining recordsPolicies and procedures
31Monitoring Model - Documentation Ensure that required documentation is in place:Patient acknowledgement of receipt of NoticeDesignation of affiliated covered entityBusiness Associate contractsData Use agreementsResearch waiver requests and approvalsDefinition of designated record sets
32Monitoring Model - Documentation Ensure that required documentation is in place:Title/Office of:person responding to access and amendment requestsperson responding to complaintsprivacy officialThis requires designation of exactly where the documentation will be stored and who is responsible for it.
33Key Steps - SummaryIdentify targets for monitoring, based on program objectives, risk assessment, feedback from incident reporting system, cost/benefit analysisEstablish metrics and methodsCreate baseline and performance goalsDesign toolsConduct monitoringReport resultsAnalyze resultsTake corrective actionMonitor again
34Examples Monitoring Plan Walkthrough Checklist Survey Documentation AuditChart AuditTraining and Incident ReportsDrills and Mystery Shoppers
35Compliance Monitoring Plan This is a sample of a compliance monitoring plan, that establishes the metrics, how they will be measured, the frequency, and the performance goals.Read the details ...A compliance monitoring plan that is formally reviewed and understood is critical to the success of the Privacy Program.
36Walkthrough Checklist There are so many areas that can be reviewed. We are requiring each of our hospitals to develop an annual review schedule that ensures all departments are reviewed at least once a year. In some cases these review areas are incorporated into already established reviews such as safety reviews or environment of care reviews.Additionally, problem-prone or high risk areas, are reviewed more frequently.Read the review areas ...
37Surveys - Examples Employee Awareness Patient Satisfaction 1 2 3 4 5 Don’t CompletelyAgree AgreePatient SatisfactionI know what a privacy breach is.I know how to report a privacy breach.I can locate our privacy policies.I understand how to protect health information on my computer.I understand when I need a patient authorization to release information.I know what patient information is allowable to use for fundraising.I understand patient’s privacy rights.I am confident my health information is treated confidentially by [hospital name].I am aware of how the hospital uses my health information.I understand my rights regarding my health information.I know how to register a complaint concerning confidential treatment of my health information.I am satisfied with the protection of my health information.
42Drills and Mystery Shoppers Ask staff how they respond to amendment requests.How does an incident get reported?What documentation is required with a subpoena?What identifiers need removal to de-identify PHI?Request information over the phone.Start reviewing medical charts.Ask for a password.Pretend to be a family member with a privacy complaint.Access “secured” areas.