Presentation is loading. Please wait.

Presentation is loading. Please wait.

Monitoring Compliance with HIPAA Privacy

Similar presentations

Presentation on theme: "Monitoring Compliance with HIPAA Privacy"— Presentation transcript:

1 Monitoring Compliance with HIPAA Privacy
HIPAA Summit VII Session 1.05 9/15/03 Patricia Johnston, CHP, FHIMSS Texas Health Resources

2 Session Objectives Define the purpose of Compliance Monitoring in a Privacy Program Identify monitoring targets, metrics and methods Present a model for compliance monitoring Provide examples of monitoring tools and reports Basic Assumption for this session: Privacy Program, including policies, procedures and training, is already in place.

3 Agenda Why Privacy Compliance Monitoring? The Monitoring Process
A Monitoring Model Examples Q&A

4 Texas Health Resources Profile
one of the largest faith-based, nonprofit health care delivery systems in the United States. serves more than 5.4 million people living in 29 counties in north central Texas. 13 acute-care hospitals with 2,405 licensed hospital beds, 1 million annual admissions. more than 17,000 employees, more than 3,200 physicians with active staff privileges.

5 Privacy Program Organization
System Compliance (System Privacy Officer) Design & Develop System Privacy/ Security Committee Coordinate & Collaborate Discuss how policies, systems and training was developed at a system level for deployment across the 13 hospitals using entity-specific processes and procedures. Entity Privacy Officers Implement & Monitor Entity Privacy Committees

6 Why Privacy Compliance Monitoring?
To ensure program goals for confidential protection of health information are achieved. To determine if policies, procedures and programs are being followed (protect our investment). To minimize consequences of privacy failures through early detection and remediation. To provide feedback necessary for privacy program improvement. To demonstrate to the workforce and the community at large, organizational commitment to health information privacy. We’ve all spent a lot of time and money on this, but it won’t achieve the desired result unless we stay on top of it. List the reasons. The last reason - demonstration of commitment - will have a great impact on organizational behavior. Showing that compliance will be monitored and evaluated, and that non-compliance will have consequences, is critical.

7 The Monitoring Process
Establish goals & objectives What? Define target areas for review How? Define metrics & methods When? Establish frequency Read the steps As you can see, results of the actual monitoring will potentially drive modifications or changes to how the monitoring is performed. The loop needs to be closed, so that the monitoring process along with the overall Privacy Program is refined and improved based on feedback from the monitoring results. Perform monitoring Act on results

8 The Monitoring Process
Many options for target areas and populations, metrics and methods of measurement. Monitoring must be designed to demonstrate the implementation and achievement of the privacy program goals. Cost/benefit balance must be achieved. bullet two: for example, depends on if your goals are to be compliant versus to demonstrate best practice bullet 3: the value of the measurements must be worth the investment it takes to perform the measurements. Degree of Risk Cost to Monitor

9 The monitoring process
Establish goals and objectives Identify monitoring goals based on privacy program objectives, risk assessment, feedback from incident reporting system, and cost/benefit analysis. Determine the baseline (risk assessment). Identify the desired outcomes (where do we want to be?). Most original risk assessments and gap analysis identified the required policies and processes that need to be in place. This may or may not be an adequate baseline for measuring actual compliance with developed policies and processes. Most of us don't have baseline data on privacy breaches, for example. We may be developing our baseline this first year, against which future progress will be measures.

10 The monitoring process
Establish goals and objectives Broad goals PHI is secured using appropriate physical and technical security techniques. Privacy program will be a differentiator with our customers. Specific goals 100% of PC placement is in compliance with workstation guidelines. No more than 3 privacy complaints filed per quarter. It is difficult to set goals around complaints. In a sense, a high number could be considered a positive indicator that the process is working and people know how to address their complaints. Might be better to establish goals around numbers of verified privacy breaches decreasing, or measuring response time to patient complaints.

11 The monitoring process
Define target areas to review (what?) Identify high risk areas If not properly performed, pose a high probability of a breach and/or consequences are of high magnitude (e.g., release of information areas, high profile patients). Identify high volume areas Law of averages says there is potential for problems here (e.g., emergency departments) Identify problem-prone areas Complex functions that are difficult to achieve (e.g., accounting of disclosures). one of our high risk areas is the OR, due to the amount of third parties present, as well as the urgent nature of its operations. Another problem-prone area is identity verification over the telephone. Can you think of other high risk, high-volume or problem-prone areas, from your experience?

12 The monitoring process
Define target areas to review (what?) Define minimum standards for routine monitoring in order to reinforce compliance (e.g., each department reviewed annually). Determine the ability to readily collect the needed data (may not be feasible or cost-effective to measure). If results for a target area are always good, measure something else. Incident reporting should identify key targets. Regardless of high-profile target areas, all departments need a minimum amount of monitoring. If nothing else, it keeps everyone on their toes and prevents complacency from setting in. As you start tracking privacy incidents the data will help point you to key target areas for review.

13 The monitoring process
Define metrics and methods (how?) Target Metric Method Compliance with Notice Policy Required workforce training Providing patients with access to their PHI Signed Acknowledgment of receipt of Notice % of workforce trained Number of access requests fulfilled within timeframes Chart audits or computer system documentation Learning management system reports or class rosters. Document all requests processed in ROI system; or file request forms and perform periodic sampling. monitoring training can focus on total completion rates, on completion within certain timeframes (within 30 days of hiring, for example) or on demonstrated effectiveness/comprehension (average training test scores, for example).

14 The monitoring process
Define metrics and methods (how?) Chart audits (required documentation) Computer system audit reports (access controls) Walkthroughs (observations of compliance) Surveys and interviews (workforce awareness, patient satisfaction) Drills (hypothetical issues presented to staff) “Mystery Shoppers” (try to “break the system”)

15 The monitoring process
Establish frequency (when?) Ongoing (high risk areas) Quarterly (past problem areas, new policies and procedures) Annually (departmental reviews) Informally (e.g., workstation placement) Formally (e.g., business associate contracts) Perform Monitoring

16 The Monitoring Process
Reporting Document results Compare results to objectives Identify non-compliant areas Highlight areas for root cause analysis Document areas for special attention in future monitoring Identify trends

17 The monitoring process
Act on results (so what?) If no analysis and action, monitoring is a waste of time If results consistently meet expectations, monitor something else Monitor Act Analyze

18 The monitoring process
Act on results Things that can cause problems include: Unclear policies and procedures Inconsistent (or non-existent) enforcement of policies and procedures Ineffective training Lack of employee motivation

19 The monitoring process
Act on results Take corrective action Revise policies and procedures Refine or focus training Redesign processes Tighten supervision Modify monitoring program Re-monitor for compliance within 2 to 4 weeks after corrective action is taken. Continue quarterly monitoring for some period, or flag for future monitoring reviews. Often, the corrective action will translate into important refreshers and reminders to be communicated to the workforce at large. We compile information from our monitoring into helpful hints to be sent to specific audiences to increase awareness and compliance.

20 A Monitoring Model What How When What How When What How When What How
Monitoring goals & targets Metrics & Methods Frequency What How When Compliance With P&P Chart audits Observation Surveys Variable Policies What How When Training All workforce trained Training Reports Monthly Now let's take these principles and apply them to a monitoring model. In this particular model, we have decided to monitor compliance with some of our key policies, with our training goals, and wil the safeguards that have been put into place for Privacy Rule compliance. For each area, the what/how/when questions were asked and answered. What How When Safeguards Implemented Safeguards Walkthrough Quarterly Annually

21 A Monitoring Model Compliance with Policies
Monitoring the organization’s compliance with its own policies, not whether or not the policies are compliant with the Privacy Rule. This is a key point. Determining if you have adequate or compliant policies is one issue. Determining if your organization is compliant with your policies is another issue entirely.

22 Request an accounting; reconcile with chart
A Monitoring Model What How When Monitoring goals & targets Metrics & Methods Policies Frequency What How When Accounting Of Disclosures All required disclosures are tracked Request an accounting; reconcile with chart Quarterly Notice of Privacy Practices What How When Acknowledgmnt signed Chart Audit Quarterly Here we have determined that three key policies that are potentially problem-prone include the accounting of disclosures, Notice of Privacy Practices and Role-Based Access. Review each one ... What How When Role-Based Access Need-to-know Access only System audit logs Variable

23 Monitoring Model Role-based access
Utilize information system audit capabilities. Determine criteria for audit: Random By patient By staff role Sensitivity of data High-profile patients All new employees during first 60 days

24 Monitoring Model Role-based access
Requires maximization of system auditing capabilities. Consider the vulnerabilities of the system when deciding how stringent controls should be. Must determine audit log retention needs. Assignment of responsibility is key.

25 Monitoring Model - Training
Documentation of training of workforce as of April 14, 2003 Training of new employees Within pre-defined timeframe Training of students, volunteers, medical staff Training of contractors Average training scores Refresher training In response to privacy incidents In response to results of monitoring In response to new policies or procedures Document, track and report

26 Monitoring Model - Safeguards
Monitor by “walking around” Develop checklists Formal, informal Track number of observances of non-compliance Reward good practices

27 Monitoring Model - Safeguards
Areas to review PHI in trash or unsecured recycle bins Workstations not logged off or securely positioned Discussion of confidential information among staff in public areas PHI in open view in hallways, on desks PHI left on faxes, printers PHI on whiteboards Doors propped open Sharing passwords Dictation conducted in public areas Business visitors not badged or signed in

28 Monitoring Model – Business Associates
Monitor compliance from two aspects Have you identified all of your business associates? Do you have required contract terms with your business associates? Ongoing challenge for most organizations Periodic sampling of invoices Reports from contract management systems Periodic departmental surveys Random sampling of contracts

29 Monitoring Model - Documentation
Ensure that required documentation is in place: Authorizations, court orders, subpoenas, satisfactory assurances Requests and responses for access, amendment and restrictions Documentation of disclosures available for accounting Accounting requests and responses

30 Monitoring Model - Documentation
Ensure that required documentation is in place: Complaints and resolutions Privacy incident investigations Marketing and fundraising opt-out requests Minimum necessary protocols Current and past Notice of Privacy Practices Training records Policies and procedures

31 Monitoring Model - Documentation
Ensure that required documentation is in place: Patient acknowledgement of receipt of Notice Designation of affiliated covered entity Business Associate contracts Data Use agreements Research waiver requests and approvals Definition of designated record sets

32 Monitoring Model - Documentation
Ensure that required documentation is in place: Title/Office of: person responding to access and amendment requests person responding to complaints privacy official This requires designation of exactly where the documentation will be stored and who is responsible for it.

33 Key Steps - Summary Identify targets for monitoring, based on program objectives, risk assessment, feedback from incident reporting system, cost/benefit analysis Establish metrics and methods Create baseline and performance goals Design tools Conduct monitoring Report results Analyze results Take corrective action Monitor again

34 Examples Monitoring Plan Walkthrough Checklist Survey
Documentation Audit Chart Audit Training and Incident Reports Drills and Mystery Shoppers

35 Compliance Monitoring Plan
This is a sample of a compliance monitoring plan, that establishes the metrics, how they will be measured, the frequency, and the performance goals. Read the details ... A compliance monitoring plan that is formally reviewed and understood is critical to the success of the Privacy Program.

36 Walkthrough Checklist
There are so many areas that can be reviewed. We are requiring each of our hospitals to develop an annual review schedule that ensures all departments are reviewed at least once a year. In some cases these review areas are incorporated into already established reviews such as safety reviews or environment of care reviews. Additionally, problem-prone or high risk areas, are reviewed more frequently. Read the review areas ...

37 Surveys - Examples Employee Awareness Patient Satisfaction 1 2 3 4 5
Don’t Completely Agree Agree Patient Satisfaction I know what a privacy breach is. I know how to report a privacy breach. I can locate our privacy policies. I understand how to protect health information on my computer. I understand when I need a patient authorization to release information. I know what patient information is allowable to use for fundraising. I understand patient’s privacy rights. I am confident my health information is treated confidentially by [hospital name]. I am aware of how the hospital uses my health information. I understand my rights regarding my health information. I know how to register a complaint concerning confidential treatment of my health information. I am satisfied with the protection of my health information.

38 Documentation Audit

39 Chart Audit

40 Training Completion Discuss why training scores were rejected as a metric (required a minimum passing score anyway).

41 Incident Reporting

42 Drills and Mystery Shoppers
Ask staff how they respond to amendment requests. How does an incident get reported? What documentation is required with a subpoena? What identifiers need removal to de-identify PHI? Request information over the phone. Start reviewing medical charts. Ask for a password. Pretend to be a family member with a privacy complaint. Access “secured” areas.


Download ppt "Monitoring Compliance with HIPAA Privacy"

Similar presentations

Ads by Google