Pam Matthews, FHIMSS Director of Business Information Systems Business Information Systems is focused around administrative and financial information technology while strengthening the balance and integration between clinical and business initiatives related to EHR, interoperability, healthcare information exchanges and advocacy. October 17, 2006 2nd NHIN Forum

Auditing Data Ideally…. Tracking your organization’s ‘data activity’ both inside and outside the organization To Ensure: The Right Person (end user ~ staff, providers, external & internal) Accesses the Right Software Application Accesses the Right Patient Accesses the Right Data (clinical & financial information) Performs the Right Function (add, change, delete, view) …..And by the way, when & where (location)

Auditing Data Technology and Manpower Issues: Technology: software applications, network, other middleware products, reporting tools for audit reports, etc. Manpower: manage report generation & distribution; actual utilization of reports, etc. Issues: Does the technology capture ALL desired/required data elements? What is the ease of using the automated reporting tools? Unplanned/unbudgeted expenses Proper use of logins/access: Data Quality How can an organization accomplish success in a cost effective and resource efficient manner ? Costs for technical solutions & tools Costs of Information Systems Staff in time and energy Cost of Operational Staff Resources who are users of the audit reporting including those with responsibilities with security/privacy, legal, compliance and others

Auditing Data ……..not IT Driven Gap Analysis: Organizational Driven Determine what you can do immediately, Identify what you can leverage for the future, .. And what your future Security Technical Strategy Integrated into the Information Systems Strategic Plan … And how it fits into the organizational Privacy & Security management program Based on the business: Business internal to the organization Business external to the organization Organizational Driven ……..not IT Driven

How much risk is an organization willing to assume ? The Organizational Challenge Balancing the Need with the Risk How much risk is an organization willing to assume ? Organizational Needs CEO, CFO, COO Medical Staff Budgets New Revenue Generating Services Retooling Existing Services & Infrastructure Privacy & Security, Legal & Liability, Compliance

Auditing Data Privacy & Security Education What to do? Provide education opportunities top down within the organization Develop appreciation for data Role and importance in privacy & security Identify organizational risks, sample case studies Support driving P & S organizational program development Include role of data auditing Provide end user training around case studies around best use of data audit programs Policies and Procedures Identify best practices: integrate with operational practices & processes

Auditing Data Future Challenges & Future Lessons to Learn: Auditing data across health information exchanges including RHIOs, HIEs and with the future NHIN Criticality of the data Data oversight once distributed; trust relation Provide data auditing in a consistent, cost efficient and efficient manner that produces high level of data quality PHR – Consumer education The Right Person; Accesses the Right Software, the Right Patient, the Right Data