Is Your EHR Safe? New Technologies for Auditing

50 %
50 %
Information about Is Your EHR Safe? New Technologies for Auditing
Health & Medicine

Published on April 25, 2014

Author: compliancygroup

Source: slideshare.net

Description

U.S. legislation such as the Affordable Care Act, HIPAA and HITECH outline rules governing the appropriate use of personal health information (PHI). Unfortunately, current technologies do not adequately monitor PHI use. In particular, while electronic medical records (EMR) systems maintain detailed audit logs that record each access to PHI, the logs contain too many accesses for compliance officers to practically monitor, putting PHI at risk. In this talk I will present the explanation-based auditing system, which aims to filter appropriate accesses from the audit log so compliance officers can focus their efforts on suspicious behavior. The underlying premise of the system is that most appropriate accesses to medical records occur for valid clinical or operational reasons in the process of treating a patient, while inappropriate accesses do not. I will discuss how explanations for accesses (1) capture these clinical and operational reasons, (2) can be mined directly from the EMR database, (3) can be enhanced by filling-in frequently missing types of data, and (4) can drastically reduce the auditing burden.

855.85HIPAA   www.compliancygroup.com   Industry leading Education Certified Partner Program •  Please ask questions •  For todays Slides http://compliancy-group.com/ slides023/ •  Todays & Past webinars go to: http://compliancy-group.com/ webinar/ Get Involved. #cgwebinar

ì   Daniel  Fabbri   Founder  &  CEO  of  Maize  Analy5cs   Assistant  Professor  at  Vanderbilt  University  

Electronic  Medical  Records  

Problem:  Insecure  Data   1.  Open  access  environment   2.  Millions  of  accesses  per  week   3.  Pa<ent  care  is  dynamic  

Regulations     HIPAA,  HITECH,  and  Affordable  Care  Act   •  Minimal  requirements  to  access  PHI   •  Security  monitoring  requirements   •  Penal<es  and  fines  for  breaches  

Paper-­‐Bag  Security   “Nancy,  I’m  not  sure  that’s  what  HIPAA  had  in  mind.”    

Basic  Security  Mechanisms                  Fine-­‐grained  access  controls              Permission  escala<on            “Are  you  sure  you  want  to  con<nue?”  WARNING  

Current  Approaches                    Compliance  officers  manually  review  complaints          Flag  “suspicious”  types  of  accesses    (i)  Same  last  name,  (ii)  co-­‐workers,  (iii)  neighbors    

Audit  Limitations   ì  Most  accesses  audited  are  appropriate   ì  Inves<ga<ons  can  take  days  or  weeks  to  complete   ì  Poten<al  alert  avalanches  (turn  system  off)  

Objective       Provide  compliance  officers  the  ability  to     quickly  and  accurately     find  inappropriate  access  from  audit  logs.    

Observation   Most  appropriate  accesses  occur  for  valid  clinical  or  opera5onal  reasons.        “Authorized    access    is     limited    to    those    with    the       need    to    know    for    purposes     of    pa5ent    care,    billing,     medical    record    review    and     quality      assurance.”   University  of  Michigan  Health  System  Screen  Saver  

Explanation-­‐Based  Auditing  System  (EBAS)   !""#$%&'()*+",%-%.$-/0%123)!435.-6) 7235&%,) 82&$#3)90) :42#;):) :<) :=) !435>)?$6) @%,53)82%1$-) A$#)!&&211B) !""#$"#5%>2) C41"5&5$41) 7235&%,) 82&$#3) <D) E) Filter  accesses  so  there  are  fewer  for  manual  review.   i  

Filter  Based  On  Data  Stored  In  The  EMR  

What  is  an  Explanation?   nation Graph Evidence->Audit Log->Employee ID Evidence->Audit Log->Patient ID Evidence->Appointment->Patient ID Evidence->Appointment->Employee ID Connec<on  between  the  pa*ent  and  employee  accessing  the  pa<ent’s  record  

Explanation  Recommendations     Find  frequently  occurring  explana*ons    Graph  search  problem   Recommend  explana*ons  to  compliance  officers    Approve  correct  explana<ons    Use  to  filter  future  appropriate  accesses  

Limitations     Basic  explana<ons  are  effec<ve  for  doctors,  not  suppor<ng  staff  (e.g.,  nurses,  pharmacists,  central  staffing,  etc.)         Appointments  are  made  with  doctors,  not  nurses.     This  lack  of  data  causes  missed  explana5ons  

Enhance  Explanations   1.  Automa*cally  fill-­‐in  missing  data:    Oncologists  treat  cancer  pa5ents    Pediatric  nurses  work  with  pediatric  physicians           Pediatric  nurse   Pediatric  physician   Hospital  Employees  

Enhance  Explanations   Explanation-Based Auditing False 0.500 Medication + Department View False 0.167 Icd + Department To Icd + Department View Evidence->Audit Log->Employee ID Evidence->Audit Log->Patient ID Employee Info->Department->Info Value Employee Info->Department->Employee ID Department to ICD->Department To Department to ICD->Department To Icd->depart Patient Info->Icd->Patient ID Patient Info->Icd->Info Value 1.  Automa*cally  fill-­‐in  missing  data:    Oncologists  treat  cancer  pa5ents    Pediatric  nurses  work  with  pediatric  physicians     2.  Mine  new  explana*ons:        “The  access  occurred  because     Dr.  Dave  is  an  oncologist,     oncologists  treat  cancer     and  Alice  has  cancer”  

High-­‐Level  Results        95%  of  accesses  in  one-­‐week  sample  filtered      with  high  precision      Ongoing  trials  at  major  hospitals  to  evaluate  effec<veness   See  VLDB  2011,  JAMIA  2012  publica<ons  

Practical  Example   ì  US  hospital  audited  accesses  for  1  pa<ent  over  a  few  weeks   ì  500+  accesses  normally  audited  manually   ì  EBAS  filtered  the  list  down  to  5  for  manual  review  

Integrated  Analytics   ì  Search  for  outliers,  then  drill  down  with  EBAS   Analyze  high  usage     employees  

Deployment     Many  hospitals  will  not  release  data  to  the  cloud…yet       Hospitals  download  VM  and  run  locally!    

Data  Extraction   How  to  get  data  into  the  audi<ng  system?         Repor<ng  System  (e.g.,  Epic’s  Clarity)   Text  File   All  within  the  hospital  

Investigation  Management  

Short  Video  Summary       Pufng  the  pieces  together!   hhps://www.youtube.com/watch?v=gDEcgVwIgSU    

Why  Use  EBAS?   busy  /  too  many  audits  /  too  much  manual  effort    need  for  automa5on  /  need  for  improved  HIPAA  procedures   worried  about  OCR  audits  /  want  more  proac5ve  tools   want  published  &  peer-­‐reviewed  technology     looking  for  a  different  approach  to  audi5ng     Email  us  for  faster  HIPAA  audits!   info@MaizeAnaly5cs.com   26  

Questions?  

Free  Demo  and  60  Day  Evaluation   www.compliancy-­‐group.com     855  85  HIPAA  (855.854.4722)   The Guard: One Simple, cost effective Compliance Tracking Solution that satisfies HIPAA, HITECH Risk Assessment, & Omnibus Compliance •  Guaranteed HIPAA Audit Protection •  Gap Identification & Remediation Plans •  Built in Training, Policies & Procedures •  Business Associate Agreements Included •  HIPAA Hotline Support •  Experienced HIPAA Coach Implementation

Add a comment

Related presentations

Related pages

Is Your EHR Safe? New Technologies for Auditing

←Business Associate and HIPAA Compliance Infographic FREE HIPAA Whitepaper: How to Disappoint Your HIPAA Auditors and Gain the Respect of Your Board of ...
Read more

Is Your EHR Safe? New Technologies for Auditing ...

About. Our Story; Total HIPAA Solution; Demo; Solutions. HIPAA Compliance Software; HIPAA Compliance for Covered Entities; HIPAA Compliance for Business ...
Read more

Apr 18 : Is Your EHR Safe? New Technologies For Auditing ...

EMR INDUSTRY > Webinars > Apr 18 : Is Your EHR Safe? New Technologies for Auditing
Read more

Is Your EHR Safe? New Technologies for Auditing - MedCity ...

Nominate your favorite game changer in the 50+ healthcare market to be among the 50+ Innovation Leaders. Deadline Nov. 30. INVEST 2017, a national ...
Read more

Is Your EHR Safe? New Technologies for Auditing - Health ...

Home; Health & Medicine; Is Your EHR Safe? New Technologies for Auditing
Read more

FREE HIPAA Webinar: Is your EHR Safe? New Technologies for ...

Join us for our upcoming webinar “Is your EHR Safe? New Technologies for Auditing” Thursday April 24 th 2:00pm – 3:30 EST. U.S. legislation such as ...
Read more

Understanding The Relationship Between Meaningful Use And ...

Understanding The Relationship Between Meaningful Use ... Is Your EHR Safe? New Technologies for Auditing. ... Don’t worry your information is safe with ...
Read more

Auditing - Flash Technologies - Documents

Is Your EHR Safe? New Technologies for Auditing U.S. legislation such as the Affordable Care Act, HIPAA and HITECH outline rules governing the appropriate ...
Read more