Published on April 25, 2014
855.85HIPAA www.compliancygroup.com Industry leading Education Certified Partner Program
• Please ask questions
• For today's slides: http://compliancy-group.com/slides023/
• For today's and past webinars go to: http://compliancy-group.com/webinar/
Get Involved. #cgwebinar
Daniel Fabbri, Founder & CEO of Maize Analytics, Assistant Professor at Vanderbilt University
Electronic Medical Records
Problem: Insecure Data
1. Open access environment
2. Millions of accesses per week
3. Patient care is dynamic

Regulations: HIPAA, HITECH, and Affordable Care Act
• Minimal requirements to access PHI
• Security monitoring requirements
• Penalties and fines for breaches
Paper-Bag Security: “Nancy, I’m not sure that’s what HIPAA had in mind.”

Basic Security Mechanisms
• Fine-grained access controls
• Permission escalation (warning dialog: “Are you sure you want to continue?”)
Current Approaches
• Compliance officers manually review complaints
• Flag “suspicious” types of accesses: (i) same last name, (ii) co-workers, (iii) neighbors

Audit Limitations
• Most accesses audited are appropriate
• Investigations can take days or weeks to complete
• Potential alert avalanches (turn system off)
Objective: Provide compliance officers the ability to quickly and accurately find inappropriate access from audit logs.

Observation: Most appropriate accesses occur for valid clinical or operational reasons. “Authorized access is limited to those with the need to know for purposes of patient care, billing, medical record review and quality assurance.” (University of Michigan Health System screen saver)
Explanation-Based Auditing System (EBAS)
[Figure: EBAS diagram; labels not recoverable]
Filter accesses so there are fewer for manual review.
Filter Based On Data Stored In The EMR
What is an Explanation?
Connection between the patient and the employee accessing the patient’s record.
[Figure: explanation graph with the path]
Evidence->Audit Log->Employee ID
Evidence->Audit Log->Patient ID
Evidence->Appointment->Patient ID
Evidence->Appointment->Employee ID
Explanation Recommendations
• Find frequently occurring explanations (a graph search problem)
• Recommend explanations to compliance officers
• Approve correct explanations
• Use them to filter future appropriate accesses

Limitations
Basic explanations are effective for doctors, not supporting staff (e.g., nurses, pharmacists, central staffing, etc.). Appointments are made with doctors, not nurses. This lack of data causes missed explanations.
Enhance Explanations
1. Automatically fill in missing data:
   • Oncologists treat cancer patients
   • Pediatric nurses work with pediatric physicians
[Figure labels: Pediatric nurse, Pediatric physician, Hospital Employees]
Enhance Explanations
1. Automatically fill in missing data:
   • Oncologists treat cancer patients
   • Pediatric nurses work with pediatric physicians
2. Mine new explanations: “The access occurred because Dr. Dave is an oncologist, oncologists treat cancer and Alice has cancer”
[Figure: Explanation-Based Auditing screenshot listing two explanations, “Medication + Department” (False, 0.500) and “Icd + Department To Icd + Department” (False, 0.167), with the path]
Evidence->Audit Log->Employee ID
Evidence->Audit Log->Patient ID
Employee Info->Department->Info Value
Employee Info->Department->Employee ID
Department to ICD->Department To
Department to ICD->Department To Icd->depart
Patient Info->Icd->Patient ID
Patient Info->Icd->Info Value
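The filtering idea from the slides above, as an added example that is not EBAS code or part of the original deck: each approved explanation is a join between an audit-log row and other EMR data, and accesses with no explanation are left for manual review. The table layouts, employee and patient names, ICD codes and the department-to-diagnosis mapping are constructed assumptions.

```python
from collections import Counter

# Constructed sample data; table layouts and names are assumptions, not the EBAS schema.
AUDIT_LOG = [  # (access_id, employee_id, patient_id)
    (1, "dr_olga", "carol"), (2, "nurse_ned", "bob"), (3, "dr_dave", "alice"),
    (4, "clerk_cy", "alice"), (5, "dr_pat", "bob"), (6, "dr_dave", "bob"),
]
APPOINTMENTS = {("dr_olga", "carol"), ("dr_pat", "bob")}  # (employee_id, patient_id)
DEPARTMENT = {"dr_olga": "cardiology", "dr_pat": "pediatrics", "nurse_ned": "pediatrics",
              "dr_dave": "oncology", "clerk_cy": "billing"}
PATIENT_ICD = {"alice": {"C50"}, "bob": {"J45"}, "carol": {"I10"}}
DEPT_TO_ICD = {"oncology": {"C50"}, "cardiology": {"I10"}}  # department -> diagnoses it treats


def has_appointment(emp, pat):
    """Basic explanation: an appointment links this employee and this patient."""
    return (emp, pat) in APPOINTMENTS


def colleague_has_appointment(emp, pat):
    """Filled-in data: a colleague in the same department has the appointment."""
    dept = DEPARTMENT.get(emp)
    return dept is not None and any(
        p == pat and e != emp and DEPARTMENT.get(e) == dept for e, p in APPOINTMENTS)


def department_treats_diagnosis(emp, pat):
    """Mined explanation: the employee's department treats one of the patient's diagnoses."""
    return bool(DEPT_TO_ICD.get(DEPARTMENT.get(emp), set()) & PATIENT_ICD.get(pat, set()))


TEMPLATES = {"appointment": has_appointment,
             "department+appointment": colleague_has_appointment,
             "department+icd": department_treats_diagnosis}


def audit(log, approved):
    """Return (unexplained access ids, share of accesses each approved template explains)."""
    support, unexplained = Counter(), []
    for access_id, emp, pat in log:
        hits = [name for name in approved if TEMPLATES[name](emp, pat)]
        support.update(hits)
        if not hits:
            unexplained.append(access_id)
    return unexplained, {name: support[name] / len(log) for name in approved}
```

With only the appointment template approved, the nurse and the oncologist show up as unexplained; adding the two enhanced templates leaves only the accesses that have no connection in the data.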
High-Level Results
• 95% of accesses in one-week sample filtered with high precision
• Ongoing trials at major hospitals to evaluate effectiveness
• See VLDB 2011, JAMIA 2012 publications

Practical Example
• US hospital audited accesses for 1 patient over a few weeks
• 500+ accesses normally audited manually
• EBAS filtered the list down to 5 for manual review
Integrated Analytics
• Search for outliers, then drill down with EBAS
• Analyze high usage employees

Deployment
Many hospitals will not release data to the cloud…yet. Hospitals download VM and run locally!

Data Extraction
How to get data into the auditing system?
• Reporting System (e.g., Epic’s Clarity)
• Text File
• All within the hospital
Short Video Summary
Putting the pieces together! https://www.youtube.com/watch?v=gDEcgVwIgSU
Why Use EBAS?
• busy / too many audits / too much manual effort
• need for automation / need for improved HIPAA procedures
• worried about OCR audits / want more proactive tools
• want published & peer-reviewed technology
• looking for a different approach to auditing
Email us for faster HIPAA audits! info@MaizeAnalytics.com
Free Demo and 60 Day Evaluation
www.compliancy-group.com 855 85 HIPAA (855.854.4722)
The Guard: One Simple, cost effective Compliance Tracking Solution that satisfies HIPAA, HITECH Risk Assessment, & Omnibus Compliance
• Guaranteed HIPAA Audit Protection
• Gap Identification & Remediation Plans
• Built in Training, Policies & Procedures
• Business Associate Agreements Included
• HIPAA Hotline Support
• Experienced HIPAA Coach Implementation
Join us for our upcoming webinar “Is your EHR Safe? New Technologies for Auditing” Thursday April 24th 2:00pm – 3:30 EST. U.S. legislation such as ...
Is Your EHR Safe? New Technologies for Auditing U.S. legislation such as the Affordable Care Act, HIPAA and HITECH outline rules governing the appropriate ...