who is looking at your electronic health record? · 2013-03-27 · who is looking at your ehr...


Who is looking at your electronic health record?

A practical guide to building an audit plan.

April 22, 2013

Sandy Gilmore

Audit Plan April 2013 2


Who is looking at your EHR

Objectives

Understand the importance of a complete inventory of systems and system users

Complete a risk assessment based on systems and system users

Develop / write an audit plan based on risks and organization resources


Legacy Health

Portland – Vancouver

6 medical centers

> 2 urban

> 3 suburban

> 1 children’s hospital

> Regional burn center

> Trauma center

> Inpatient rehabilitation facility

> 2 inpatient behavioral health facilities


Legacy Health

Legacy Medical Group

> 25 Primary care clinics

> 14 Specialty care clinics

Hospice

> Inpatient facility

> Home hospice care

Hospital outpatient clinics

9000 employees

1578 licensed beds


Legacy Health

Implemented electronic health record – Epic November 2011

Inpatient

Outpatient – ambulatory

Legacy Epic Ancillary Provider (LEAP)

Epic LINK

Epic Care Everywhere


Before Epic

Access audits were for cause

> Patient complaint

> Manager concerns

Quarterly VIP or in the news access audit

Approximately 75 audits per year

Limited audit ability with electronic systems

Audits analyzed by small HIPAA compliance office (1.5 FTE)


Inventory of electronic systems with PHI

Inventory or review inventory of all systems that contain Protected Health Information (PHI).

Type of PHI kept on the system

Frequency of access log timing

Maintenance of access logs

Users of systems


Inventory of electronic systems with PHI

Cerner Millennium – lab system

PACS – imaging system

AS400 – retired with Epic

MedManager – retired with Epic

Muse – ECG tracings

Chart Plus – Echart – retired with Epic

CPACS – cardiac images

Etc, etc, etc


Inventory of users of EHR

Legacy employees (including physicians)

Medical Staff – 5 different medical staffs

Legacy contractors

Legacy vendors

Medical staff office personnel

Community physicians and staff

Students

LEAP customers


Inventory of users of EHR

Outside auditors

Outside utilization review

Outside billing offices

Epic care LINK users

Epic Care Everywhere users

Ambulance providers

DME providers

Future user groups?


Risk Assessment of electronic systems

Type of PHI

Number of users

User groups with access

Control of access

Generates access logs

Reports on access


Risk Assessment of electronic systems

Epic (all modules) – highest risk

> Large number of users (18,000)

> Large number of outside users

> Contains protected health information

> Both financial and clinical information


Risk Assessment users of electronic systems

Number of users

User groups with access

Control of access

Detail information about user

HIPAA Training

Privacy culture

Sanctions for inappropriate access


Risk Assessment users of electronic systems

Legacy employees, students, contractors

> Largest number

> Confidential patients

> Confidential departments

Medical staff office personnel

> Detail information about user

> HIPAA Training

> Privacy culture

> Sanctions for inappropriate access


Determine what to audit

Access to Epic (all modules)

Access by Legacy employees (workforce)

> LEAP users

> LINK users

Access by medical office personnel


Inventory of Epic access reports

Same last name / same guarantor

Same employer

Same address

Break the Glass – confidential departments / patients

Largest number of records accessed

First access – LINK

Access queries – Care Everywhere
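
Added example (not part of the original slides, and not Epic's report logic): a sketch of three of the reports listed above, run over a constructed access log. The field names and sample rows are assumptions made for illustration.

```python
from collections import Counter, namedtuple

Access = namedtuple(
    "Access", "user user_last user_addr patient_id patient_last guarantor_last patient_addr")

# Constructed sample rows (not real data, not an Epic export layout).
LOG = [
    Access("jsmith", "Smith", "12 Oak St", "P001", "Smith", "Smith", "98 Elm Ave"),
    Access("jsmith", "Smith", "12 Oak St", "P002", "Nguyen", "Nguyen", "4 Pine Rd"),
    Access("alee", "Lee", "7 Birch Ln", "P003", "Ortiz", "Lee", "30 Main St"),
    Access("alee", "Lee", "7 Birch Ln", "P004", "Park", "Park", "7 birch ln."),
    Access("mdiaz", "Diaz", "55 Hill Ct", "P001", "Smith", "Smith", "98 Elm Ave"),
    Access("mdiaz", "Diaz", "55 Hill Ct", "P002", "Nguyen", "Nguyen", "4 Pine Rd"),
    Access("mdiaz", "Diaz", "55 Hill Ct", "P005", "Khan", "Khan", "2 Lake Dr"),
    Access("mdiaz", "Diaz", "55 Hill Ct", "P005", "Khan", "Khan", "2 Lake Dr"),
]

def norm(text):
    """Case-fold and drop punctuation so '7 birch ln.' matches '7 Birch Ln'."""
    return " ".join("".join(c for c in text.lower() if c.isalnum() or c.isspace()).split())

def same_name_or_guarantor(log):
    """Same last name / same guarantor: user's surname matches patient or guarantor."""
    return sorted({(a.user, a.patient_id) for a in log
                   if norm(a.user_last) in (norm(a.patient_last), norm(a.guarantor_last))})

def same_address(log):
    """Same address: user's home address matches the patient's address."""
    return sorted({(a.user, a.patient_id) for a in log
                   if norm(a.user_addr) == norm(a.patient_addr)})

def largest_accessors(log, top=1):
    """Largest number of records accessed: rank users by distinct patients opened."""
    counts = Counter(user for user, _ in {(a.user, a.patient_id) for a in log})
    return counts.most_common(top)

def review_queue(log):
    """Merge flags per (user, patient) so an analyst sees every reason in one row."""
    queue = {}
    for reason, hits in (("same name/guarantor", same_name_or_guarantor(log)),
                         ("same address", same_address(log))):
        for key in hits:
            queue.setdefault(key, []).append(reason)
    return queue

if __name__ == "__main__":
    for (user, patient), reasons in sorted(review_queue(LOG).items()):
        print(user, patient, ", ".join(reasons))
    print("largest accessors:", largest_accessors(LOG))
```

A surname or address match is a lead for analyst review, not a finding: common surnames and shared buildings will produce matches that turn out to be legitimate access.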


Run reports / analyze

Run available reports

> Work to produce reports

> Work to analyze reports

> Quality of data from reports

> Follow up needed on results

> Enough data to sanction user?

Determine which reports to run regularly


Determine response to inappropriate access

Legacy has HR response plan in place

> Based on history of For Cause audits

> Follow same process for ProActive audits

Non-employees

> Needed to develop and communicate

Physicians on medical staff

> Based on history of For Cause audits

> Pursue more stringent sanctions with Medical Staff process


Choose ProActive reports

Quality of data

Actionable

Analysis of available reports

Time and resources available

Bang for the buck


Choose ProActive reports

Legacy chose 3 ProActive reports for first year audit plan.

Break the Glass reports

Same last name / same guarantor

Clinic access report

> Utilizing a for cause audit report


What is Break the Glass

Epic solution to provide extra privacy for certain patients or records.

Extra level of protection for

> Confidential encounters

> Confidential departments

> Confidential patients


Break the glass report


Communication plan for internal users

New employee orientation

Annual HIPAA training

Specialized training for departments

Training combined with Epic training

Specialized communication to employed physicians


Communication plan for external users

Specialized training for LEAP users

Specialized communication plan for medical staff physicians and office personnel (in process)

As part of the access authorization process for any outside EPIC user

Updated Business Associates Agreement


Assess resources to complete audits

Generate access log reports

Analyze access reports

Communicate with HR/clinic managers

Follow up on sanctions

Refer reports of inappropriate access to Breach Investigation process

Manage data, save, report


Write audit plan

What reports

How often

Who will run

Who will analyze

Follow up actions

Annual reporting to what committees

Who approves the audit plan


Legacy Audit Plan

Started in April 2012 (still in approval process)

Monthly Proactive audit

> Rotating 3 audits

> Analysis of 2 weeks of data

> Scan results

> In-depth review of 10 records

Reports to HIPAA Steering Committee

Quarterly reports to Compliance Committee

Annual report to Audit Committee


Questions?


Sandy Gilmore 503.413.3870
