who is looking at your electronic health record? · 2013-03-27 · who is looking at your ehr...
TRANSCRIPT
Who is looking at your electronic health record?
A practical guide to building an audit plan.
April 22, 2013
Sandy Gilmore
Audit Plan April 2013 2
Who is looking at your EHR
Objectives
Understand the importance of a complete inventory of systems and system users
Complete a risk assessment based on systems and system users
Develop / write an audit plan based on risks and organization resources
Legacy Health
Portland – Vancouver
6 medical centers
> 2 urban
> 3 suburban
> 1 children’s hospital
> Regional burn center
> Trauma center
> Inpatient rehabilitation facility
> 2 inpatient behavioral health facilities
Legacy Health
Legacy Medical Group
> 25 Primary care clinics
> 14 Specialty care clinics
Hospice
> Inpatient facility
> Home hospice care
Hospital outpatient clinics
9000 employees
1578 licensed beds
Legacy Health
Implemented electronic health record – Epic November 2011
Inpatient
Outpatient – ambulatory
Legacy Epic Ancillary Provider (LEAP)
Epic LINK
Epic Care Everywhere
Before Epic
Access audits were for cause
> Patient complaint
> Manager concerns
Quarterly VIP or in the news access audit
Approximately 75 audits per year
Limited audit ability with electronic systems
Audits analyzed by small HIPAA compliance office (1.5 FTE)
Inventory of electronic systems with PHI
Create, or review, an inventory of all systems that contain Protected Health Information (PHI).
Type of PHI kept on the system
Frequency and timing of access logging
Maintenance of access logs
Users of systems
Inventory of electronic systems with PHI
Cerner Millennium – lab system
PACS – imaging system
AS400 – retired with Epic
MedManager – retired with Epic
Muse – ECG tracings
Chart Plus – Echart – retired with Epic
CPACS – cardiac images
Etc, etc, etc
Inventory of users of EHR
Legacy employees (including physicians)
Medical Staff – 5 different medical staffs
Legacy contractors
Legacy vendors
Medical staff office personnel
Community physicians and staff
Students
LEAP customers
Inventory of users of EHR
Outside auditors
Outside utilization review
Outside billing offices
Epic Care LINK users
Epic Care Everywhere users
Ambulance providers
DME providers
Future user groups?
Risk Assessment of electronic systems
Type of PHI
Number of users
User groups with access
Control of access
Generates access logs
Reports on access
Risk Assessment of electronic systems
Epic (all modules) – highest risk
> Large number of users (18,000)
> Large number of outside users
> Contains protected health information
> Both financial and clinical information
Risk Assessment users of electronic systems
Number of users
User groups with access
Control of access
Detail information about user
HIPAA Training
Privacy culture
Sanctions for inappropriate access
Risk Assessment users of electronic systems
Legacy employees, students, contractors
> Largest number
> Confidential patients
> Confidential departments
Medical staff office personnel
> Detail information about user
> HIPAA Training
> Privacy culture
> Sanctions for inappropriate access
Determine what to audit
Access to Epic (all modules)
Access by Legacy employees (workforce)
> LEAP users
> LINK users
Access by medical office personnel
Inventory of Epic access reports
Same last name / same guarantor
Same employer
Same address
Break the Glass – confidential departments / patients
Largest number of records accessed
First access – LINK
Access queries – Care Everywhere
Run reports / analyze
Run available reports
> Work to produce reports
> Work to analyze reports
> Quality of data from reports
> Follow up needed on results
> Enough data to sanction user?
Determine which reports to run regularly
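The report list above (same last name / same guarantor, same address, Break the Glass, largest number of records accessed) and the "run and analyze" step are easier to reason about with a concrete implementation. What follows is an added example, not Legacy Health's or Epic's code: the access-log record layout, the field names, the two-week window and the sample rows are all constructed for illustration, and a real Epic access log will look different. It shows each proactive report as a function over the log, plus the per-user sampling that keeps one noisy user from filling the in-depth review set.

```python
"""Proactive EHR access-audit reports over a constructed access log.

Added example; field names, window length and sample rows are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str
    user_last: str
    user_address: str
    user_guarantor: str      # guarantor (account holder) on the user's own chart
    patient_id: str
    patient_last: str
    patient_address: str
    patient_guarantor: str
    break_the_glass: bool    # user overrode a confidentiality flag to open the chart


def _norm(s: str) -> str:
    """Case/whitespace-insensitive compare for names and addresses."""
    return " ".join(s.lower().split())


def _ev(day, user, ulast, uaddr, uguar, pat, plast, paddr, pguar, btg=False):
    return AccessEvent(datetime(2013, 4, 1) + timedelta(days=day), user, ulast,
                       uaddr, uguar, pat, plast, paddr, pguar, btg)


# Constructed sample log, not real audit data.
SAMPLE_LOG = [
    _ev(1, "u100", "Nguyen", "12 Elm St", "G1", "p500", "Nguyen", "12 Elm St", "G1"),
    _ev(2, "u100", "Nguyen", "12 Elm St", "G1", "p501", "Smith", "9 Oak Ave", "G7"),
    _ev(3, "u101", "Smith", "9 Oak Ave", "G7", "p501", "Smith", "9 Oak Ave", "G7"),
    _ev(4, "u102", "Lee", "3 Pine Rd", "G3", "p502", "Park", "3 Pine Rd", "G4"),
    _ev(5, "u103", "Chen", "5 Fir Ln", "G5", "p503", "Adams", "1 Main St", "G9", btg=True),
    _ev(6, "u103", "Chen", "5 Fir Ln", "G5", "p504", "Ortiz", "2 Main St", "G8", btg=True),
    _ev(7, "u103", "Chen", "5 Fir Ln", "G5", "p505", "Khan", "4 Main St", "G2"),
    _ev(40, "u104", "Rossi", "7 Ash Ct", "G6", "p506", "Rossi", "7 Ash Ct", "G6"),  # outside window
]
AUDIT_END = datetime(2013, 4, 15)  # assumed audit date


def in_window(events, end, days=14):
    """Keep only events in the trailing audit window (two weeks of data)."""
    start = end - timedelta(days=days)
    return [e for e in events if start <= e.ts <= end]


def same_last_name_or_guarantor(events):
    """Accesses to a chart whose last name or guarantor matches the user's own."""
    hits = []
    for e in events:
        if e.user_id == e.patient_id:
            continue  # self-access is a separate policy question
        name_match = _norm(e.user_last) == _norm(e.patient_last)
        guar_match = bool(e.user_guarantor) and e.user_guarantor == e.patient_guarantor
        if name_match or guar_match:
            hits.append(e)
    return hits


def same_address(events):
    return [e for e in events if e.user_id != e.patient_id
            and _norm(e.user_address) == _norm(e.patient_address)]


def break_the_glass_by_user(events):
    """Count overrides per user; repeat users go to the top of the review pile."""
    return Counter(e.user_id for e in events if e.break_the_glass)


def top_accessors(events, n=3):
    """Users who opened the most distinct patient records in the window."""
    seen = defaultdict(set)
    for e in events:
        seen[e.user_id].add(e.patient_id)
    return sorted(((u, len(p)) for u, p in seen.items()), key=lambda x: (-x[1], x[0]))[:n]


def sample_for_review(hits, n=10):
    """Pick n hits for in-depth review, round-robin across users so one noisy
    user cannot crowd out everyone else."""
    by_user = defaultdict(list)
    for e in sorted(hits, key=lambda e: e.ts):
        by_user[e.user_id].append(e)
    picked = []
    while len(picked) < n and any(by_user.values()):
        for u in sorted(by_user):
            if by_user[u] and len(picked) < n:
                picked.append(by_user[u].pop(0))
    return picked


def run_reports(events=SAMPLE_LOG, end=AUDIT_END, window_days=14):
    ev = in_window(events, end, window_days)
    return {
        "in_window": len(ev),
        "same_name_or_guarantor": [(e.user_id, e.patient_id) for e in same_last_name_or_guarantor(ev)],
        "same_address": [(e.user_id, e.patient_id) for e in same_address(ev)],
        "break_the_glass": dict(break_the_glass_by_user(ev)),
        "top_accessors": top_accessors(ev),
    }


if __name__ == "__main__":
    for name, result in run_reports().items():
        print(f"{name}: {result}")
```

A hit on any of these reports is a lead, not a finding: a same-last-name match can be a spouse on the care team, and a Break the Glass override can be an emergency department clinician doing their job. The analysis step is what turns the list into the handful of records that get an in-depth review and, where warranted, a referral to HR or the breach investigation process.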
Determine response to inappropriate access
Legacy has HR response plan in place
> Based on history of For Cause audits
> Follow same process for ProActive audits
Non-employees
> Needed to develop and communicate
Physicians on medical staff
> Based on history of For Cause audits
> Pursue more stringent sanctions with Medical Staff process
Choose ProActive reports
Quality of data
Actionable
Analysis of available reports
Time and resources available
Bang for the buck
Choose ProActive reports
Legacy chose 3 ProActive reports for first year audit plan.
Break the Glass reports
Same last name / same guarantor
Clinic access report
> Utilizing a for cause audit report
What is Break the Glass
Epic solution to provide extra privacy for certain patients or records.
Extra level of protection for
> Confidential encounters
> Confidential departments
> Confidential patients
Break the glass report
Communication plan for internal users
New employee orientation
Annual HIPAA training
Specialized training for departments
Training combined with Epic training
Specialized communication to employed physicians
Communication plan for external users
Specialized training for LEAP users
Specialized communication plan for medical staff physicians and office personnel (in process)
As part of the access authorization process for any outside Epic user
Updated Business Associates Agreement
Assess resources to complete audits
Generate access log reports
Analyze access reports
Communicate with HR/clinic managers
Follow up on sanctions
Refer reports of inappropriate access to Breach Investigation process
Manage data, save, report
Write audit plan
What reports
How often
Who will run
Who will analyze
Follow up actions
Annual reporting to what committees
Who approves the audit plan
Legacy Audit Plan
Started in April 2012 (still in approval process)
Monthly Proactive audit
> Rotating 3 audits
> Analysis of 2 weeks of data
> Scan results
> In-depth review of 10 records
Reports to HIPAA Steering Committee
Quarterly reports to Compliance Committee
Annual report to Audit Committee
Questions?