PrivacyPro ; A Key Component of Privacy Information Management Overview Whitepaper

Transcription

1 PrivacyPro ; A Key Component of Privacy Information Management Overview Whitepaper This Whitepaper is the first of a series published by CompliancePro Solutions Founder Kelly McLendon, RHIA which will create the foundation of concepts that introduce and explain an entirely new class of software applications that manage privacy compliance. That the increasing requirements of privacy regulations and the dramatic penalties for non- compliance created the need for these types of applications as not surprising, but has gone relatively un- noticed by the marketplace to date. That will change as electronic health records (EHRs) and their electronic protected health information (ephi) expand, creating the need for automation to manage the supporting back end processes designed to keep them private and secure. Healthcare privacy enforcement, through ever more complex HITECH HIPAA and State regulations, has fostered the creation of a new class of software application that can be referred to as Privacy Information Management (PIM), of which the CompliancePro Solutions product PrivacyPro is a key component. Prior to arduous privacy regulations coming into play there was little market for software tools designed to assist healthcare providers understand and adequately address their privacy compliance programs or Privacy Officers perform their duties. By Federal policy maker design, increased privacy regulations are being implemented at the same time as electronic health records take off under HITECH s incentives for the meaningful use of certified electronic health records program. Focusing on privacy as well as the incentives for EHRs themselves, HITECH creators realized that the quickest way to fail in the efforts to bring automation to health information management is to allow the public to become disenchanted or even fearful of computerization of their medical records. Their concept was to clamp down on privacy and security before and during the phases of implementation of EHRs and to augment a rather small force of Federal enforcement agents with State Attorney Generals and their staff. The final piece of the equation is to empower the patients to be able to collect portions of fines levied for privacy violations. These moves are politically bi- partisan in nature and are not going to dissipate; rather the industry expects increasingly restrictive regulations as data exchange expands and EHRs continue to rollout replacing increasingly archaic paper and hybrid medical record systems. HITECH has put the United States on a track of automation that will not be lessened; indeed it cannot, if the obvious patient safety, cost savings and heightened healthcare data reporting are to be achieved in the near term. What is Privacy Information Management? Healthcare privacy compliance is sufficiently complex to require automation across several fronts in order to gain a full complement of efficiencies which yield compelling cost benefit realization. In general, Privacy Information Management automates the detection of privacy (and security) events with proactive alerting, along with the collection of data related to HIPAA and State based privacy requests from patients, performance of processes surrounding investigation and resolution of privacy events that 1

2 may be determined to be violations. Privacy Information Management systems also can create an infrastructure of libraries providing easy to find and update lists of statues, rules, policies, forms which make up the necessary materials to successfully manage a provider of care s privacy compliance program. And finally, Privacy Information Management systems must be able to investigate, log and track other, more general, workflows that identify, develop and mitigate the many privacy issues, outside of requests, alerts and complaints that Privacy and Compliance Officers are responsible for. Figure 1.0 Conceptual Diagram of a Fully Scoped Privacy Information Management Architecture Why is Privacy Information Management Needed? Healthcare in the United States has recognized privacy as an issue for over a decade, with HIPAA being created in the 1990 s and actually implemented in However, lax enforcement and little penalties left most healthcare providers with the option of basically ignoring their own privacy compliance, at least from a formal, structured, programmatic point of view. That all changed with the introduction of HITECH, with not only increased civil penalties, i.e. up to $1.5 million per year per incident, but a renewed emphasis on enforcement and through a program where patients will be able to get a cut of any privacy fines levied. Plus the Office for Civil Rights has stated that they will begin (or perhaps delegate to the States) to audit for privacy compliance to HIPAA. These factors all work together to force 2

3 a much more formalized approach for healthcare providers and Business Associates in order to protect themselves from potential liabilities and fraud. This formalized approach has introduced the need for specific software applications (i.e. Privacy Information Management systems) that detect events, as well as, log, track and document both patient requests for actions related to their PHI within their medical records and the investigation phases of any discovered privacy event (or incident). HITECH s push towards increased privacy compliance has (and will continue to) raised the number of privacy events (or incidents) being managed by healthcare providers. Whereas up to this point most sites utilized in- house, spreadsheet based tools they designed to track requests, complaints and events, these are quickly being outgrown. Risks for providers of care are rising along with FTE counts required to manage these complex processes. New hires are being ramped up to manage processes they may not really understand. The typical compliance software vendor is a shallow toolset that requires each site to learn and build their own toolsets and processes. A Privacy Information Management system such as PrivacyPro, addresses the needs for formalized, repeatable workflows based in a easy to use software application that can be implemented with minimal effort, yet grow to be very powerful and specific to each client sites own internal processes and supporting materials. PrivacyPro is a web based workflow platform combined with current, state- of- the- art privacy resources that assist Privacy Officers and their staff in logging and documenting their actions as they manage privacy events. HIM Directors are also assisted with a common application that manages the various HIPAA requests that are increasingly made by patients, including the dreaded Accounting of Disclosures and the new Access Reports which few providers have to fulfill at present, but with the rules changes and expansion of health information exchanges, are steadily increasing. Cost Benefits of PrivacyPro More detailed cost benefits and justification for PrivacyPro will be addressed within a separate whitepaper, but some generalizations can be made. Cost benefits generally defined within two major categories, quantifiable and non- quantifiable. The best reason to utilize PrivacyPro is to support an organized, structured and consistent approach to privacy compliance that will reduce the likelihood of penalties from the Federal and State governments, as guided by their regulations. They state repeatedly that covered entities, business associates and anyone managing protected health information (PHI) must approach privacy and security with seriousness and diligence that proactively approaches the processes that manage their compliance. Failure to approach this compliance can result in fines, including the dreaded willful neglect that multiplies the monetary penalties from disregard of the regulations every healthcare provider and their associates are subject to. These fines and penalties scan amount to tens, hundreds or millions of dollars. PrivacyPro is inexpensive insurance lessening the likelihood of large monetary outlays for non- sophisticated compliance approaches. More quantifiable cost benefits are achieved through reduction of staff needed to manage and report upon privacy activities. The number of FTEs (full time equivalents) required for diligent privacy compliance is increasing. PrivacyPro automation helps keep the staff required to lower levels than simple, ad hoc spreadsheet and homemade solutions or those from other vendors that offer shells of 3

4 functionality, but no real, in depth efficiency gains as they are not specific enough to privacy compliance to foster savings. Views of PrivacyPro PrivacyPro has many useful features which are expressed through a user friendly GUI (graphical user interface). The following screenshots illustrate many of the robust features listed within the table that follows this section. Figure 1 - Dashboard for Improper Access, Use or Disclosure Investigation Tracking Figure 2 Workflow Management for Improper Access, Use or Disclosure Investigations Figure 3 - Reference Library for Each Site 4

5 Key PrivacyPro Features Features are the most significant groups of basic functionalities that define what a software application actually performs. The list of features required to deliver a software product that effectively and efficiently manages the workflows of your privacy compliance program is extensive, even if you exclude on- going privacy event / incident detection and monitoring. PrivacyPro provides the following capabilities which together form a core set of features to manage your privacy compliance Logging Privacy Requests From Patient Integrated Data Collection From Audit and Security Monitoring Programs Wrongful Access, Use or Disclosure Investigation Accounting of Disclosures (AOD) Processing HIPAA grants rights to patients (individuals) to control and protect health information that identifies and relates to them. These rights allow requests that must be addressed by healthcare providers. PrivacyPro logs and provides workflows that facilitate the fulfillment of these requests according to regulations. Automated input of data about flagged events and incidents from Audit Log Monitors, Security Information Management and Identity Management applications facilitate efficient investigation and documentation of potential privacy and security violations. The most complex investigations related to HIPAA involve wrongful access, use or disclosure of PHI, PrivacyPro creates replicable, easy to follow steps and workflows that both expert and novice users can follow and correctly log and guide their investigations. HIPAA violation and breach determination are included. AOD is increasingly onerous and will take more time and staff as patient s become familiar with their rights to obtain these free (one per year) accountings. PrivacyPro is a thought leader in this area and is developing both manual and automated processes to manage not only the requests for 5

6 5 HIPAA Request Processing HIPAA Privacy Compliance Program Issue Workflows Universal Library of Regulations and Privacy Compliance materials Library of Site Specific Privacy Materials Management of Business Associates and Their Agreements Workforce and Management HIPAA Training and Education Content but fulfillment of AODs and Access Reports. Patients can request amendments, restrictions and other management of their PHI. PrivacyPro manages these requests and the workflow for their processing. In the event of a related OCR complaint PrivacyPro tracks the investigation through to successful mitigation and sanctions, if necessary. A well executed, PrivacyPro centralizes the management of the many open issues related to Privacy Risks and Vulnerabilities that require a management plan, workflows to spur resolution and final mitigation and sends reminders to appropriate parties PrivacyPro includes a pre- populated and constantly updated, robust library of statues, rules, policies, forms, educational tools and related materials that simplify and consolidate the location and use for privacy compliance. All materials are versioned, so locating versions that were in force when a rule was potentially violated is easy to find. Each site has their own library space to index and store their own policies, templates, letters, educational tools according to their preferences. Business Associates are tracked within the database too, eliminating manual, cumbersome tracking of the dozens or hundreds of Business Associates and their Agreements. When new rules come out and their agreements need to be updated PrivacyPro simplifies the process. BAA s can also be tracked, along with any other attachments pertaining to them. Keeping education tools fresh and up to date is a time consuming task. PrivacyPro reduces this effort by keeping both workforce and management educational content updated within the library for incorporation into your own Computer Based Training (CBT) or other delivery mechanisms. CompliancePro Solutions expert consultants are also available to perform education via webinar or on- site. Does PrivacyPro Address Other Healthcare Compliance? The short answer is soon, the PrivacyPro workflow and basic infrastructure can be adapted to any kind of compliance, including, HIPAA Security, fraud and abuse, PCI, OIG, and others. CompliancePro Solutions is developing these wider scoped compliance features and welcomes discussions from prospects and customers. Watch for additional whitepapers addressing these other areas of compliance. It should be noted that security compliance many times becomes addressed as privacy events / incidents. However, security documentation and tracking can be well performed by PrivacyPro. The Principals of CompliancePro Solutions 6

7 Kelly McLendon, RHIA and Paul Albrecht are the founding members of CompliancePro Solutions, representing experienced and successful designers and developers of electronic medical record applications. Kelly and Paul created one of a leading healthcare electronic document management platform that have been consistently KLAS ranked #1 and have sold many millions of dollars of worth of product. They have created the same winning formula for PrivacyPro delivering the highest levels of functionality for reasonable prices. for more details. Contacts CompliancePro Solutions looks forward to further discussions and demonstrations with interested parties. Please contact: Kelly McLendon, RHIA kmclendon@complianceprosolutions.com (321)