Who is looking at your electronic health record?

Transcription

1 Who is looking at your electronic health record? A practical guide to building an audit plan. April 22, 2013 Sandy Gilmore Audit Plan April

2 Audit Plan April Who is looking at your EHR Objectives Understand the importance of a complete inventory of systems and system users Complete a risk assessment based on systems and system users Develop / write an audit plan based on risks and organization resources Audit Plan April

3 Legacy Health Portland Vancouver 6 medical centers > 2 urban > 3 suburban > 1 children s hospital > Regional burn center > Trauma center > Inpatient rehabilitation facility > 2 inpatient behavioral health facilities Audit Plan April Legacy Health Legacy Medical Group > 25 Primary care clinics > 14 Specialty care clinics Hospice > Inpatient facility > Home hospice care Hospital outpatient clinics 9000 employees 1578 licensed beds Audit Plan April

4 Legacy Health Implemented electronic health record Epic November 2011 Inpatient Outpatient ambulatory Legacy Epic Ancillary Provider (LEAP) Epic LINK Epic Care Everywhere Audit Plan April Before Epic Access audits were for cause > Patient complaint > Manager concerns Quarterly VIP or in the news access audit Approximately 75 audits per year Limited audit ability with electronic systems Audits analyzed by small HIPAA compliance office (1.5 FTE) Audit Plan April

5 Inventory of electronic systems with PHI Inventory or review inventory of all systems that contain Protected Health Information (PHI). Type of PHI kept on the system Frequency of access log timing Maintenance of access logs Users of systems Audit Plan April Inventory of electronic systems with PHI Cerner Millennium lab system PACS imaging system AS400 retired with Epic MedManager retired with Epic Muse ECG tracings Chart Plus Echart retired with Epic CPACS cardiac images Etc, etc, etc Audit Plan April

6 Inventory of users of EHR Legacy employees (including physicians) Medical Staff 5 different medical staffs Legacy contractors Legacy vendors Medical staff office personnel Community physicians and staff Students LEAP customers Audit Plan April Inventory of users of EHR Outside auditors Outside utilization review Outside billing offices Epic care LINK users Epic Care Everywhere users Ambulance providers DME providers Future user groups? Audit Plan April

7 Risk Assessment of electronic systems Type of PHI Number of users User groups with access Control of access Generates access logs Reports on access Audit Plan April Risk Assessment of electronic systems Epic (all modules) highest risk > Large number of users (18,000) > Large number of outside users > Contains protected health information > Both financial and clinical information Audit Plan April

8 Risk Assessment users of electronic systems Number of users User groups with access Control of access Detail information about user HIPAA Training Privacy culture Sanctions for inappropriate access Audit Plan April Risk Assessment users of electronic systems Legacy employees, students, contractors > Largest number > Confidential patients > Confidential departments Medical staff office personnel > Detail information about user > HIPAA Training > Privacy culture > Sanctions for inappropriate access Audit Plan April

9 Determine what to audit Access to Epic (all modules) Access by Legacy employees (workforce) > LEAP users > LINK users Access by medical office personnel Audit Plan April Inventory of Epic access reports Same last name / same guarantor Same employer Same address Break the Glass confidential departments / patients Largest number of records accessed First access LINK Access queries Care Everywhere Audit Plan April

10 Run reports / analyze Run available reports > Work to produce reports > Work to analyze reports > Quality of data from reports > Follow up needed on results > Enough data to sanction user? Determine which reports to run regularly Audit Plan April Determine response to inappropriate access Legacy has HR response plan in place > Based on history of For Cause audits > Follow same process for ProActive audits Non- employees > Needed to develop and communicate Physicians on medical staff > Based on history of For Cause audits > Pursue more stringent sanctions with Medical Staff process Audit Plan April

11 Choose ProActive reports Quality of data Actionable Analysis of available reports Time and resources available Bang for the buck Audit Plan April Choose ProActive reports Legacy chose 3 ProActive reports for first year audit plan. Break the Glass reports Same last name / same guarantor Clinic access report > Utilizing a for cause audit report Audit Plan April

12 What is Break the Glass Epic solution to provide extra privacy for certain patients or records. Extra level of protection for > Confidential encounters > Confidential departments > Confidential patients Audit Plan April Audit Plan April

13 Audit Plan April Audit Plan April

14 Break the glass report Audit Plan April Communication plan for internal users New employee orientation Annual HIPAA training Specialized training for departments Training combined with Epic training Specialized communication to employed physicians Audit Plan April

15 Communication plan for external users Specialized training for LEAP users Specialized communication plan for medical staff physicians and office personnel (in process) As part of the access authorization process for any outside EPIC user Updated Business Associates Agreement Audit Plan April Assess resources to complete audits Generate access log reports Analyze access reports Communicate with HR/clinic managers Follow up on sanctions Refer reports of inappropriate access to Breach Investigation process Manage data, save, report Audit Plan April

16 Write audit plan What reports How often Who will run Who will analyze Follow up actions Annual reporting to what committees Who approves the audit plan Audit Plan April Legacy Audit Plan Started in April 2012 (still in approval process) Monthly Proactive audit > Rotating 3 audits > Analysis of 2 weeks of data > Scan results > In-depth review of 10 records Reports to HIPAA Steering Committee Quarterly reports to Compliance Committee Annual report to Audit Committee Audit Plan April

17 Audit Plan April Questions? Audit Plan April

18 Sandy Gilmore