Sustainable HIPAA Compliance: Enhancing Your Epic Reporting
FairWarning Executive Webinar Series, October 17, 2013

Today's Panel
- Chris Arnold, FairWarning VP of Product Management, Chris@FairWarning.com
- Chuck Burbank, FairWarning Director of Managed Services, Chuck@FairWarning.com
- Kurt J. Long, FairWarning Founder, Kurt@FairWarning.com
FairWarning and Epic Production Customers
- 44 production customers
- 10,267 employees on average (range 2,500 to 60,000)
- On average 1,300 physicians across 6 hospitals and 36 clinics
- Moving from a legacy EHR to Epic for Meaningful Use
- Converting from paper to electronic health records
- 3 applications monitored in addition to Epic; several customers monitor 12 to 16 additional applications that touch PHI
- 17 of 44 customers use DLP or SIEM in cooperation with FairWarning Patient Privacy Monitoring

Agenda
- Motivations for compliance and privacy
- Key elements for sustainable compliance
- User activity monitoring in a KPMG/OCR HIPAA audit
- Lessons learned from Epic-based environments
- Hands-on demonstration
- FairWarning achievement and educational programs
- Q&A
Why Compliance & Privacy Matters: Impacting Outcomes, Revenue and Lives
- OUTCOMES: 27% of US patients withhold medical information because of privacy concerns
- COMPLIANCE: User activity monitoring was found to be the #1 deficiency in the 115 HIPAA pilot audits, according to the Office for Civil Rights
- ADOPTION: More than 100,000 care providers have adopted EHRs and receive payments under Meaningful Use
- REPUTATION: 85% of patients say a care provider's reputation for protecting privacy influences their choice to seek care from that provider
- FINANCIAL DAMAGE: An estimated 2 million Americans are victims of medical identity theft each year, at an estimated total cost of $41 billion
Sources: New London Consulting US Survey; Ponemon Study; HHS.gov; OCR/NIST presentation on security compliance

Regulatory Framework for HIPAA Compliance
- HIPAA Audit Protocol: user activity monitoring; 2014 OCR HIPAA enforcement; #1 security gap from the pilot audits; patient privacy monitoring
- ARRA HITECH Meaningful Use: electronic health records; audit logs required; security risk analysis and correction of deficiencies
- Result: protect your reputation and position yourself for HIPAA compliance

Sustainable HIPAA Compliance for User Activity Monitoring
- Written appropriate-access policies
- Documented sanctioning program
- Automated enforcement of access policies
- Proactive alerting
- Consistent and documented investigation
- Governance and audit reporting
- Patient notification and governmental reporting
HIPAA Audit Protocol: FairWarning 3.1 Maps Directly to the OCR HIPAA Audit Protocol Security Requirements

164.308(a)(1)(ii)(D) Security Management Process
  Established performance criteria: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  Key activity: Develop and deploy the information system activity review process.
  Audit procedures:
    - Inquire of management as to whether formal or informal policy and procedures exist to review information system activities, such as audit logs, access reports, and security incident tracking reports.
    - Obtain and review formal or informal policy and procedures and evaluate the content in relation to the specified performance criteria to determine whether an appropriate review process for information system activities is in place.
    - Obtain evidence for a sample of instances showing implementation of the covered entity's review practices.
    - Determine whether the covered entity's policy and procedures have been approved and updated on a periodic basis.
  FairWarning solution: FairWarning Analytics and Reports enable review of information system activity such as audit logs and access reports. FairWarning Investigations centralize management and tracking of security incidents.

164.312(b) Audit Controls
  Established performance criteria: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  Key activity: Determine the activities that will be tracked or audited.
  Audit procedures:
    - Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI.
    - Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI.
  FairWarning solution: FairWarning Analytics record and examine activity in systems with ePHI. These Analytics can then be automated as Enforced Policies that proactively alert on any activity being tracked or audited.
HIPAA Audit Protocol: FairWarning 3.1 Maps Directly to the OCR HIPAA Audit Protocol Security Requirements (continued)

164.312(b) Audit Controls
  Established performance criteria: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  Key activity: Select the tools that will be deployed for auditing and system activity reviews.
  Audit procedures:
    - Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities.
    - Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.
  FairWarning solution: FairWarning's Ready Programs map to and support over 185 applications that touch ePHI. Nearly 50 applications have been fully certified by FairWarning to provide the data necessary to effectively audit access to ePHI.

164.312(b) Audit Controls
  Established performance criteria: as above.
  Key activity: Develop and deploy the information system activity review/audit policy.
  Audit procedures:
    - Inquire of management as to whether a formal or informal audit policy is in place to communicate the details of the entity's audits and reviews to the workforce.
    - Obtain and review formal or informal policies and procedures and evaluate the content in relation to the specified criteria to understand whether a formal audit policy is in place to communicate the details of the entity's audits and reviews to the workforce.
    - Obtain and review an email, or some other form of communication, showing that the audit policy is communicated to the workforce. Alternatively, a screenshot of the audit policy on the entity's intranet suffices.
  FairWarning solution: The FairWarning Implementation Toolkit is an open-copyright best-practices guide describing how other customers implemented formal audit policies and communicated them to the workforce.

164.312(b) Audit Controls
  Established performance criteria: as above.
  Key activity: Develop appropriate standard operating procedures.
  Audit procedures:
    - Inquire of management as to whether procedures are in place to determine the systems and applications to be audited and how they will be audited.
    - Obtain and review management's procedures for determining the systems and applications to be audited and how they will be audited.
  FairWarning solution: FairWarning centralizes where and how applications are audited. All systems touching ePHI can be audited through FairWarning Analytics and Reports. These audits can be automated as Enforced Policies, and all investigations can be centrally managed within the product. Governance and dashboard reports give executives a view of how effective the enforced policies are.
What OCR Wants to See
- Written privacy and security policies and procedures
- Evidence that you are following these policies and procedures
- A review of sample investigations, written sanctions, and the other means by which you respond to identified breaches

Most Common FairWarning Policies for an Epic Environment
- Quick Reports
- Activity Access Reports
- Break the Glass Access
- Co-worker and Employee Snooping Activity Reports
- Deceased and Discharged Patient Access Activity Report
- Neighbor Snooping Activity Report
- Simultaneous Logins Activity Report
- VIP Access Activity Report

FairWarning Ready: for predictable, consistent implementations
- Audit logs
- Authoritative user data
- Advanced patient data

Certified Solution Considerations
- Performance
- Optional filtering of audit events
- Primary care physician data available
- Active Directory integration
- Audit log consolidation
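The snooping, discharged-patient, VIP and simultaneous-login policies above are pattern rules evaluated over the EHR access log joined to the authoritative user data and patient data that FairWarning Ready asks for. The Python below is an added example written for this page; it is not FairWarning or Epic code. The audit-row layout, the employee and patient rosters, the care-team table, the ZIP-code neighbor match, the exempt departments and the 30-day grace window are all constructed assumptions chosen to show how five of the listed policies can be expressed as functions that return findings rather than as prose.

```python
"""Rule-based patient-privacy monitoring over a constructed EHR access log.
Added example for this page; not FairWarning or Epic code. All rosters,
identifiers and thresholds below are constructed assumptions."""
from datetime import datetime, timedelta

# Stand-in for the HR feed: user -> own chart (if a patient here), home ZIP, department.
EMPLOYEES = {
    "jdoe":   {"mrn": "MRN-100", "zip": "33701", "dept": "Billing"},
    "asmith": {"mrn": None,      "zip": "33702", "dept": "Nursing"},
    "bjones": {"mrn": None,      "zip": "33701", "dept": "Nursing"},
}
# Stand-in for patient registration: ZIP, VIP flag, date care ended (discharge or death).
PATIENTS = {
    "MRN-100": {"zip": "33701", "vip": False, "care_ended": None},
    "MRN-300": {"zip": "33701", "vip": False, "care_ended": "2013-08-15T10:00"},
    "MRN-400": {"zip": "33705", "vip": True,  "care_ended": None},
}
# Documented treatment relationships (user, MRN); any other access has no relationship.
CARE_TEAM = {("bjones", "MRN-300"), ("asmith", "MRN-400")}

# Constructed audit rows: (timestamp, user, workstation, action, MRN or None).
ACCESS_LOG = [
    ("2013-10-01T08:00", "asmith", "WS-12", "login",  None),
    ("2013-10-01T08:05", "asmith", "WS-12", "view",   "MRN-100"),  # co-worker jdoe's chart
    ("2013-10-01T08:10", "asmith", "WS-40", "login",  None),       # WS-12 session still open
    ("2013-10-01T08:15", "asmith", "WS-40", "view",   "MRN-400"),  # VIP, but on care team
    ("2013-10-01T09:00", "asmith", "WS-12", "logout", None),
    ("2013-10-01T09:30", "bjones", "WS-07", "login",  None),
    ("2013-10-01T09:31", "bjones", "WS-07", "view",   "MRN-300"),  # 47 days after discharge
    ("2013-10-01T09:32", "bjones", "WS-07", "view",   "MRN-400"),  # VIP, no relationship
    ("2013-10-01T09:40", "jdoe",   "WS-02", "login",  None),
    ("2013-10-01T09:41", "jdoe",   "WS-02", "view",   "MRN-300"),  # same ZIP, not on team
    ("2013-10-01T10:00", "asmith", "WS-40", "logout", None),
]

def _ts(s):
    return datetime.fromisoformat(s)

def _views(log):
    return [r for r in log if r[3] == "view"]

def coworker_snooping(log):
    """A chart belonging to another employee, opened by someone not on its care team."""
    owner = {e["mrn"]: u for u, e in EMPLOYEES.items() if e["mrn"]}
    return [(ts, u, mrn) for ts, u, _, _, mrn in _views(log)
            if mrn in owner and owner[mrn] != u and (u, mrn) not in CARE_TEAM]

def discharged_access(log, grace=timedelta(days=30), exempt=("Billing", "HIM")):
    """Access well after care ended; billing and records departments are exempt."""
    hits = []
    for ts, u, _, _, mrn in _views(log):
        ended = PATIENTS[mrn]["care_ended"]
        if ended and _ts(ts) - _ts(ended) > grace and EMPLOYEES[u]["dept"] not in exempt:
            hits.append((ts, u, mrn))
    return hits

def neighbor_snooping(log):
    """Patient shares the user's ZIP, is not the user, and no treatment relationship exists."""
    return [(ts, u, mrn) for ts, u, _, _, mrn in _views(log)
            if EMPLOYEES[u]["zip"] == PATIENTS[mrn]["zip"]
            and EMPLOYEES[u]["mrn"] != mrn and (u, mrn) not in CARE_TEAM]

def vip_access(log):
    """VIP chart opened without a documented treatment relationship."""
    return [(ts, u, mrn) for ts, u, _, _, mrn in _views(log)
            if PATIENTS[mrn]["vip"] and (u, mrn) not in CARE_TEAM]

def simultaneous_logins(log):
    """Same user logging in on a second workstation while a session is still open."""
    sessions, hits = {}, []  # user -> {workstation: login time}
    for ts, u, ws, act, _ in sorted(log, key=lambda r: r[0]):
        mine = sessions.setdefault(u, {})
        if act == "login":
            hits += [(ts, u, f"{other}+{ws}") for other in mine if other != ws]
            mine[ws] = ts
        elif act == "logout":
            mine.pop(ws, None)
    return hits

POLICIES = {
    "Co-worker and Employee Snooping": coworker_snooping,
    "Deceased and Discharged Patient Access": discharged_access,
    "Neighbor Snooping": neighbor_snooping,
    "VIP Access": vip_access,
    "Simultaneous Logins": simultaneous_logins,
}

def run_policies(log):
    """Return {policy name: findings} for every enforced policy that fired."""
    results = {}
    for name, rule in POLICIES.items():
        hits = rule(log)
        if hits:
            results[name] = hits
    return results

if __name__ == "__main__":
    for name, hits in run_policies(ACCESS_LOG).items():
        print(name)
        for ts, user, detail in hits:
            print(f"  {ts}  {user:<8}{detail}")
```

Each finding names the policy, the user, the patient (or workstation pair) and the time, which is the shape of evidence the audit protocol's "sample of instances" procedure asks for. A real deployment would match neighbors on street address rather than ZIP, take treatment relationships from the EHR's encounter and care-team tables, and feed break-the-glass events in as their own stream, but the rule set stays the same: every alert traces back to a written policy.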
FairWarning Demo

Enabling Sustainable HIPAA Compliance
- Compliance Dashboard: measurement of patient privacy monitoring and compliance effectiveness
- Privacy Dashboard: recent investigations, enforced policies, alerts and privacy reports
- Robust collaborative investigations: document the legally defensible position of the care provider
- OCR HIPAA Audit Protocol: direct mapping to 5 major areas in Audit Controls and System Activity Review
- Wide-scale support for FairWarning Ready: instant compatibility with every major EHR and over 185 applications used in healthcare
- Analytics Library: point-and-click best-practice analytics, reports and administration
FairWarning Achievement & Educational Programs www.privacyexcellenceawards.com
Contact Information
- Chris Arnold, FairWarning VP of Product Management, Chris@FairWarning.com
- Chuck Burbank, FairWarning Director of Managed Services, Chuck@FairWarning.com
- Kurt J. Long, FairWarning Founder, Kurt@FairWarning.com
- Twitter: @FairWarningInc