SUMMARY OF Proactive Monitoring Procedures



Similar documents
HIPAA, Minnesota s Health Records Act, and Psychotherapy Notes

Logging and Auditing in a Healthcare Environment

The HIPAA Audit Program

HIPAA Compliance Review Analysis and Summary of Results

CHIS, Inc. Privacy General Guidelines

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Montclair State University. HIPAA Security Policy

Our Commitment to Information Security

Overview of the HIPAA Security Rule

8.03 Health Insurance Portability and Accountability Act (HIPAA)

HIPAA and HITECH Compliance for Cloud Applications

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

How to Use the NYeC Privacy and Security Toolkit V 1.1

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HIPAA Privacy Policies & Procedures

University of Wisconsin-Madison Policy and Procedure

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

SCAC Annual Conference. Cybersecurity Demystified

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

DISCLAIMER HEALTH INFORMATION PRIVACY POLICIES & PROCEDURES

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA Privacy & Security White Paper

Information Security Plan May 24, 2011

HIPAA Security. assistance with implementation of the. security standards. This series aims to

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Building a Culture of Health Care Privacy Compliance

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

How Managed File Transfer Addresses HIPAA Requirements for ephi

SECURITY RISK ASSESSMENT SUMMARY

The CIO s Guide to HIPAA Compliant Text Messaging

Personal Health Information Privacy Policy

What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue

ALERT LOGIC FOR HIPAA COMPLIANCE

View the Replay on YouTube. Sustainable HIPAA Compliance: Enhancing Your Epic Reporting. FairWarning Executive Webinar Series October 17, 2013

Sustainable Compliance: A System for Ongoing Audit Readiness

PHI- Protected Health Information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

Who is looking at your electronic health record?

VMware vcloud Air HIPAA Matrix

ehealth and Health Information Exchange in Minnesota

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

SCDA and SCDA Member Benefits Group

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

Healthcare and IT Working Together KY HFMA Spring Institute

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

HIPAA and Mental Health Privacy:

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Healthcare Compliance Solutions

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Iowa Health Information Network (IHIN) Security Incident Response Plan

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

HIPAA Security Alert

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Definitions: Policy: Duties and Responsibilities: The Privacy Officer will have the following responsibilities and duties:

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

HIPAA/HITECH Compliance Using VMware vcloud Air

2014 Core Training 1

HIPAA 101: Privacy and Security Basics

HIPAA Security COMPLIANCE Checklist For Employers

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA Compliance Evaluation Report

Authorized. User Agreement

Transcription:

SUMMARY OF Proactive Monitoring Procedures for Secure Individual Identifiable Health Information OCTOBER 2014 Minnesota E-Health Initiative & the Minnesota Department of Health, Office of Health Information Technology P.O. Box 64882 85 East Seventh Place, Suite 220, St. Paul, MN. 55164-0882 www.health.state.mn.us/e-health/index.html MN.eHealth@state.mn.us

Table of Contents Acknowledgements...1 Purpose...2 Background...2 Minnesota Health Records Access Study Data...2 Minnesota e-health Privacy Security Workgroup...3 Proactive Monitoring Procedures...3 Table 1: Summary of Proactive Monitoring Procedures...4 Strong Trust Fabric to Ensure Secure Electronic Health Information...6 Acknowledgements The Minnesota Department of Health thanks the many members of the Minnesota e-health Initiative and the Minnesota e-health Privacy and Security workgroup for their time, leadership and expertise in developing and endorsing this piece. Minnesota e-health Privacy and Security Workgroup Co-Chairs Laurie Beyer-Kropuenske, JD LaVonne Wieland, RHIA, CHP Director, Information Policy Analysis Division System Director Compliance & Privacy Compliance Minnesota Department of Administration HealthEast Care System Special Advisor Vicki Clevenger, Vice President of Compliance & Audit and Chief Compliance and Privacy Officer, Essentia Health Other Advisors and Project Support Stacie Christensen, Information Policy Analysis Division, Minnesota Department of Administration Bob Johnson, Office of Health Information Technology, Minnesota Department of Health Lisa Moon, Office of Health Information Technology, Minnesota Department of Health 1

Summary of Proactive Monitoring Procedures for secure individual identifiable health information Purpose This document provides a summary of proactive monitoring procedures identified through the Minnesota e-health Privacy Security Workgroup. This document is meant to be a resource tool for providers and health care organizations and should be used to support compliance programing. Feedback or questions? Email mn.ehealth@state.mn.us Background Strong compliance programs are built on privacy, security and compliance functions. Based on both state and federal law, these functions and related activities are necessary so that the patient, who is at the center of the information exchange transaction, can have trust and confidence that their individually identifiable health information is safe within the electronic health record system and when shared with other health care providers. Minnesota Health Records Access Study Data The Minnesota Health Records Access Study (HRAS, 2013) conducted a survey of a random sample of 25% of Minnesota hospitals and ambulatory clinics that use electronic health record systems. Additionally, the study conducted three focus groups of Minnesota health information management and privacy experts. The HRAS found that monitoring unauthorized access to a patient s health record is completed through both proactive and reactive methods that are not standardized. Figure 1 shows the most common monitoring procedure was completed in response to a patient complaint. FIGURE 1: Methods for Monitoring, Compliance Checks, and Audit Procedures to determine Unauthorized Access to Patient Electronic Health Records Action initiated in response to patient complaint Action intiated based on alert or flag generated by electronic health record system Other basis for monitoring, compliance checks, and/or audit procedures Do not monitor, check compliance, or audit for intentional, unauthorized access to patient electronic health records Total (n=212) Clinic (n=183) Hospital (n=29) 8% 9% 3% 34% 54% 57% 63% 60% 0% 20% 40% 60% 80% 100% Percent of Responding Facilities 87% 86% 90% 83% SOURCE:, 2012-2013 Health Record Access Survey 2

The survey data showed that more than half of all respondents (54%) initiate action based on proactive monitoring of alerts or flags generated by an electronic health record system, with 57% of clinics and 34% of hospitals reporting that they perform monitoring, compliance checks and audits based on this information. Nine percent of clinics and eight percent of hospitals indicated that they do not monitor, check compliance, or audit to determine whether intentional, unauthorized access to a patient s EHR has occurred. This may indicate a number of things, including that some EHRs are still not fully implemented or that some systems lack generated alerts in their EHR. It may also be an indication that tools, resources and processes are not in place to complete the needed monitoring process at these sites. In focus group discussions, participants noted they are In focus group discussions, participants noted they are always seeking robust always seeking robust and and creative ways to safeguard patient information and that learning from what other organizations are doing can be very helpful. Participants also noted that creative ways to safeguard they have systematic auditing, monitoring and compliance policies and procedures in place for both internal and external unauthorized access to patient patient information and that health records. These core procedures for securing health information appear learning from what other to be more similar than different across organizations, though the processes organizations are doing for monitoring and auditing may differ from one health care entity to the other can be very helpful. based on organizational policies. Most reported going above and beyond the regulations that govern monitoring of electronic health information. Minnesota e-health Privacy Security Workgroup The HRAS report recommended that best practices and existing national standards be identified for proactive and reactive monitoring procedures. These procedures should be used as part of a larger compliance program in a health care organization or health care setting to detect unauthorized access to electronic protected health information. In response to this recommendation, the Minnesota e-health Privacy Security Workgroup convened to discuss, identify and develop a summary of existing proactive monitoring procedures that can be shared with healthcare organizations statewide. Proactive Monitoring Procedures Proactive Monitoring Procedures are only one function within a larger and more robust compliance program. Proactive Monitoring Procedures should be used in conjunction with other administrative, technical, physical frameworks outlined in the Health Insurance Portability and Accountability Act (HIPAA) 1 to ensure the safe and secure use, disclosure and exchange of electronic health information. This federal regulation and the Minnesota Health Records Act 2 create the legal framework on which personally identifiable health information is protected in Minnesota. Table 1 is a summary of proactive monitoring procedures that were identified through discussion of the Minnesota e-health Privacy Security Workgroup using consensus methodologies. This is a resource tool for health care providers and organizations to use as part of larger compliance efforts. Some or all of these methods should be implemented in a healthcare setting to strengthen monitoring and audit activities used to detect unauthorized and impermissible access of patient electronic health information. 1 Pub. L. No. 104-191, 110 Stat 1936 (codified in sections of 18, 26, 29, and 42 U.S.C.), 65 Fed. Reg. 82,474 (Dec. 28, 2000) and 45 C.F.R. 160 and 164 modifications made for the HIPAA final rule effective March 26, 2013 2 Minn. Stat. 144.293-298 3

Table 1: Summary of Proactive Monitoring Procedures Proactive Monitoring Procedures: Organized from less technical to more automated PROCEDURE HOW METHOD IS USED EXAMPLES Staff Education to promote a culture of awareness Conducting privacy rounds and physical monitoring of building and activities Tracking and Trending Monitoring Electronic Health Record access to records of High Profile Patients Performing Random Focused Audits of Electronic Health Record access Conducting Planned and Scheduled Education, Training and Communication Target Audience: Employee Medical Staff Contractor Volunteer Students Compliance staff are visible and accessible in health care setting or organization Baseline tracking and ongoing trending of incidents or unusual patterns of activity Tracking access of EHR by staff and contractors when high profile patients or clients access medical care Manual random audits that are created based on case by case need 1. Use training events as a time to ask for staff feedback or questions related to health information safety 2. Results and feedback can be used as a way to monitor perceived risks to the organization 3. Sending compliance reminder emails routinely 4. Annual Staff Training on Privacy Security Topics 1. Physical Walk-Through of facility to monitor staff 2. Use an official audit tool to complete a walkthrough of an area 3. Review physical safeguards including security of documents, verbal disclosures, proper disposal, white boards/bulletin boards, etc. 4. Review technical safeguards- unattended computer monitors, use of computer lock outs, etc. 5. Review staff knowledge and understanding of privacy-related matters (e.g. how do they manage PHI, how to report a privacy concern/ask questions, etc.) 6. Ask staff what help they need to protect PHI better within their area 7. Generate an official report with action plans to ensure accountability 1. Use results to build monitoring/auditing 2. Identification of educational needs 3. May lead to needed updates in policies, procedures, training, etc. 1. Monitor Current Events: Someone in news/missing persons Using Google alerts Vulnerable populations VIP (e.g. public figures, celebrities, retired clergy, board members, highly visibility employees/ members of medical staff, etc.) 1. Medical emergency actions 2. Work unit audit logs: Sorting by job titles Use of data analytics tools 4

Proactive Monitoring Procedures: Organized from less technical to more automated, CONTINUED PROCEDURE HOW METHOD IS USED EXAMPLES Conduct Systematic Audits of Electronic Health Record Access - Either random/periodic audits or continuous auditing Monitoring Electronic Health Record use of Break the Glass type tools Trending Electronic Health Record Access Data followed by Focused Audits Other related Monitoring Activities Using audit and business intelligence tools NOTE: the more specific the criteria used in predictive analytics, the less likely false positives or significant investigative work to rule in possible matches Set-up to deter unauthorized access to record and flag access to records for any reason Review data and assess for frequency of access and review users with higher utilization than their peer groups Timely user ID / Access Administration EHR audit logs Monitoring Remote Network Access 1. Audit criteria can be selected based upon most common risk areas across health care providers or within a covered entity. Organizations with more complex tools are able to layer several pieces of criteria and databases to focus in on possible issues (e.g. medical record and employee database). Examples include: Same last name Spouse/child/ emergency contact match Same address or address within certain radius (e.g. three blocks) Guarantor match Health insurance ID match Department or location mismatch Records accessed six months after last date of service/patient death 1. Whenever going into a patient s chart who hasn t been seen by that facility 2. High Profile patients 3. Medical emergencies 4. Employee records 5. Place on accounts as a risk mitigation strategy for those who have had breaches or at patient s request 1. Review date and time of access and compare to work schedules 2. Evaluate high utilization and access by staff and/or contractors 3. Look for trends that point to uncharacteristic access of patient records 1. Most organizations have multiple applications that store, retrieve and access ephi. Keeping appropriate user access up to date is critical for each ephi application. This includes terminated employees/ contractors, people changing jobs/roles, etc. 1. Keeping up to date audit logs secure 2. Controlling access to audit logs 1. Monitoring of firewalls, settings, access attempts, etc. is important 5

Strong Trust Fabric to Ensure Secure Electronic Health Information Proactive Monitoring Procedures in health care settings are necessary and required. The ongoing work of the Minnesota e-health Privacy Security Workgroup and the Minnesota ehealth Initiative supports sound privacy and security practices for the management of electronic health information that build patient trust and secure patient confidence. Without patient trust and confidence, the sharing of health information is limited or nonexistent, increasing the opportunity for negative care results, poor quality, gaps or delays in the delivery of care, and increased redundancy and costs in the health care system. To establish this trust relationship, the patient must be confident in the security measures that have been applied for the protection and exchange of their electronic protected health information. The secure exchange of health information between providers is achievable when well-documented standards and tools for health information security are implemented in all care settings. The secure exchange of health information between providers is achievable when well-documented standards and tools for health information security are implemented in all care settings. To accomplish this, a health care system must support a framework of compliance that is built on preserving the integrity of the data, while facilitating the secure exchange of health information between providers to promote optimal health care. It is within this framework that the fabric of patient trust and confidence can grow, and meaningful exchange of health information can take place. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information