EMR Risk Mitigation and Optimization

Kelly Nueske, LarsonAllen LLP
Jenny O'Brien, Halleland Lewis Nilan & Johnson
January 21, 2005

Session Objectives
- Define potential risk/audit areas in electronic medical records: selection, implementation, operations
- Review both familiar and new risk areas related to electronic records
- Discuss possible approaches to assess risks and the effectiveness of audit controls
- Offer a multi-disciplinary view, focusing on the enabling technology and the resulting new operational risks

EMR: One Patient. One Record.
- Implementing Epic
- Single database architecture, supporting all of Allina's hospitals and clinics
- One of the country's largest, most integrated implementations
  - Scheduling/registration
  - CPOE, clinical information, care plans
  - Pharmacy, radiology, OR, ED
  - Professional and facility billing
- Pushing the limits of system design, capacity and integrated operation

EMR Selection Risks
- Clarity of desired system scope
  - Clinical only
  - Clinical and billing
  - Ancillary departments
  - CPOE or not
  - Scheduling
- Organizational status and culture
  - Degree of common clinical and business support processes
  - Operations ownership of the initiative
  - Physician relationships
  - Financial health
- Drivers for EMR implementation

Selection Risks (continued)
- Integration with existing environment
  - Network
  - Database
  - Interfaces to existing systems
  - Workstations
- Vendor fit/technology
  - Vendor experience with your implementation model
  - Capacity and architecture: scalability; administrative access and logging; reporting versus transaction loads
  - Configurability/flexibility of the application (good and bad)
  - Redundancy: built in, or need to develop

Organization Infrastructure
- Organizational culture and structure
  - Medical staff bylaws
  - Union contracts: impact on jobs; get their buy-in
  - Physician relationships
  - Common charging philosophy, fee schedules
  - Employed versus affiliated physicians
- Security and access philosophy for data
- Exposure and resolution of ineffective, inappropriate, sub-optimal workflows and processes

Organization Infrastructure (continued)
- Governance infrastructure to support maintenance and updating decision-making
  - Ownership of shared data
  - Integration pros and cons
  - Central versus local control/accountability for most everything
- Criteria for transitioning from implementation to support
- Application and workflow support
  - Where in the organization? Skill sets needed?
  - Physician and other caregiver support requirements
  - Patient safety response team and process
  - Maintenance and updating of workflows

Regulatory: Accreditation
- Core measures reporting
  - Very dependent on consistent workflow usage and adherence to documentation standards
  - Potential revenue impacts and accreditation issues
- Integrating JCAHO standards and CMS Conditions of Participation into workflows and functionality
  - Informed consent
  - Medication reconciliation
- Single system design vs. varied facilities' interpretation of regulations
- Procedures documentation and retention

Federal & State Regulations
- Occupational health records & pre-employment screening
  - Compliance with state laws & union contracts
  - Use of previous information for pre-employment screening
- Psychotherapy (HIPAA, federal and state regulations)
- Federally funded substance abuse programs
- Research studies
  - Integration of FDA requirements
  - Compliance with CFR statutes for EMR

Financial
- External audit
  - Extended implementation impact
  - General computer controls: change management; logical security
  - Dual systems: materiality, extra costs
- Benefits realization
  - Operational drivers to achieve

Financial (continued)
- Revenue impacts
  - Charging processes: supplies; injections; drugs/dosages on the MAR versus billing documentation
  - Accountability for monitoring volumes/dollars
- Claims activities
  - Creation
  - Denials
  - Write-offs/discounts
- Payer relief during implementation of the new system: relief of timely filing deadlines?

Clinical Practice Standards
- Scope of practice
- Use of protocols and clinical standards of care
- Management of duplicate orders
- Documentation standards for group notes
- Consistent follow-up on the increased volume of information
- Charting practices: batch versus real time
- Increased information on actual activities and timing

Medical Record Integrity
- Maintaining history of end-user name, licensure or credentialing changes, and the validation process
- Developing consistent data entry and data standards
- FYIs on charts
- Ensuring records integrity
  - Interface errors
  - Data entered on the wrong patient: deletion versus pointer removal
  - Finding data in an electronic chart
  - Data recovery after system outages
  - Flagging deceased patients
  - Timing of name change for adopted babies

Technology
- Risk versus work effort for testing changes
- IT technical staff expertise
- Maintenance and controls of multiple environments
- Disaster recovery planning (DRP) and testing
- Co-existence and synchronization of the business continuity plan and downtime procedures with the DRP
- Wide area network: load balancing, traffic prioritization and monitoring
- Change control
  - Programmatic
  - Configuration
  - Master table/file audit logs?
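Two of the integrity points above (an entry filed on the wrong patient, handled by pointer removal rather than deletion; and keeping the history of an end user's name so old signatures still attribute correctly) are easier to see in code than in a bullet. The following is an added illustration, not code from the presentation or from any EMR product. The chart, user directory, user ids (u42, u7), patient ids (P-1, P-2) and the note text are all constructed assumptions; a real system would back this with a database and its own audit subsystem.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added illustration; not the presentation's or any vendor's code. Timestamps
# are ISO-8601 strings, so plain string comparison orders them correctly.

@dataclass(frozen=True)
class Entry:
    entry_id: int
    patient_id: str
    author_uid: str                   # immutable user id, never a display name
    text: str
    filed_at: str
    supersedes: Optional[int] = None  # entry this one was re-filed from, if any

@dataclass(frozen=True)
class AuditEvent:
    at: str
    actor_uid: str
    action: str                       # "file", "retract" or "refile"
    entry_id: int
    detail: str

class Chart:
    """Pointer removal instead of deletion: a wrong-patient entry is retracted
    (hidden from that patient's view) and re-filed on the right patient; the
    original row is kept so the audit trail and recovery still work."""

    def __init__(self) -> None:
        self._entries: Dict[int, Entry] = {}
        self._retracted: Dict[int, str] = {}   # entry_id -> reason
        self.audit: List[AuditEvent] = []
        self._next_id = 1

    def file(self, patient_id: str, author_uid: str, text: str, at: str,
             actor_uid: Optional[str] = None, supersedes: Optional[int] = None) -> int:
        eid = self._next_id
        self._next_id += 1
        self._entries[eid] = Entry(eid, patient_id, author_uid, text, at, supersedes)
        action = "file" if supersedes is None else "refile"
        self.audit.append(AuditEvent(at, actor_uid or author_uid, action, eid,
                                     f"patient={patient_id} supersedes={supersedes}"))
        return eid

    def retract(self, entry_id: int, actor_uid: str, reason: str, at: str) -> None:
        if entry_id not in self._entries:
            raise KeyError(entry_id)
        if entry_id in self._retracted:
            raise ValueError(f"entry {entry_id} already retracted")
        self._retracted[entry_id] = reason          # pointer removed, row kept
        self.audit.append(AuditEvent(at, actor_uid, "retract", entry_id, reason))

    def move_to_correct_patient(self, entry_id: int, actor_uid: str,
                                correct_patient: str, at: str) -> int:
        """Retract, then re-file with a back-pointer so the correction is traceable."""
        original = self._entries[entry_id]
        self.retract(entry_id, actor_uid,
                     f"entered on wrong patient; moved to {correct_patient}", at)
        return self.file(correct_patient, original.author_uid, original.text, at,
                         actor_uid=actor_uid, supersedes=entry_id)

    def view(self, patient_id: str) -> List[Entry]:
        """What a clinician sees: only entries whose pointer is still active."""
        return [e for e in self._entries.values()
                if e.patient_id == patient_id and e.entry_id not in self._retracted]

    def __contains__(self, entry_id: int) -> bool:
        return entry_id in self._entries            # still true after retraction

    def get(self, entry_id: int) -> Entry:
        return self._entries[entry_id]

class UserDirectory:
    """Keeps every display name a user id has had, so a note signed before a
    name, licensure or credential change is still attributed correctly."""

    def __init__(self) -> None:
        self._names: Dict[str, List[Tuple[str, str]]] = {}  # uid -> [(from, name)]

    def rename(self, uid: str, name: str, effective_from: str) -> None:
        self._names.setdefault(uid, []).append((effective_from, name))
        self._names[uid].sort()

    def name_at(self, uid: str, when: str) -> str:
        current = None
        for effective_from, name in self._names.get(uid, []):
            if effective_from <= when:
                current = name
        if current is None:
            raise LookupError(f"{uid} had no name on record at {when}")
        return current

def demo() -> dict:
    """Constructed scenario: a note filed on P-1 that belonged to P-2, corrected
    by user u7; the author u42 later changes her name."""
    users = UserDirectory()
    users.rename("u42", "Jane Smith", "2004-01-01T00:00:00Z")
    users.rename("u42", "Jane Doe", "2005-06-01T00:00:00Z")
    chart = Chart()
    wrong = chart.file("P-1", "u42", "BP 128/82, afebrile", "2005-03-01T09:15:00Z")
    fixed = chart.move_to_correct_patient(wrong, "u7", "P-2", "2005-03-01T10:02:00Z")
    return {
        "p1_visible": [e.entry_id for e in chart.view("P-1")],
        "p2_visible": [e.entry_id for e in chart.view("P-2")],
        "original_retained": wrong in chart,
        "back_pointer": chart.get(fixed).supersedes,
        "actions": [ev.action for ev in chart.audit],
        "author_when_signed": users.name_at("u42", chart.get(wrong).filed_at),
        "author_today": users.name_at("u42", "2005-12-31T00:00:00Z"),
    }
```

The design choice worth noting is that nothing is ever removed from `_entries`: the wrong-patient view goes empty because the pointer is gone, the corrected entry carries `supersedes` back to the original, and the audit trail records who retracted and who re-filed, which is exactly what an auditor needs to reconstruct the event after the fact.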

Privacy & Security
- Employees accessing their own medical record and the records of family members
- Physician access to patient data
  - Single database security versus monitoring
  - Physicians' concern about their competitors' access to their patients' data
- Conflicting state/federal regulations
- Designated record set definition
- Outside reviewers' access & monitoring of their activities
- Criteria for business associates' remote access
- Disclosures tracking (single database)
- Monitoring and enforcement of company policies
- Design & philosophy of access monitoring vs. a complex security structure

Compliance & Audit Strategies
- Get involved: push for membership on oversight groups
- Educate yourself and your staff
  - Project documents
  - Vendor training
- Readiness assessments
  - Computer skills
  - Organizational focus, key operations roles assignments
  - Physician readiness for CPOE
  - Organizational model for managing physician issues

Compliance & Audit Strategies (continued): Sample Projects
- Validation of project progress reporting
- Testing documentation by clinical and business support staff
- Transfer-of-care workflow testing
- Security/access design and implementation
- Disaster recovery review
- Business continuity/downtime procedures/recovery plans by departments and sites
- Interfaces: development methodology and testing controls
- Data conversions: methodology and testing controls
- Change management controls: programmatic, master files/tables, systems infrastructure
- Billing compliance 2-4 months post go-live for each site
- Auditors' unique training needs

Compliance & Audit Strategies (continued): Privacy and Security
- Participate in the oversight or steering committee
- Review profiles and access
- Assess monitoring plans and activities
- Review the sanctions process and its actual use
- Review disclosures reporting and process
- Perform facility walk-throughs
  - Locations of monitors and visibility to the public
  - Use of screen savers, password protection
  - Generic workstations?
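"Review profiles and access" and "assess monitoring plans" become concrete once there is an access log to run rules over. The following is an added example, not code from the presentation or from any EMR vendor's monitoring product, of the checks an auditor would want for the privacy concerns raised on the earlier Privacy & Security slide: an employee opening their own record, a likely family member's record, or a chart with no treatment relationship, plus the per-user tally that feeds a sanctions review. The audit-log rows, the user and patient directories, the care-team table, the role exemptions and the surname-plus-address family heuristic are all constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample export (not from any real system): one row per chart
# access, as an EMR audit log might present it.
ACCESS_LOG = """\
ts,user_id,role,patient_id,action,reason
2005-01-20T08:02:11Z,u100,nurse,P-500,view,treatment
2005-01-20T08:10:45Z,u100,nurse,P-777,view,treatment
2005-01-20T09:30:00Z,u100,nurse,P-778,view,treatment
2005-01-20T11:15:02Z,u200,physician,P-501,view,treatment
2005-01-20T12:40:19Z,u300,billing,P-501,view,billing
2005-01-20T13:05:33Z,u200,physician,P-600,view,treatment
2005-01-20T22:48:07Z,u200,physician,P-601,view,emergency
"""

# Each user's own patient id (employees are patients too) and the surname and
# home address used by the family heuristic. Constructed.
USERS = {
    "u100": {"patient_id": "P-777", "surname": "Ortega", "address": "12 Elm St"},
    "u200": {"patient_id": "P-900", "surname": "Lee",    "address": "4 Oak Ave"},
    "u300": {"patient_id": None,    "surname": "Kim",    "address": "9 Pine Rd"},
}
PATIENTS = {
    "P-500": {"surname": "Ng",     "address": "1 Main St"},
    "P-501": {"surname": "Lee",    "address": "88 Birch Ln"},   # same surname as u200, different home
    "P-600": {"surname": "Brown",  "address": "3 Cedar Ct"},
    "P-601": {"surname": "Patel",  "address": "5 Spruce Way"},
    "P-777": {"surname": "Ortega", "address": "12 Elm St"},
    "P-778": {"surname": "Ortega", "address": "12 Elm St"},    # u100's household
}
# Treatment relationship: users with an active encounter on the patient. Constructed.
CARE_TEAM = {
    "P-500": {"u100"},
    "P-501": {"u200"},
    "P-600": {"u200"},
    "P-601": set(),    # no encounter on file; "emergency" reason is break-the-glass
    "P-777": set(),
    "P-778": set(),
}
# Roles whose job legitimately requires chart access without a treatment relationship.
NON_TREATMENT_ROLES = {"billing", "him", "compliance"}

Finding = Tuple[str, str, str, str]   # (kind, user_id, patient_id, ts)

def review(log_text: str) -> List[Finding]:
    """Run the monitoring rules over an audit-log export and return findings
    in log order for an auditor to work."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        uid, pid, ts = row["user_id"], row["patient_id"], row["ts"]
        user, patient = USERS[uid], PATIENTS[pid]
        if user["patient_id"] == pid:            # employee opened their own chart
            findings.append(("self_access", uid, pid, ts))
            continue
        # Family heuristic: surname alone is too noisy, so require the address too.
        if (user["surname"], user["address"]) == (patient["surname"], patient["address"]):
            findings.append(("possible_family_access", uid, pid, ts))
        if uid not in CARE_TEAM[pid] and row["role"] not in NON_TREATMENT_ROLES:
            kind = ("break_glass_review" if row["reason"] == "emergency"
                    else "no_treatment_relationship")
            findings.append((kind, uid, pid, ts))
    return findings

def sanctions_summary(findings: List[Finding]) -> Dict[str, Counter]:
    """Per-user tally of finding kinds: the input to a sanctions-process review."""
    by_user: Dict[str, Counter] = defaultdict(Counter)
    for kind, uid, _pid, _ts in findings:
        by_user[uid][kind] += 1
    return dict(by_user)

if __name__ == "__main__":
    for kind, uid, pid, ts in review(ACCESS_LOG):
        print(f"{ts} {uid} -> {pid}: {kind}")
    print(sanctions_summary(review(ACCESS_LOG)))
```

On the constructed log this flags u100 three times (own record, a household member's record, and that same access having no treatment relationship) and puts u200's after-hours emergency access into a break-the-glass review queue rather than treating it as a violation outright; u300's billing access and u200's access to a same-surname patient at a different address produce nothing, which is the point of tying exemptions to role and of not matching on surname alone. In practice the care-team table would come from the scheduling and encounter data the deck lists under "Scheduling/Registration", and the thresholds would be tuned against the organization's own sanctions policy.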

Lessons Learned
- Develop relationships with key management in the project and in operations
- Provide impartial eyes and ears; develop the audit plan/projects in coordination with project/operations management
- Connect with other risk groups in your organization: Law, Compliance, Risk Management, Quality, IT, Internal Audit
- Develop a risk plan and a business unit implementation/risk plan
- Connect with other organizations: compare strategies, frustrations, successes

Lessons Learned (continued)
- Look for gaps in the organization's supporting infrastructure
  - EMR with CPOE requires major changes in workflows
  - Integration of clinical systems with billing systems increases complexity
  - New approaches are required for issue resolution, training, reporting and support functions
  - The organization may need to create different infrastructures
- Pursue participation in key oversight groups and implementation teams
- Optimization takes time and effort

Kelly Nueske, Manager
Leader, Risk Management & Performance Improvement Services
Phone: 612.376.4739
knueske@larsonallen.com

Jenny O'Brien, Attorney at Law
Shareholder, Halleland Lewis Nilan & Johnson
Phone: 612.573.2968
jobrien@halleland.com