Is Your EHR Safe? New Technologies for Auditing


description

U.S. legislation such as the Affordable Care Act, HIPAA and HITECH outline rules governing the appropriate use of personal health information (PHI). Unfortunately, current technologies do not adequately monitor PHI use. In particular, while electronic medical record (EMR) systems maintain detailed audit logs that record each access to PHI, the logs contain too many accesses for compliance officers to practically monitor, putting PHI at risk. In this talk I will present the explanation-based auditing system, which aims to filter appropriate accesses from the audit log so compliance officers can focus their efforts on suspicious behavior. The underlying premise of the system is that most appropriate accesses to medical records occur for valid clinical or operational reasons in the process of treating a patient, while inappropriate accesses do not. I will discuss how explanations for accesses (1) capture these clinical and operational reasons, (2) can be mined directly from the EMR database, (3) can be enhanced by filling in frequently missing types of data, and (4) can drastically reduce the auditing burden.

Transcript of Is Your EHR Safe? New Technologies for Auditing

Page 1: Is Your EHR Safe? New Technologies for Auditing

855.85HIPAA www.compliancygroup.com

Industry leading Education

Certified Partner Program

• Please ask questions
• For today's slides: http://compliancy-group.com/slides023/
• Today's & past webinars go to: http://compliancy-group.com/webinar/

Get Involved.

#cgwebinar

Page 2: Is Your EHR Safe? New Technologies for Auditing

Daniel Fabbri
Founder & CEO of Maize Analytics

Assistant Professor at Vanderbilt University

Page 3: Is Your EHR Safe? New Technologies for Auditing

Electronic Medical Records

Page 4: Is Your EHR Safe? New Technologies for Auditing

Problem: Insecure Data

1. Open access environment

2. Millions of accesses per week

3. Patient care is dynamic

Page 5: Is Your EHR Safe? New Technologies for Auditing

Regulations

HIPAA, HITECH, and Affordable Care Act
• Minimal requirements to access PHI
• Security monitoring requirements
• Penalties and fines for breaches

Page 6: Is Your EHR Safe? New Technologies for Auditing

Paper-Bag Security

“Nancy, I’m not sure that’s what HIPAA had in mind.”

Page 7: Is Your EHR Safe? New Technologies for Auditing

Basic Security Mechanisms

Fine-grained access controls

Permission escalation: “Are you sure you want to continue?” WARNING

Page 8: Is Your EHR Safe? New Technologies for Auditing

Current Approaches

Compliance officers manually review complaints

Flag “suspicious” types of accesses: (i) same last name, (ii) co-workers, (iii) neighbors

Page 9: Is Your EHR Safe? New Technologies for Auditing

Audit Limitations

• Most accesses audited are appropriate

• Investigations can take days or weeks to complete

• Potential alert avalanches (turn system off)

Page 10: Is Your EHR Safe? New Technologies for Auditing

Objective

Provide compliance officers the ability to quickly and accurately find inappropriate access from audit logs.

Page 11: Is Your EHR Safe? New Technologies for Auditing

Observation

Most appropriate accesses occur for valid clinical or operational reasons.

“Authorized access is limited to those with the need to know for purposes of patient care, billing, medical record review and quality assurance.”

University of Michigan Health System Screen Saver

Page 12: Is Your EHR Safe? New Technologies for Auditing

Explanation-Based Auditing System (EBAS)

[Figure: “Approach: Explanation-Based Auditing”. Diagram labels: Medical Record, Audit Log, “Valid Reason for Access?”, Appropriate, Suspicious]

Filter accesses so there are fewer for manual review.

Page 13: Is Your EHR Safe? New Technologies for Auditing

Filter Based On Data Stored In The EMR

Page 14: Is Your EHR Safe? New Technologies for Auditing

What is an Explanation?

[Screenshot: Explanation-Based Auditing web interface, 2/17/14, 127.0.0.1:8000/user_data/explanation/, page 1/2]

Manage Data, Explore Data, Manage Edges, Manage Explanations, Diagnosis, Responsibility

Create Explanations, Mine Explanations, Test Explanations, Explanation Reports, Delete Explanations

Explanations

An explanation captures the clinical or operator reason for access. Explanations are represented as paths connecting the patient whose record is accessed (i.e., Audit Log->Patient ID) to the employee accessing the record (i.e., Audit Log->Employee ID). Paths are constructed by linking multiple edges together.

7 explanations!

Active | Training Frequency | Description | Explanation Graph
False | 0.333 | Medication | View
True | 0.333 | Appointment | View

Evidence->Audit Log->Employee ID

Evidence->Audit Log->Patient ID

Evidence->Appointment->Patient ID

Evidence->Appointment->Employee ID

True | 0.167 | RepeatAccess | View
False | 0.167 | Floor + Floor | View
False | 0.500 | Appointment+Department | View

Explanation-Based Auditing [email protected]

Connection between the patient and employee accessing the patient’s record

Page 15: Is Your EHR Safe? New Technologies for Auditing

Explanation Recommendations

Find frequently occurring explanations
• Graph search problem

Recommend explanations to compliance officers
• Approve correct explanations
• Use to filter future appropriate accesses

Page 16: Is Your EHR Safe? New Technologies for Auditing

Limitations

Basic explanations are effective for doctors, not supporting staff (e.g., nurses, pharmacists, central staffing, etc.)

Appointments are made with doctors, not nurses. This lack of data causes missed explanations

Page 17: Is Your EHR Safe? New Technologies for Auditing

Enhance Explanations

1. Automatically fill in missing data:
• Oncologists treat cancer patients
• Pediatric nurses work with pediatric physicians

[Figure labels: Pediatric nurse, Pediatric physician, Hospital Employees]

Page 18: Is Your EHR Safe? New Technologies for Auditing

Enhance Explanations

[Screenshot: Explanation-Based Auditing web interface, 2/17/14, 127.0.0.1:8000/user_data/explanation/, page 2/2]

False | 0.500 | Medication+Department | View
False | 0.167 | Icd + Department To Icd + Department | View

Evidence->Audit Log->Employee ID

Evidence->Audit Log->Patient ID

Employee Info->Department->Info Value

Employee Info->Department->Employee ID

Department to ICD->Department To Icd->icd

Department to ICD->Department To Icd->department

Patient Info->Icd->Patient ID

Patient Info->Icd->Info Value

© Maize Analytics 2014

1. Automatically fill in missing data:
• Oncologists treat cancer patients
• Pediatric nurses work with pediatric physicians

2. Mine new explanations:

“The access occurred because Dr. Dave is an oncologist, oncologists treat cancer and Alice has cancer”
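The path-based filtering described on the explanation slides, as an added Python example that is not part of the original deck or of EBAS itself: each explanation is a chain of joins from the audit log's patient ID to its employee ID, and accesses with no connecting path are left for manual review. The table names, column names, IDs and rows are constructed assumptions.

```python
# Added illustration: explanation-based filtering of an EMR audit log.
# All table names, column names, IDs and rows are constructed sample data.
TABLES = {
    "appointment": [{"patient": "alice", "employee": "dr_dave"}],
    "patient_icd": [{"patient": "alice", "icd": "C50"},
                    {"patient": "bob", "icd": "J45"}],
    "department_to_icd": [{"department": "oncology", "icd": "C50"}],
    "employee_department": [{"employee": "dr_dave", "department": "oncology"},
                            {"employee": "nurse_nia", "department": "oncology"},
                            {"employee": "clerk_cy", "department": "billing"}],
}
# An explanation is a path of edges. Each edge (table, in_col, out_col) joins
# the values reached so far on in_col and carries forward out_col.
EXPLANATIONS = {
    "Appointment": [("appointment", "patient", "employee")],
    "Icd+Department": [("patient_icd", "patient", "icd"),
                       ("department_to_icd", "icd", "department"),
                       ("employee_department", "department", "employee")],
}

def reachable_employees(patient, path, tables=TABLES):
    """Follow the path from the audit log's patient ID; return employee IDs reached."""
    frontier = {patient}
    for table, in_col, out_col in path:
        frontier = {row[out_col] for row in tables[table] if row[in_col] in frontier}
    return frontier

def explain(access, active, explanations=EXPLANATIONS):
    """Return the first active explanation linking patient to employee, else None."""
    for name in active:
        if access["employee"] in reachable_employees(access["patient"], explanations[name]):
            return name
    return None

def filter_log(audit_log, active):
    """Split the log into explained accesses and those left for manual review."""
    explained, review = [], []
    for access in audit_log:
        name = explain(access, active)
        (explained if name else review).append((access["employee"], access["patient"], name))
    return explained, review

AUDIT_LOG = [  # constructed sample accesses
    {"employee": "dr_dave", "patient": "alice"},
    {"employee": "nurse_nia", "patient": "alice"},
    {"employee": "clerk_cy", "patient": "alice"},
    {"employee": "dr_dave", "patient": "bob"},
]
```

With only the Appointment explanation active, the nurse's access to Alice's record stays unexplained because appointments are made with doctors; activating the department-to-ICD path explains it and leaves two accesses for review.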

Page 19: Is Your EHR Safe? New Technologies for Auditing

High-Level Results

95% of accesses in one-week sample filtered with high precision

Ongoing trials at major hospitals to evaluate effectiveness

See VLDB 2011, JAMIA 2012 publications

Page 20: Is Your EHR Safe? New Technologies for Auditing

Practical Example

• US hospital audited accesses for 1 patient over a few weeks

• 500+ accesses normally audited manually

• EBAS filtered the list down to 5 for manual review

Page 21: Is Your EHR Safe? New Technologies for Auditing

Integrated Analytics

• Search for outliers, then drill down with EBAS

Analyze high usage employees

Page 22: Is Your EHR Safe? New Technologies for Auditing

Deployment

Many hospitals will not release data to the cloud…yet

Hospitals download VM and run locally!

Page 23: Is Your EHR Safe? New Technologies for Auditing

Data Extraction

How to get data into the auditing system?

Reporting System (e.g., Epic’s Clarity)

Text File

All within the hospital

Page 24: Is Your EHR Safe? New Technologies for Auditing

Investigation Management

Page 25: Is Your EHR Safe? New Technologies for Auditing

Short Video Summary

Putting the pieces together! https://www.youtube.com/watch?v=gDEcgVwIgSU

Page 26: Is Your EHR Safe? New Technologies for Auditing

Why Use EBAS?

• busy / too many audits / too much manual effort
• need for automation / need for improved HIPAA procedures
• worried about OCR audits / want more proactive tools
• want published & peer-reviewed technology
• looking for a different approach to auditing

Email us for faster HIPAA audits! [email protected]

Page 27: Is Your EHR Safe? New Technologies for Auditing

Questions?

Page 28: Is Your EHR Safe? New Technologies for Auditing

Free Demo and 60 Day Evaluation
www.compliancy-group.com

855 85 HIPAA (855.854.4722)

The Guard:

One Simple, cost effective Compliance Tracking Solution that satisfies HIPAA, HITECH Risk Assessment, & Omnibus Compliance
• Guaranteed HIPAA Audit Protection
• Gap Identification & Remediation Plans
• Built in Training, Policies & Procedures
• Business Associate Agreements Included
• HIPAA Hotline Support
• Experienced HIPAA Coach Implementation