Strategic Approaches to HIPAA Access & Audit
HIPAA Summit West II
March 15, 2002
San Francisco, CA
Mariann Yeager
561.234.9876 tel
561.913.1588 cel
Copyright © 2001, 2002. Emerson Strategic Group, Inc. All Rights Reserved
Background
• HIPAA Expertise
• Industry Leader
• National speaker
• Technology & HIPAA
Agenda
• Role of technology
• Access & Audit
• Implementation considerations
• Practical, Vendor & Standards
• Case Study
• Discussion
Strategic Benefit
Technical
• Access
• Audit
Administrative
• Policies & Procedures
• Training
Efficiencies – automation, cost savings
Trust – consumers, partners
Privacy & Security Strategic Benefit
Intersection of Security & Privacy
Role of Technology
Access
• Minimum Necessary
• Access Controls – Need-to-know
Audit
• Accounting of Disclosures
• Audit Controls
WEDI SNIP Security & Privacy White Paper: http://snip.wedi.org
Implementation Decisions
Access
• Reinforce with technology
• Mitigate risk
Audit
• Usage, detail, storage
• Separate vs. centralized
Implementation Considerations
Practical
Infrastructure:
• Enterprise-wide
• Disparate systems
Data:
• Amount & type
• Link users to patient
Compliance:
• Ease of use
• Universal
Implementation Considerations Vendors
• Multiple approaches?
• Separate systems?
• Core competency?
• Ability to meet needs?
You are still accountable
Implementation Considerations
Standards
Infrastructure:
• Context Management - CCOW
• National Health Information Infrastructure
Others – Process & Policies:
• Accreditation programs
• Best practices
• ASTM
• NIST
Context Management
Industry Standard
Architecture
The Role of CCOW
Result: Streamlined use of applications
Uptake
Accepted standard
Healthcare-specific
CCOW Architecture
HIPAA Case Study
The Environment
Largest hospital in Maine:
• 606-bed tertiary care and teaching hospital
• 30,000 inpatient stays
• 140,000 outpatient visits
• 22,000 surgeries
• 3,200 users, 2,100 desktops, 660 systems
Major systems:
• Medical records – 100% electronic/imaged
• PACS and departmental
• CCOW Architecture
The Philosophy
Broad approach
Reasonable
Leverage technology
• Existing investments
• Keep it simple
• Seek synergies
• Support vision
The Vision
“… CPR is not a single system. It is several systems seamlessly integrated in the eyes of the user, so that it appears to be one system.”
– Jerry Edson, CIO
HIPAA Vision
• Process
• Systematic
• Enterprise-wide
• Leverage for greater good
The Approach
Centralized oversight
Gap analysis:
• IT Dept.
• Compliance office
HIPAA IT team:
• Lead Analyst
• Two Technical Analysts
• Compliance Analyst
The Need: Access & Audit
Strategy:
• Address access & audit
• Reasonable approach
Requirements:
• Enterprise-wide
• Meaningful data
• Flexible reporting
Drivers:
• Mitigate risk
• Focus on highest priority
Implementation Considerations
Vendor:
• Multiple approaches?
• Separate systems?
• Core competency?
• Ability to meet needs?
We are still accountable
Practical:
• Infrastructure
• Compliance
• Data
Standards-based
The Solution
• Vergence Privacy Auditor Sentillion:
  • Standards-based
  • Enterprise-wide
  • Vendor-neutral
• Supports vision of integrated desktop:
  • Single implementation
  • Centralized management
  • User-friendly / Vendor-friendly
• Flexible reports
Vergence Privacy Auditor
The Rationale
Fundamental HIPAA requirement
Mitigates high risk
Simplifies analysis, implementation
Minimizes development
Supports IT vision
The Results
• Cost-effective
• Reasonable approach
• Single, centralized solution
• Rapidly deployed
• Flexible
Strategic Approaches to HIPAA Access & Audit
Discussion
Mariann Yeager
561.913.1588 cel