Security and Privacy Practices for Electronic Health Records
Joseph W. Hales, PhD, FACMI
Intermountain Healthcare
Salt Lake City, UT
Intermountain Healthcare
• Formed 1975
• Not-for-profit
• Integrated system
• 20 Hospitals
• > 100 clinics
• 6M patient encounters/yr (2007)
• $3.6B revenue (2007)
• Clinical Programs
Information Systems
• Internally-developed systems
• Enterprise-wide, longitudinal record
• Nationally recognized leader
• Clinical decision-support
– Chronic disease management
– Hospital-acquired infection detection
– Adverse drug event detection
– Resistant strain infection monitoring
Outcomes at Intermountain
Dartmouth Atlas of Healthcare
“The Mayo Clinic and Intermountain Healthcare have reputations for excellence and are noted for their leading research efforts in rationalizing the clinical pathways for managing chronic illness. Because they provide higher quality care at lower cost, the utilization rates in Salt Lake City, Rochester, Minnesota, and Portland, Oregon are useful benchmarks for estimating the potential savings from a successful national effort to improve efficiency in managing chronic illness…
The Salt Lake City benchmark results in the greatest estimated reduction in acute care hospital spending. If, over the four years of our study, hospital utilization rates had been at the level of Salt Lake City, Medicare spending for inpatient care would have been reduced by 32.4%, with physician visit savings of 34%.”
Outcomes at Intermountain
Dennis A. Cortese, MD
President and CEO, Mayo Clinic
“If I were ever diagnosed with diabetes, I would want to be treated by Intermountain Healthcare in Salt Lake City. They have the best outcomes in the country – and the lowest costs.”
KARE-NBC, Channel 11 (Minneapolis)
“Utah Gets it Right,” February 8, 2008
Intermountain Information Systems
• Intermountain Healthcare is able to deliver
– Consistent, high quality medical care
– At the lowest possible cost
• …in part because of enterprise-wide information systems that permit users to
– Share data across time and space between providers
– Analyze data across populations to eliminate inappropriate variation
Technical Safeguards
• Harmonization of HIPAA, SOX, PCI, GLB
• Physical network security
• Encryption
– Mobile devices
– Backup media
• User security
– Single master directory
– Provisioned according to role using templates
– Log user activity
Proactive Auditing and Monitoring
• Scan 16+ million access events per month
• Triggers for further investigation
– Employees looking at records of family members
– Employees looking at records of co-workers
• Review ALL access to records of high profile patients (VIPs, individuals in the news, etc.)
– 2008 – 47 patients audited, 0 inappropriate accesses
– 2007 – 50 patients audited, 4 inappropriate accesses
Demonstrated reduction in inappropriate access violations over last 5 years through consistently auditing access and disciplining employees
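The triggers above, expressed as detection logic over access events. This is an added example, not Intermountain's code; the record layout, the HR lookup tables, the same-department definition of co-worker, and all IDs are assumptions constructed for illustration.

```python
from collections import namedtuple

Access = namedtuple("Access", "user patient when")

# All data below is constructed for illustration (hypothetical IDs).
DEPARTMENT = {"emp01": "cardiology", "emp02": "cardiology", "emp03": "billing"}
FAMILY_OF = {"emp01": {"pat900"}}      # assumed source: HR dependents list
PATIENT_ID_OF = {"emp02": "pat200"}    # employees who are also patients
VIP_PATIENTS = {"pat777"}              # high-profile watch list

# Reverse index: which employee (if any) is this patient?
EMPLOYEE_BY_PATIENT = {pid: emp for emp, pid in PATIENT_ID_OF.items()}

def triggers(event):
    """Return the audit triggers one access event raises (empty list = none).

    A trigger marks the event for human review; it is not a finding of
    inappropriate access, since treating a colleague can be legitimate.
    """
    reasons = []
    if event.patient in VIP_PATIENTS:
        reasons.append("vip")          # every VIP access is reviewed
    if event.patient in FAMILY_OF.get(event.user, set()):
        reasons.append("family")
    colleague = EMPLOYEE_BY_PATIENT.get(event.patient)
    dept = DEPARTMENT.get(event.user)
    # Assumption: "co-worker" means a different employee in the same department.
    if (colleague and colleague != event.user
            and dept is not None and DEPARTMENT.get(colleague) == dept):
        reasons.append("coworker")
    return reasons

def scan(events):
    """Return (event, reasons) pairs that need further investigation."""
    flagged = []
    for event in events:
        reasons = triggers(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged

EVENTS = [  # constructed access log
    Access("emp01", "pat100", "2008-03-01T09:14"),  # routine, no trigger
    Access("emp01", "pat900", "2008-03-01T09:20"),  # family member
    Access("emp01", "pat200", "2008-03-01T10:02"),  # co-worker, same department
    Access("emp03", "pat200", "2008-03-01T11:30"),  # other department, no trigger
    Access("emp03", "pat777", "2008-03-02T08:00"),  # VIP
]

if __name__ == "__main__":
    for event, reasons in scan(EVENTS):
        print(event.when, event.user, event.patient, ",".join(reasons))
```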
Policy and Education
• Policies and procedures on intranet
• Ongoing employee education
– New employee orientation
– Annual mandatory compliance training
– Job-specific privacy training
– Employee newsletter articles
• Annual risk assessment of privacy and security concerns
Holding Employees Accountable
• Matrix of recommended sanctions
– Unintentional, intentional or malicious
– Access or Disclosure
– Number of records involved
– First offense or repeat offense
• Employees have been terminated for privacy/security violations (incl. MDs)
• Ensures consistent application of sanctions for similar actions
Summary
• We use information systems in order to achieve consistent, high quality outcomes at lower cost for every patient
• We protect patient privacy through
– “Best practices” in technical security
– Establishing a culture of individual accountability
HIT Legislation
• Intermountain supports legislation that encourages adoption of HIT
• Intermountain is concerned about unrealistic expectations about HIT capacity
– We currently do not have the capacity to fully comply with the proposed accounting for disclosures requirement contained in the Ways & Means and Energy & Commerce HIT bills