TRANSCRIPT
Advancing Privacy Through Quality Improvement: Three Essentials
Wednesday, March 2
Elizabeth Delahoussaye, RHIA, CHPS,
IOD - HealthPort
Kelly McLendon, RHIA, CHPS,
CompliancePro Solutions, LLC
Conflict of Interest
Kelly McLendon, RHIA, CHPS and Elizabeth Delahoussaye, RHIA, CHPS
have no real or apparent conflicts of interest to report.
Agenda
• Learning Objectives
• IT Value Steps - Introduction
• Objectives
• Project Plan and Implementation of a Data Driven Compliance Program
• Privacy and Security Functions That Have Been Automated
• Using Data for Privacy and Security Compliance Program Quality Improvement
• Benefits in IT Value Steps
• Conclusion
Learning Objectives
• Recognize the three pillars of advancing privacy compliance in healthcare: internal assessments, data analytics, and operationalizing towards a privacy mindset
• Define 11 steps for internal privacy assessments including checklists for providers and business associates
• Describe the 11 most important privacy data elements to track and analyze across your organization for reporting, identifying trends, and applying CQI principles to your privacy program
• Assess new ways to operationalize privacy programs and integrate data-driven privacy assessments within an overall CQI program
IT Value Steps
• S = Satisfaction: Strong, data-driven information privacy and security compliance programs result in improved consumer trust and patient satisfaction
• T = Treatment/Clinical: Privacy and security compliance supports an organization’s reputation and improves patient safety and clinical outcomes
• E = Electronic Information/Data: Management of compliance case data within secure applications is not easy but results in far fewer hacks and breaches
• P = Patient Engagement/Population Management: Patient engagement has a foundation in trust, which is engendered by privacy and security practices
• S = Savings: Savings from strong and automated privacy and security compliance come from many areas
http://www.himss.org/ValueSuite
OBJECTIVES
Objective and Justification of Need
• Public Awareness and focus on healthcare privacy and security
• Create data driven systems and management structures that increase accountability and drive improvement
• Quality-based improvements through measuring, understanding, and managing variation must be applied to privacy and security compliance
Three Essential Ingredients
1. A Defined Program for Internal Privacy Assessment
• Produces Useable Data & Metrics
• Success Measures
• Is consistent and can be replicated
• Is actually used in operations to improve them and reduce liabilities, close holes identified
Three Essential Ingredients
2. Data Analysis
• Consistency
– Fairness to Associate
– Fairness to Situation
– Reliability Testing
• Reporting – Analytical Approach
– Decision Making
– Improvements
– Business Intelligence
Three Essential Ingredients
3. Information/Data Governance Managing Operationalization
• Policies and Procedures/structure/rules of engagement
• Authority and Control
• Decision Rights and Accountabilities
• Management of the feedback of analysis results into operations
• Sanctions and other means of mitigation and remediation
PROJECT PLAN AND IMPLEMENTATION OF A DATA DRIVEN COMPLIANCE PROGRAM
Do You Have a Plan?
What’s Your Strategy?
• “A goal without a plan is just a wish.”
– Antoine de Saint-Exupéry
• “Vision without execution is hallucination.”
– Thomas Edison
• “If you wish to understand something, try changing it.”
– Kurt Lewin
Elements of Strategic Planning
[Figure: Elements of Strategic Planning. Mission & Values feed four phases: Phase I, Environmental Assessment (external, internal, risks); Phase II, Vision (driving force, areas of excellence, strategy); Phase III, Strategic Profile (scenario building, competitive analysis, critical issues, innovation); Phase IV, Implementation (final strategic profile, strategic goals, strategic objectives, measurement). Supporting skills: strategic thinking, strategic management, leading change, operational planning, customer focus, innovation, communication.]
11 Steps for Internal Privacy Assessments
1. Create a privacy assessment program that meets OCR and more generalized privacy compliance requirements
– Identify the scope of the assessments (e.g., for a hospital, how much of the ambulatory setting is included?)
2. Identify stakeholders, governance, committee members, staff
3. Identify data and computer application resources available for assessments
4. Create or procure assessment tools for both HIPAA privacy and security
– Web based or Excel based?
– Be sure to meet all of the HIPAA privacy rule requirements by having a detailed checklist of all areas covered by the privacy rule
5. Determine an internal audit and monitoring program for privacy (which is related to, but not the same as, security monitoring)
– e.g. audit log monitoring
6. Link the privacy monitoring program with security monitoring, with technology and/or manual processes
7. Develop incident response and investigation processes that provide data to drive assessments of ‘hot spots’
8. Create a program for walk downs and real time checks on privacy compliance throughout the enterprise
9. Develop multiple avenues for assessing employee knowledge about privacy compliance through education, e.g. quizzes
10. Create and operationalize checklists for vendors / business associates
11. Develop the processes for using the data derived from the assessment program with CQI to improve operations
Data Dictionaries Can Help…
Field | Field Type | Field Answer Options | Extras
Site Information
Today's Date | Autopopulate | Calendar |
Health System Name | Account names: drop-down list | | Role-based access by region
Facility Name | Account names: drop-down list | | Role-based access by region
Site Number | Autopopulate based on facility selection | 5 numbers |
Facility Street Address | Autopopulate based on facility selection | Unlimited characters |
City | Autopopulate based on facility selection | Unlimited characters |
State | Autopopulate based on facility selection | 2 characters |
Zip Code | Autopopulate based on facility selection | 5 numbers |
Facility Contact's Name | Manual | 50 characters |
Facility Contact's Email | Manual | 50 characters |
Summary of Disclosure
Invoice Number | Manual | 10 numbers |
Requestor Type (EXPAND) | Drop-down list | Attorney, Disability, Continuing Care, Other | If "Other" is selected, open a free text field
Who Requested Information? | Manual | 100 characters |
Who Received Information? | Manual | 100 characters |
Date Request Received | Manual | Calendar |
Date Request Processed | Manual | Calendar |
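A data dictionary only pays off if the application enforces it. The following validator is an added example (not code from the presenters or from any product they mention) that checks a disclosure-log record against the rules in the table above: autopopulated site fields must agree with the selected facility, fixed-width fields must have the stated length, and the "Other" requestor type must open (and require) the free-text field. The facility lookup, field names and sample records are constructed for the example.

```python
"""Validate disclosure-log records against the data dictionary above (added example)."""
import re
from datetime import date

# Drop-down values from the dictionary's Requestor Type row.
REQUESTOR_TYPES = {"Attorney", "Disability", "Continuing Care", "Other"}

# Constructed lookup standing in for the facility drop-down; site number,
# state and zip code autopopulate from the selected facility.
FACILITIES = {
    "Hospital - East": {"site_number": "00101", "state": "CO", "zip_code": "80537"},
    "Hospital - South": {"site_number": "00102", "state": "CO", "zip_code": "80538"},
}

# Maximum lengths for the manual free-text fields.
TEXT_LIMITS = {"contact_name": 50, "contact_email": 50,
               "requested_by": 100, "received_by": 100}


def validate_disclosure(rec: dict) -> list:
    """Return a list of problems; an empty list means the record conforms."""
    errors = []
    fac = FACILITIES.get(rec.get("facility_name"))
    if fac is None:
        errors.append("facility_name: not in drop-down list")
    else:
        # Autopopulated fields must match the facility they derive from;
        # a mismatch means someone edited a field the form should own.
        for key in ("site_number", "state", "zip_code"):
            if rec.get(key) != fac[key]:
                errors.append(f"{key}: does not match autopopulated value {fac[key]!r}")
    if not re.fullmatch(r"\d{5}", rec.get("site_number", "")):
        errors.append("site_number: must be 5 numbers")
    if not re.fullmatch(r"[A-Z]{2}", rec.get("state", "")):
        errors.append("state: must be 2 characters")
    if not re.fullmatch(r"\d{5}", rec.get("zip_code", "")):
        errors.append("zip_code: must be 5 numbers")
    for key, limit in TEXT_LIMITS.items():
        if len(rec.get(key, "")) > limit:
            errors.append(f"{key}: exceeds {limit} characters")
    if not re.fullmatch(r"\d{1,10}", rec.get("invoice_number", "")):
        errors.append("invoice_number: must be up to 10 numbers")
    rtype = rec.get("requestor_type")
    other_text = rec.get("requestor_type_other", "").strip()
    if rtype not in REQUESTOR_TYPES:
        errors.append("requestor_type: not in drop-down list")
    elif rtype == "Other" and not other_text:
        errors.append("requestor_type_other: required when requestor_type is Other")
    elif rtype != "Other" and other_text:
        errors.append("requestor_type_other: only allowed when requestor_type is Other")
    try:
        received = date.fromisoformat(rec.get("date_received", ""))
        processed = date.fromisoformat(rec.get("date_processed", ""))
        if processed < received:
            errors.append("date_processed: earlier than date_received")
    except ValueError:
        errors.append("date_received/date_processed: must be calendar dates (YYYY-MM-DD)")
    return errors


# Constructed sample records: one conforming, one with several defects.
GOOD_RECORD = {
    "facility_name": "Hospital - East", "site_number": "00101",
    "state": "CO", "zip_code": "80537",
    "contact_name": "J. Doe", "contact_email": "jdoe@example.org",
    "invoice_number": "4471", "requestor_type": "Attorney", "requestor_type_other": "",
    "requested_by": "Example Law Office", "received_by": "Example Law Office",
    "date_received": "2013-09-10", "date_processed": "2013-09-27",
}
BAD_RECORD = dict(GOOD_RECORD, site_number="1010", requestor_type="Other",
                  date_processed="2013-09-01")

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, validate_disclosure(rec))
```

The checks are deliberately ordered so that a single bad field produces one clear message per rule it breaks; the sample bad record trips the autopopulation mismatch, the 5-digit rule, the missing "Other" text and the date-order rule.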
Implementation
• Develop a rollout plan
• Test
• Train
• Test
• Train
• Disseminate
• Measure
PRIVACY AND SECURITY COMPLIANCE FUNCTIONS THAT HAVE BEEN AUTOMATED
Privacy and Security Compliance Automation on the rise
• Automation of privacy and security compliance is relatively new, especially privacy
• Privacy automation ramped up with HITECH and meaningful enforcement
• Security compliance in general continues to evolve with more encompassing monitoring and logging
• A result of increasing amounts of compliance automation is increased data to assist in managing and strengthening operations
Privacy and Security Compliance Functions That Have Been Automated
Areas of functionality, products and lines of service that have been automated by at least some companies to date
• Privacy incident (including federal and state breach) management and investigation
• Security incident management and investigation
• Audit log monitoring
• SIEM (Security Information and Event Management)
• Other types of security monitors
• ‘Patient’s Rights’ workflows (Amendment, Restrictions, AOD)
• More generalized tracking of issues for privacy, security or related compliance
Privacy and Security Compliance Functions That Have Been Automated
• Security Risk Analysis (including MU)
• Privacy Risk Analysis (compliance program GAP type assessment)
• Security and Privacy policies and forms (limited automation, but some macro based MS-Word type tools are in the marketplace)
• Business Associate Agreement management
• Breach notification
• HIPAA Training
• Privacy and Security Courses for Academic programs
Required Quality Controls for Compliance Automation
• Compliance automation functional ideas and designs may be vendor or customer originated, but must be agreed to by both parties
• Vetting of enhancements with live users before, during and after development
• Use of formal system development methodology that includes multiple quality checks
• Test, test, test application
• Support and feedback after rollout
• Active, robust audit logs
• Reporting and graphing across all captured data elements
• Multiple points within the system for users to monitor the usage and application of program functions
• Integration with physical compliance program to cross check quality on a constant, on-going basis
USING DATA FOR PRIVACY AND SECURITY COMPLIANCE QUALITY IMPROVEMENT
Describe the 11 most important privacy data elements to track
In order to analyze data across the organization for reporting, identifying trends, and applying CQI principles to the privacy program:
1. Who was responsible for the incident – was this a ‘frequent flyer’?
2. Whose PHI was involved (which patient)?
3. What type of incident – break down into OCR specified types
4. Where did the incident occur – is there a pattern or repeated issues?
5. When – discovery and occurrence dates
6. Was the incident a Policy Violation / HIPAA Violation / HIPAA Breach / State Breach?
7. If a breach, what notification was undertaken, and when?
8. Was there a BA (Business Associate) involved? Repeat offender?
9. Type of PHI involved – break down into OCR specified types
10. Type of corrective actions undertaken for mitigation and remediation
11. What sanctions, if any, were levied?
Building Privacy and Security Programs Fostering Quality Improvement
• Perform compliance risk assessments of new and existing systems and programs to determine what is working well, and what areas have room for improvement
• Change forms, systems, and procedures to comply with privacy requirements
• Consider automating the privacy program through a software or alternative program that is the most closely tailored to suit the specific needs of your privacy program
• Develop a team and assign responsibility for privacy actions (software, documents, investigations, etc.)
• Provide feedback on quality measures to staff to foster continuous improvement efforts and increase visibility by partnering with marketing and other departments
• Train and retrain
The Significance of Centralizing Privacy and Security Reporting
• Reporting for Governance is one of the most compelling reasons for automation
• Manual processes including spreadsheets, notes, or a basic homegrown database are inefficient, and time intensive to compile and present
• Privacy and Security Officers find it difficult to justify their staff time without clear, comprehensive reporting
• Privacy Incidents can have 60+ data elements stored and reported upon
• Ideal software will have the capability of producing canned reports and .xls or .xml downloads for producing ad hoc reports making pivot tables, charts, and graphs all easily created
Using Data for Quality Improvement
• Categorizing Privacy Incidents
– Corporate policy violations
– HIPAA violations
– HIPAA breaches
– State breaches
• Turn-Around Times for Matters Regulated Under HIPAA
– Investigations for breach
– Investigations for other issues
– Amendment requests
– Restriction requests
Other Data Use Considerations
• What are we doing with the data?
• Are there trends revealed by the data?
– If there is, then what are we doing with the data?
– How are we partnering with that Covered Entity, ancillary departments and/or Business Associates to determine what education we can offer?
• Compliance needs to step away from being viewed as the internal ‘compliance police’, towards becoming partners with all Covered Entity and Business Associate workforce members.
• How should Information Governance be involved?
Examples of Operational Reports Related to Quality Improvement
• Which CEs or BAs have the most incidents, their timeframes for resolution
• Causes of incidents
• Methods of reporting, sources of incidents
• Frequent flyers, who are repeat violators
• Watching case workflows with real time monitoring
• Speed with which detected potential breaches (incidents) are investigated and addressed
Data Elements Graphed and Trended
Full system data can be downloaded into XLS or XML for further analysis and graphing.
Columns: ID | Disclosure Name | Discovery Date | Covered Entity | Status | Assessment | Short Assessment | Category | Assigned To | Business Associate | Occurrence Date Begin | Occurrence Date End | Location of Occurrence | Disclosure Types | Patient Name | Patient EMPI
Sample rows as shown on the slide (test data; cells listed in slide order, empty cells omitted):
ID 122 | RESP TEST 2 | 09/28/2013 | Loveland GV | Active | Privacy Violation / Potential Breach | Priv / PB | Incident Type A, Incident Type B, HIPAA Privacy, Misdirected Fax | Paul Albrecht | 11/28/2012 | Improper Disposal
ID 161 | Unnamed Wrongful Disclosure | 8/26/2013 | Loveland GV | Active | N/A, Incident Type A, HIPAA Privacy | Adam Albrecht | 09/10/2013 | 09/27/2013 | asdf | Last, First, MI
ID 163 | Unnamed Wrongful Disclosure | 7/14/2013 | Southern Again | New | hello, HIPAA Privacy | 09/23/2013 | asdf | Albrecht, Paul F
ID 156 | test new breach analysis | 7/4/2013 | Southern Again | Active | Breach | Breach | Paul Albrecht | 09/25/2013
Let’s view a full set of data from a Privacy Incident Details page.
Privacy Incident Turn-Around Times
Month | Jan | Feb | Mar | Apr | May | June | July | Aug | Sept | Oct | Nov | Dec
Incidents | 8 | 10 | 17 | 5 | 13 | 20 | 9 | 10 | 8 | 22 | 14 | 8
Turnaround Time | 25 | 28 | 27 | 15 | 22 | 27 | 19 | 25 | 19 | 25 | 20 | 17
[Chart: Incidents and Turnaround Time plotted by month from the table above]
Privacy Incidents by Hospital
Covered Entity | No Violation | Privacy Violation | Breach | Total Incidents
Hospital - East | 5 | 7 | 5 | 17
Hospital - South | 1 | 3 | 6 | 10
Hospital - West | 3 | 1 | 4 | 8
Hospital - North | 6 | 2 | 0 | 8
Grand Total | 15 | 13 | 15 | 43*
*43 incidents exposing 124 records
[Chart: stacked bars of Breach, Privacy Violation and No Violation per hospital, from the table above]
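The operational reports listed earlier (incidents per covered entity, turn-around times by month, frequent flyers, repeat business associates, speed of breach handling) fall out of a few group-by operations once the 11 data elements are captured consistently. The script below is an added example, not the presenters' software or its export format; it computes those reports over a small set of constructed incident records with the same shape as the two tables above (assessment categories No Violation / Privacy Violation / Breach, discovery and closure dates, responsible party and business associate). The record layout, names, dates and the helper names are all assumptions made for the example; the 60-day notification window is the HIPAA Breach Notification Rule deadline counted from discovery.

```python
"""Trend reports over privacy-incident records (added example; constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    covered_entity: str                 # element 4: where it occurred
    responsible: str                    # element 1: who was responsible
    business_associate: Optional[str]   # element 8: BA involved, if any
    assessment: str                     # element 6: No Violation / Privacy Violation / Breach
    discovery: date                     # element 5: discovery date
    closed: date                        # investigation closed; drives turn-around time
    notification: Optional[date] = None # element 7: breach notification date, breaches only


def _d(s: str) -> date:
    return date.fromisoformat(s)


# Constructed sample records (not real incidents, patients or vendors).
INCIDENTS = [
    Incident("101", "Hospital - East",  "W. Brown", None,        "Privacy Violation", _d("2013-01-04"), _d("2013-01-30")),
    Incident("102", "Hospital - East",  "W. Brown", None,        "Breach",            _d("2013-01-15"), _d("2013-02-04"), _d("2013-02-20")),
    Incident("103", "Hospital - South", "K. Lee",   "Vendor A",  "Breach",            _d("2013-01-22"), _d("2013-02-19"), _d("2013-03-25")),
    Incident("104", "Hospital - West",  "M. Diaz",  None,        "No Violation",      _d("2013-02-03"), _d("2013-02-10")),
    Incident("105", "Hospital - East",  "W. Brown", None,        "Privacy Violation", _d("2013-02-11"), _d("2013-03-10")),
    Incident("106", "Hospital - North", "S. Patel", "Vendor A",  "Breach",            _d("2013-02-20"), _d("2013-03-18"), _d("2013-04-05")),
    Incident("107", "Hospital - South", "K. Lee",   None,        "No Violation",      _d("2013-03-01"), _d("2013-03-05")),
]


def incidents_by_entity(incidents):
    """Counts per covered entity and assessment, like the 'Privacy Incidents by Hospital' table."""
    table = defaultdict(Counter)
    for inc in incidents:
        table[inc.covered_entity][inc.assessment] += 1
        table[inc.covered_entity]["Total"] += 1
    return {ce: dict(counts) for ce, counts in table.items()}


def monthly_turnaround(incidents):
    """Incident count and mean days from discovery to closure, keyed by discovery month."""
    days_by_month = defaultdict(list)
    for inc in incidents:
        days_by_month[inc.discovery.strftime("%Y-%m")].append((inc.closed - inc.discovery).days)
    return {month: {"incidents": len(days),
                    "avg_turnaround_days": round(sum(days) / len(days), 1)}
            for month, days in sorted(days_by_month.items())}


def repeat_offenders(incidents, field, min_count=2):
    """'Frequent flyers' (field='responsible') or repeat BAs (field='business_associate')."""
    counts = Counter(getattr(inc, field) for inc in incidents if getattr(inc, field))
    return [(name, n) for name, n in counts.most_common() if n >= min_count]


def late_breach_notifications(incidents, max_days=60):
    """Breaches with no notification, or notification later than max_days after discovery."""
    late = []
    for inc in incidents:
        if inc.assessment != "Breach":
            continue
        if inc.notification is None or (inc.notification - inc.discovery).days > max_days:
            late.append(inc.incident_id)
    return late


if __name__ == "__main__":
    print(incidents_by_entity(INCIDENTS))
    print(monthly_turnaround(INCIDENTS))
    print(repeat_offenders(INCIDENTS, "responsible"))
    print(repeat_offenders(INCIDENTS, "business_associate"))
    print(late_breach_notifications(INCIDENTS))
```

Each function returns a plain dict or list so the same output can be fed to a spreadsheet pivot, a chart, or a governance report; in the constructed data the late-notification check flags the one breach whose notification fell outside the 60-day window, which is exactly the "speed with which detected potential breaches are addressed" measure the slide calls for.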
STEPS: BENEFITS OF DATA DRIVEN PRIVACY AND SECURITY COMPLIANCE
Well managed privacy and security practices reduce risks associated with bad PR associated with breaches and hacks
STEPS: Patient Satisfaction
Strong and data driven information privacy and security compliance programs result in improved consumer trust and patient satisfaction
STEPS: Treatment
Privacy and security compliance supports an organization’s reputation, improves patient safety and clinical outcomes
Reduction in duplicative services and delayed treatment as patients more confidently share their information
STEPS: Electronic Secure Data
Management of compliance case data within secure applications is not easy but results in far fewer hacks and breaches
Encryption of compliance data ensures no HIPAA or state breaches and lowers overall organizational risk
Reduction in duplicative services as patients more confidently share their information
STEPS: Patient Engagement
Patient engagement has a foundation in trust which is engendered by privacy and security practices
STEPS: Savings
Savings from strong and automated privacy and security compliance come from many areas
Although tough to measure, reduction of risk from fines and civil judgments is significant for well run, data driven compliance programs
Conclusion
• Healthcare privacy and security compliance is becoming more complex as electronic records engage and public perception of breaches and hacking rises
• State breaches and an increasing patchwork of state privacy and security compliance regulations have added another dimension of complexity
• Operationalizing data from automation as part of a CQI program aids in achieving and maintaining high levels of compliance
• Automation of privacy and security compliance is increasingly required for governance reporting and to obtain patient satisfaction
• Both tangible (measurable) and intangible (unmeasurable) benefits are being realized as automation and process re-engineering are developed for privacy, security and even other areas of regulatory compliance
Questions?