healthcare compliance analytics in practice
TRANSCRIPT
1
Compliance Investigations Manager, UC Davis Health
Alessia Shahrokh, CHC
DISCLAIMER: The views and opinions expressed in this presentation are solely those of the author/presenter and do not necessarily represent any policy or position of HIMSS.
Co-Founder and CEO, Protenus
Nick Culbertson
Healthcare Compliance Analytics in PracticeSession 17, August 10, 2021
2#HIMSS21
Welcome
Co-Founder and CEO, Protenus
Nick CulbertsonCompliance Investigations Manager,
UC Davis Health
Alessia Shahrokh, CHC
#HIMSS21
Agenda
• UC Davis Health compliance program overview
• Patient privacy monitoring platform
• How the platform works for UC Davis Health, its workflows, and investigations
• Drug diversion surveillance platform
• How the platform works for UC Davis Health, its workflows, and investigations
• Healthcare Compliance Analytics
• Applying these learnings to your organization
3
#HIMSS21
Conflict of Interest
Alessia Shahrokh and Nick Culbertson
Have no real or apparent conflicts of interest to report.
4
#HIMSS21
Learning Objectives
• Review how UC Davis Health manages investigations for privacy
• Discover UC Davis Health's best practices for handling privacy and diversion investigations
• Relate UC Davis Health's case study examples for privacy investigations
5
6
UC Davis HealthCompliance & Privacy Services
#HIMSS21 7
Who We Are: UC Davis Health• One of six health systems within the
University of California• Includes a 625-bed hospital,
community and specialty clinics, research and health sciences
• Serves 33 counties covering a 65,000-square-mile area north to the Oregon border and east to Nevada
#HIMSS21
Who We Are: Compliance & Privacy Services• Compliance Program: OIG 1998 Hospital Guidance
• Required the development of effective internal controls to promote adherence to
applicable federal and state law, and the program requirements of federal, state
and private health plans
• Privacy Program: HIPAA & HITECH, State laws• Require effective controls to meet regulatory requirements and respond
• UC Davis Health Compliance & Privacy Services Components:• General Compliance (e.g., FWA, COI/COC, etc.)• Billing & Coding• Research• Privacy• Investigations
8
#HIMSS21
• Why Audit and Investigations within Compliance?• Compliance Program Requirements: Auditing & Monitoring
• “An effective tool to promote and ensure compliance is the performance of
regular, periodic compliance audits by internal or external auditors who have
expertise.”
• Compliance Program Requirements: Violations & Investigations• “Detected but uncorrected misconduct can seriously endanger the mission,
reputation, and legal status of the hospital.”
9
Who We Are: Compliance & Privacy Services
10
Compliance and Patient Privacy
#HIMSS21
The Challenge: Auditing at Scale
• 8.5 million records breached by
hospital insiders in 2020• The Solution: Healthcare Compliance
Analytics• AI & automation detect & investigate all
incidents, rather than manually reviewing
a small fraction of auditable events
• Faster time to case detection and
resolution
11
Insider incidents, 2016-20202021 Breach Barometer
#HIMSS21 12
Healthcare Compliance Analytics Platform
#HIMSS21
UC Davis Health: Privacy Cases
• Patient Privacy Monitoring• AI-based system implemented in April 2019• Supported by 1 Surveillance Analyst, 2 Investigators and 1 Manager• Analyst reviews on average 79 cases per month• An average of 18 cases per month require further review, 1 goes to full investigation• Current active categories: Co-worker, VIP, and Suspicious Activity
• What Commonly Triggers an Investigation?• No discernible work purpose• Unsupported workflow• High-risk access
13
#HIMSS21 14
Privacy Case
Workflow
#HIMSS21
Privacy Investigations: The Co-Worker ExampleSample Case: ICU Nurse Sally accessed Nurse James’ EHR on August 1, 2021, for 20 minutes. James is not a current ICU patient and was last seen by his PCP in October 2020.
• Expand review of access to the records of Nurse James and co-workers for 1
month look-back; continue expanded, incremental review until no
questionable access detected
• Discuss and review access/user workflow with Department
• Consider “social environment”
• Interview user
• Interview witnesses (where applicable)
• Issue findings & consider breach reporting (state and federal)
15
#HIMSS21
Privacy: The Value of Healthcare Compliance Analytics
• Increase in meaningful cases
• Increased insight into user roles and workflow
• Increased audit functionality
• Ability to direct cases to organizational interest and risks
• Ability to translate cases into education
16
17
Drug DiversionOversight
#HIMSS21
The Challenge: Drug Diversion Oversight
• 10-15% of all healthcare workers engage
in diversion & illicit drug use
• Diversion is difficult to identify• Existing methods require tedious audits/manual
intervention
• Reactive instead of proactive
• The solution: Healthcare Compliance
Analytics• Use of AI to proactively identify diverters
protects patients, workforce & institution
18
Average fine per incident, 2017-20202021 Drug Diversion Digest
#HIMSS21
Drug Diversion at UC Davis Health• Medication Diversion Oversight Committee (MDOC)
• Charge: “To prevent diversion of controlled substances by UC Davis Health staff by monitoring each step of the medication use process (ordering, receiving, prescribing, dispensing, and administration) and identifying variations from policy and expectations. The committee will ensure that all instances of variation are fully investigated and when diversion has occurred, that appropriate actions are taken with the staff member and that all reporting to state and federal agencies is completed in a timely manner.“
• Focus on staff training/education• Pharmacy responsibility: inventory controls, management of technology, routine
monitoring and auditing
19
#HIMSS21
• Handling cases as investigation versus audit has several advantages:• Compliance has an investigative process:
• Experience conducting and documenting interviews• Ability to tie together privacy piece which is often easier to “catch”• Ability to draft comprehensive reports (that hold up with regulatory reporting and
audit)• Handling employment matters (HR, Union, Resources)
• Compliance has oversight authority• Ability to render corrective action plan• Ability to dictate training (at individual and organizational level)• Ability to encourage organization change
20
Drug Diversion at UC Davis Health
#HIMSS21
Drug Diversion at UC Davis Health• Drug Diversion Surveillance
• AI-based system implemented in December 2019• Supported by 1 FT Pharmacy Analyst and Pharmacy Manager• Pharmacy reviews on average 10 cases per month• Compliance support for Investigations
• What Commonly Triggers an Investigation?• Unreconciled drugs• Unaccounted for waste or excessive wasting• Delayed administration or waste• User is an outlier for dispensing• Other staff reports of atypical behavior• Unexplained EHR access
21
#HIMSS21 22
Diversion Case
Workflow
#HIMSS21 23
Diversion Case
Workflow (continued)
#HIMSS21
Diversion Investigation: Case ExampleSample Case: ICU Nurse flagged for a cluster of incidents involving controlled substances – delayed administrations and wasting, unreconciled medications, wasting full amounts dispensed• Expand platform review to 90-day administration/dispensing
• Discuss and review access/user workflow with Department
• Review EHR access to consider:• Volume of patient records accessed (i.e., scrolling behavior)
• Typical workflow including: location of Pyxis access, printing of labels, time of
access (pre/post shift)
• Documentation patterns (e.g., pain scores)
• Review other access points• Cameras• Cardkey logs
24
#HIMSS21
Diversion Investigation: Case Example (continued)
Sample Case: ICU Nurse flagged for a cluster of incidents involving controlled substances – delayed administrations and wasting, unreconciled medications, wasting full amounts dispensed• Interview user
• Review job duties and workflows• Review dispensing/administration activity and documentation• Provide and discuss EHR activity logs
• Interview witnesses (where applicable)
• Issue findings & consider reporting (DEA, Board of Pharmacy, Police, the
User’s licensing board, Privacy laws?)
25
#HIMSS21
Diversion: The Value of Healthcare Compliance Analytics• AI-based system digests and analyzes large volume of data from different
sources
• Never usually about a single access or diversion – it’s all about patterns,
wherever you find them• Identify and recognize diversion indicators and techniques
• Printing labels• Searching patient Medication Administration Records (MARs)• Following high-dose patients• Accessing records outside shift
If you think compliance is expensive or hard – try non-compliance.
26
#HIMSS21 27
Questions
#HIMSS21
Thank you!
• Alessia Shahrokh, CHC, Compliance Investigations Manager, UC Davis Health, [email protected]
• Nick Culbertson, Co-Founder & CEO, Protenus, [email protected]
28