Who Is Looking At Your Electronic Health Record?

Transcription

Who is looking at your electronic health record?
A practical guide to building an audit plan.
April 22, 2013
Sandy Gilmore
Audit Plan April 2013

Who is looking at your EHR: Objectives
- Understand the importance of a complete inventory of systems and system users
- Complete a risk assessment based on systems and system users
- Develop / write an audit plan based on risks and organization resources

Legacy Health
Portland – Vancouver
- 6 medical centers: 2 urban, 3 suburban, 1 children's hospital
- Regional burn center
- Trauma center
- Inpatient rehabilitation facility
- 2 inpatient behavioral health facilities

Legacy Health (continued)
- Legacy Medical Group: 25 primary care clinics, 14 specialty care clinics
- Hospice: inpatient facility, home hospice care
- Hospital outpatient clinics
- 9000 employees
- 1578 licensed beds

Legacy Health
Implemented electronic health record – Epic, November 2011
- Inpatient
- Outpatient – ambulatory
- Legacy Epic Ancillary Provider (LEAP)
- Epic LINK
- Epic Care Everywhere

Before Epic
- Access audits were for cause: patient complaint, manager concerns
- Quarterly VIP or in-the-news access audit
- Approximately 75 audits per year
- Limited audit ability with electronic systems
- Audits analyzed by small HIPAA compliance office (1.5 FTE)

Inventory of electronic systems with PHI
Inventory, or review the inventory of, all systems that contain Protected Health Information (PHI).
- Type of PHI kept on the system
- Frequency of access log timing
- Maintenance of access logs
- Users of systems

Inventory of electronic systems with PHI (continued)
- Cerner Millennium – lab system
- PACS – imaging system
- AS400 – retired with Epic
- MedManager – retired with Epic
- Muse – ECG tracings
- Chart Plus – Echart – retired with Epic
- CPACS – cardiac images
- Etc, etc, etc

Inventory of users of EHR
- Legacy employees (including physicians)
- Medical Staff – 5 different medical staffs
- Legacy contractors
- Legacy vendors
- Medical staff office personnel
- Community physicians and staff
- Students
- LEAP customers

Inventory of users of EHR (continued)
- Outside auditors
- Outside utilization review
- Outside billing offices
- Epic Care LINK users
- Epic Care Everywhere users
- Ambulance providers
- DME providers
- Future user groups?

Risk assessment of electronic systems
- Type of PHI
- Number of users
- User groups with access
- Control of access
- Generates access logs
- Reports on access

Risk assessment of electronic systems (continued)
Epic (all modules) – highest risk
- Large number of users (18,000)
- Large number of outside users
- Contains protected health information
- Both financial and clinical information

Risk assessment of users of electronic systems
- Number of users
- User groups with access
- Control of access
- Detail information about user
- HIPAA training
- Privacy culture
- Sanctions for inappropriate access

Risk assessment of users of electronic systems (continued)
Legacy employees, students, contractors
- Largest number
- Confidential patients
- Confidential departments
Medical staff office personnel
- Detail information about user
- HIPAA training
- Privacy culture
- Sanctions for inappropriate access

Determine what to audit
- Access to Epic (all modules)
- Access by Legacy employees (workforce)
- LEAP users
- LINK users
- Access by medical office personnel

Inventory of Epic access reports
- Same last name / same guarantor
- Same employer
- Same address
- Break the Glass – confidential departments / patients
- Largest number of records accessed
- First access – LINK
- Access queries – Care Everywhere
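The relationship screens listed above (same last name / same guarantor, same address, largest number of records accessed) are simple joins between an access-log export and the workforce and patient directories. The following is an added example of that logic, not Legacy Health's or Epic's own reports: every record, the field names (user_id, patient_id, guarantor_id, address) and the log layout are constructed assumptions about what such an export would carry.

```python
"""Proactive EHR access-audit screens over a constructed access-log export.

Added example: not Legacy Health's or Epic's reports. The directories, the
log rows and the field names are all constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed workforce directory: user id -> attributes used by the screens.
WORKFORCE = {
    "u100": {"last_name": "Nguyen", "address": "12 Elm St", "guarantor_id": "g1"},
    "u200": {"last_name": "Patel",  "address": "9 Oak Ave", "guarantor_id": "g2"},
    "u300": {"last_name": "Smith",  "address": "4 Pine Rd", "guarantor_id": "g3"},
}

# Constructed patient directory: patient id -> attributes used by the screens.
PATIENTS = {
    "p1": {"last_name": "Nguyen", "address": "12 Elm St",  "guarantor_id": "g1"},  # family of u100
    "p2": {"last_name": "Jones",  "address": "9 Oak Ave",  "guarantor_id": "g9"},  # same address as u200
    "p3": {"last_name": "Smith",  "address": "77 Lake Dr", "guarantor_id": "g3"},  # same guarantor as u300
    "p4": {"last_name": "Lee",    "address": "1 Bay St",   "guarantor_id": "g4"},
    "p5": {"last_name": "Brown",  "address": "2 Bay St",   "guarantor_id": "g5"},
    "p6": {"last_name": "Green",  "address": "3 Bay St",   "guarantor_id": "g6"},
}

# Constructed access-log export: (timestamp, user_id, patient_id, action).
ACCESS_LOG = [
    ("2013-04-01T08:02", "u100", "p1", "chart_view"),
    ("2013-04-01T08:10", "u100", "p4", "chart_view"),
    ("2013-04-01T09:15", "u200", "p2", "chart_view"),
    ("2013-04-01T09:20", "u200", "p4", "chart_view"),
    ("2013-04-01T09:25", "u200", "p5", "chart_view"),
    ("2013-04-01T09:30", "u200", "p6", "chart_view"),
    ("2013-04-02T10:00", "u300", "p3", "chart_view"),
    ("2013-04-02T10:05", "u300", "p3", "results_view"),
]


def relationship_flags(user_id, patient_id):
    """Names of the relationship screens a single user/patient pair trips."""
    u, p = WORKFORCE[user_id], PATIENTS[patient_id]
    flags = []
    if u["last_name"].lower() == p["last_name"].lower():
        flags.append("same_last_name")
    if u["guarantor_id"] == p["guarantor_id"]:
        flags.append("same_guarantor")
    if u["address"].lower() == p["address"].lower():
        flags.append("same_address")
    return flags


def screen_access_log(log):
    """Map each flagged (user_id, patient_id) pair to its flags.

    Repeated accesses of the same chart collapse to one row, so the reviewer
    sees relationships rather than raw event volume.
    """
    hits = {}
    for _ts, user_id, patient_id, _action in log:
        flags = relationship_flags(user_id, patient_id)
        if flags:
            hits[(user_id, patient_id)] = flags
    return hits


def top_users_by_distinct_patients(log, n=2):
    """'Largest number of records accessed': rank users by distinct patients touched."""
    seen = defaultdict(set)
    for _ts, user_id, patient_id, _action in log:
        seen[user_id].add(patient_id)
    counts = Counter({user: len(patients) for user, patients in seen.items()})
    return counts.most_common(n)


if __name__ == "__main__":
    for pair, flags in screen_access_log(ACCESS_LOG).items():
        print(pair, ", ".join(flags))
    print("top users:", top_users_by_distinct_patients(ACCESS_LOG))
```

A hit on these screens is a lead for the in-depth record review the plan describes, not a finding by itself: the u300/p3 row above could be a clinician legitimately treating a relative, which is exactly what the follow-up step has to establish before any sanction.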

Run reports / analyze
- Run available reports
- Work to produce reports
- Work to analyze reports
- Quality of data from reports
- Follow up needed on results
- Enough data to sanction user?
- Determine which reports to run regularly

Determine response to inappropriate access
- Legacy has HR response plan in place
  - Based on history of For Cause audits
  - Follow same process for ProActive audits
- Non-employees
  - Needed to develop and communicate
- Physicians on medical staff
  - Based on history of For Cause audits
  - Pursue more stringent sanctions with Medical Staff process

Choose ProActive reports
- Quality of data
- Actionable
- Analysis of available reports
- Time and resources available
- Bang for the buck

Choose ProActive reports (continued)
Legacy chose 3 ProActive reports for first year audit plan.
- Break the Glass reports
- Same last name / same guarantor
- Clinic access report, utilizing a for cause audit report

What is Break the Glass
Epic solution to provide extra privacy for certain patients or records. Extra level of protection for:
- Confidential encounters
- Confidential departments
- Confidential patients
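The value of Break the Glass for an audit plan is that every override is an explicit, attributable event rather than an ordinary chart view. The following added example models that behaviour; it is not Epic's implementation. The three protection levels are taken from the slide, while the class names, the department list, the "reason" field and all records and events are constructed assumptions.

```python
"""Break-the-Glass access gate plus the per-user report a monthly review would read.

Added example, not Epic's code. Patients, encounters, departments and user ids
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed list of departments whose encounters always require an override.
CONFIDENTIAL_DEPARTMENTS = {"behavioral_health", "employee_health"}


@dataclass
class Patient:
    patient_id: str
    confidential: bool = False          # patient-level protection


@dataclass
class Encounter:
    encounter_id: str
    patient_id: str
    department: str
    confidential: bool = False          # encounter-level protection


@dataclass
class BtgEvent:
    user_id: str
    patient_id: str
    encounter_id: str
    reason: str
    trigger: str                        # which protection forced the override


class BreakTheGlassRequired(Exception):
    """Raised when a protected record is opened without an override reason."""


def protection_trigger(patient, encounter):
    """Return why the record is protected, or None if it opens normally."""
    if patient.confidential:
        return "confidential_patient"
    if encounter.confidential:
        return "confidential_encounter"
    if encounter.department in CONFIDENTIAL_DEPARTMENTS:
        return "confidential_department"
    return None


class ChartAccess:
    def __init__(self):
        self.btg_events = []            # the audit trail the report is built from

    def open_encounter(self, user_id, patient, encounter, reason=None):
        trigger = protection_trigger(patient, encounter)
        if trigger is None:
            return encounter            # unprotected: no override, no BTG event
        if not reason or not reason.strip():
            raise BreakTheGlassRequired(
                f"{trigger}: a reason is required to open {encounter.encounter_id}")
        self.btg_events.append(BtgEvent(user_id, patient.patient_id,
                                        encounter.encounter_id, reason.strip(), trigger))
        return encounter


def break_the_glass_report(events):
    """Per-user summary: override count, distinct patients, protection types."""
    summary = defaultdict(lambda: {"overrides": 0, "patients": set(), "triggers": set()})
    for e in events:
        s = summary[e.user_id]
        s["overrides"] += 1
        s["patients"].add(e.patient_id)
        s["triggers"].add(e.trigger)
    return {u: {"overrides": s["overrides"],
                "patients": sorted(s["patients"]),
                "triggers": sorted(s["triggers"])} for u, s in summary.items()}


def demo():
    """Walk through an open chart, a refused override, and two logged overrides."""
    access = ChartAccess()
    p_open, p_vip = Patient("p10"), Patient("p11", confidential=True)
    enc_open = Encounter("e1", "p10", "cardiology")
    enc_bh = Encounter("e2", "p10", "behavioral_health")
    enc_vip = Encounter("e3", "p11", "cardiology")
    access.open_encounter("u7", p_open, enc_open)               # no override needed
    try:
        access.open_encounter("u7", p_open, enc_bh)             # refused: no reason
    except BreakTheGlassRequired:
        pass
    access.open_encounter("u7", p_open, enc_bh, reason="treating clinician, ED consult")
    access.open_encounter("u8", p_vip, enc_vip, reason="billing inquiry")
    return access


def demo_report():
    return break_the_glass_report(demo().btg_events)


if __name__ == "__main__":
    for user, row in demo_report().items():
        print(user, row)
```

The report is what a reviewer scans first; the free-text reason on each event is what the in-depth review of individual records reads, so the gate should refuse blank reasons rather than accept them as a formality.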


Break the glass report

Communication plan for internal users
- New employee orientation
- Annual HIPAA training
- Specialized training for departments
- Training combined with Epic training
- Specialized communication to employed physicians

Communication plan for external users
- Specialized training for LEAP users
- Specialized communication plan for medical staff physicians and office personnel (in process)
- As part of the access authorization process for any outside Epic user
- Updated Business Associates Agreement

Assess resources to complete audits
- Generate access log reports
- Analyze access reports
- Communicate with HR / clinic managers
- Follow up on sanctions
- Refer reports of inappropriate access to Breach Investigation process
- Manage data, save, report

Write audit plan
- What reports
- How often
- Who will run
- Who will analyze
- Follow up actions
- Annual reporting to what committees
- Who approves the audit plan

Legacy Audit Plan
- Started in April 2012 (still in approval process)
- Monthly ProActive audit, rotating 3 audits
- Analysis of 2 weeks of data
- Scan results
- In-depth review of 10 records
- Reports to HIPAA Steering Committee
- Quarterly reports to Compliance Committee
- Annual report to Audit Committee

Questions?

Sandy Gilmore
503.413.3870
SGilmore@LHS.org
