Advancing Privacy Through Quality Improvement: Three Essentials Wednesday, March 2 Elizabeth Delahoussaye, RHIA, CHPS, IOD - HealthPort Kelly McLendon, RHIA, CHPS, CompliancePro Solutions, LLC


Page 1

Advancing Privacy Through Quality Improvement: Three Essentials

Wednesday, March 2

Elizabeth Delahoussaye, RHIA, CHPS,

IOD - HealthPort

Kelly McLendon, RHIA, CHPS,

CompliancePro Solutions, LLC

Page 2

Conflict of Interest

Kelly McLendon, RHIA, CHPS and Elizabeth Delahoussaye, RHIA, CHPS

have no real or apparent conflicts of interest to report.

Page 3

Agenda

• Learning Objectives

• IT Value Steps - Introduction

• Objectives

• Project Plan and Implementation of a Data Driven Compliance Program

• Privacy and Security Functions That Have Been Automated

• Using Data for Privacy and Security Compliance Program Quality Improvement

• Benefits in IT Value Steps

• Conclusion

Page 4

Learning Objectives

• Recognize the three pillars of advancing privacy compliance in healthcare: internal assessments, data analytics, and operationalizing towards a privacy mindset

• Define 11 steps for internal privacy assessments including checklists for providers and business associates

• Describe the 11 most important privacy data elements to track and analyze across your organization for reporting, identifying trends, and applying CQI principles to your privacy program

• Assess new ways to operationalize privacy programs and integrate data-driven privacy assessments within an overall CQI program

Page 5

IT Value Steps

S = Satisfaction: Strong, data driven information privacy and security compliance programs result in improved consumer trust and patient satisfaction

T = Treatment/Clinical: Privacy and security compliance supports an organization's reputation and improves patient safety and clinical outcomes

E = Electronic Information/Data: Management of compliance case data within secure applications is not easy, but results in far fewer hacks and breaches

P = Patient Engagement/Population Management: Patient engagement has a foundation in trust, which is engendered by privacy and security practices

S = Savings: Savings from strong and automated privacy and security compliance come from many areas

http://www.himss.org/ValueSuite

Page 6

OBJECTIVES

Page 7

Objective and Justification of Need

• Public Awareness and focus on healthcare privacy and security

• Create data driven systems and management structures that increase accountability and drive improvement

• Quality-based improvements through measuring, understanding, and managing variation must be applied to privacy and security compliance


Page 8

Three Essential Ingredients

1. A Defined Program for Internal Privacy Assessment

• Produces Useable Data & Metrics

• Success Measures

• Is consistent and can be replicated

• Is actually used in operations to improve them, reduce liabilities, and close the holes identified

Page 9

Three Essential Ingredients

2. Data Analysis

• Consistency

– Fairness to Associate

– Fairness to Situation

– Reliability Testing

• Reporting – Analytical Approach

– Decision Making

– Improvements

– Business Intelligence

Page 10

Three Essential Ingredients

3. Information/Data Governance: Managing Operationalization

• Policies and Procedures/structure/rules of engagement

• Authority and Control

• Decision Rights and Accountabilities

• Management of the feedback of analysis results into operations

• Sanctions and other means of mitigation and remediation

Page 11

PROJECT PLAN AND IMPLEMENTATION OF A DATA DRIVEN COMPLIANCE PROGRAM

Page 12

Do You Have a Plan?

Page 13

What’s Your Strategy?

• “A goal without a plan is just a wish.”

– Antoine de Saint-Exupéry

• “Vision without execution is hallucination.”

– Thomas Edison

• “If you wish to understand something, try changing it.”

– Kurt Lewin

Page 14

Elements of Strategic Planning

Values: Mission & Values

Phase I: Environmental Assessment

• External

• Internal

• Risks

Phase II: Vision

• Driving Force

• Areas of Excellence

• Strategy

Skills: Strategic Thinking, Strategic Management, Leading Change, Operational Planning, Customer Focus, Innovation, Communication

Phase III: Strategic Profile

• Scenario Building

• Competitive Analysis

• Critical Issues

• Innovation

Phase IV: Implementation

• Final Strategic Profile

• Strategic Goals

• Strategic Objectives

• Measurement

Page 15

11 Steps for Internal Privacy Assessments

1. Create a privacy assessment program that meets OCR and more generalized privacy compliance requirements

– Identify the scope of the assessments (e.g. if a hospital, how much ambulatory?)

2. Identify stakeholders, governance, committee members, staff

3. Identify data and computer application resources available for assessments

4. Create or procure assessment tools, for both HIPAA privacy and security

– Web based, Excel based?

– Be sure to meet all of the HIPAA privacy rule requirements by having a detailed checklist of all areas covered by the privacy rule

Page 16

11 Steps for Internal Privacy Assessments

5. Determine an internal audit and monitoring program for privacy (which is related to, but not the same as, security monitoring)

– e.g. Audit log monitoring

6. Link the privacy monitoring program with security monitoring, with technology and/or manual processes

7. Develop incident response and investigation that provides data to drive assessments for ‘hot spots’

8. Create a program for walk downs and real time checks on privacy compliance throughout the enterprise

9. Develop multiple avenues, such as education and quizzes, for assessing employee knowledge about privacy compliance

10. Create and operationalize checklists for vendors / business associates

11. Develop the processes for using the data derived from the assessment program with CQI to improve operations

Page 17

Data Dictionaries Can Help…

Field | Field Type | Field Answer Options | Extras

Site Information

Today's Date | Autopopulate | Calendar |
Health System Name | Account names: Drop down list | | Role based access by region
Facility Name | Account names: Drop down list | | Role based access by region
Site Number | Autopopulate based on facility selection | 5 numbers |
Facility Street Address | Autopopulate based on facility selection | unlimited characters |
City | Autopopulate based on facility selection | unlimited characters |
State | Autopopulate based on facility selection | 2 characters |
Zip Code | Autopopulate based on facility selection | 5 numbers |
Facility Contact's Name | Manual | 50 characters |
Facility Contact's Email | Manual | 50 characters |

Summary of Disclosure

Invoice Number | Manual | 10 numbers |
Requestor Type (EXPAND) | Drop Down List | Attorney, Disability, Continuing Care, Other | If "other" is selected, open a free text field
Who Requested Information? | Manual | 100 characters |
Who Received Information? | Manual | 100 characters |
Date Request Received | Manual | Calendar |
Date Request Processed | Manual | Calendar |
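The data dictionary fixes, for each field, how it is filled and which answers it accepts. The Python below is an added example, not code from the presentation or from either speaker's company, of enforcing those rules at the point of data entry: it encodes the site and disclosure fields as a spec, validates a record against it, and requires the free-text field whenever "Other" is chosen. The snake_case field names, the spec format, the sample records and the received-before-processed date check are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FieldSpec:
    """One data-dictionary row: how a field is filled and what answers it accepts."""
    name: str
    source: str                          # "autopopulate", "manual" or "dropdown"
    max_len: Optional[int] = None        # "50 characters", "100 characters"
    digits: Optional[int] = None         # "5 numbers" -> exactly 5 digits
    calendar: bool = False               # "Calendar" -> must be a date
    options: Tuple[str, ...] = ()        # drop-down answer options
    other_field: Optional[str] = None    # free-text field opened when "Other" is chosen


# Spec built from the slide's data dictionary (field names are assumed snake_case
# forms of the slide's labels). The "(EXPAND)" note on Requestor Type means more
# options exist; only the four listed on the slide are used here.
DISCLOSURE_SPEC: Tuple[FieldSpec, ...] = (
    FieldSpec("todays_date", "autopopulate", calendar=True),
    FieldSpec("site_number", "autopopulate", digits=5),
    FieldSpec("state", "autopopulate", max_len=2),
    FieldSpec("zip_code", "autopopulate", digits=5),
    FieldSpec("facility_contact_name", "manual", max_len=50),
    FieldSpec("facility_contact_email", "manual", max_len=50),
    FieldSpec("invoice_number", "manual", digits=10),
    FieldSpec("requestor_type", "dropdown",
              options=("Attorney", "Disability", "Continuing Care", "Other"),
              other_field="requestor_type_other"),
    FieldSpec("who_requested_information", "manual", max_len=100),
    FieldSpec("who_received_information", "manual", max_len=100),
    FieldSpec("date_request_received", "manual", calendar=True),
    FieldSpec("date_request_processed", "manual", calendar=True),
)


def validate_disclosure(record: Dict[str, Any],
                        spec: Tuple[FieldSpec, ...] = DISCLOSURE_SPEC) -> List[str]:
    """Return the validation errors for one record; an empty list means it is clean."""
    errors: List[str] = []
    for f in spec:
        if f.name not in record:
            errors.append(f"{f.name}: missing")
            continue
        value = record[f.name]
        if f.calendar:
            if not isinstance(value, date):
                errors.append(f"{f.name}: expected a calendar date")
            continue
        if f.options:
            if value not in f.options:
                errors.append(f"{f.name}: {value!r} is not an allowed option")
            elif value == "Other" and not record.get(f.other_field):
                # The slide opens a free-text field when "other" is selected
                errors.append(f"{f.other_field}: required when {f.name} is Other")
            continue
        text = str(value)
        if f.digits is not None and not re.fullmatch(r"\d{%d}" % f.digits, text):
            errors.append(f"{f.name}: must be exactly {f.digits} digits")
        if f.max_len is not None and len(text) > f.max_len:
            errors.append(f"{f.name}: longer than {f.max_len} characters")
    # Added consistency check (an assumption, not on the slide): a request
    # cannot be processed before it was received.
    received = record.get("date_request_received")
    processed = record.get("date_request_processed")
    if isinstance(received, date) and isinstance(processed, date) and processed < received:
        errors.append("date_request_processed: earlier than date_request_received")
    return errors


# Constructed sample records (placeholder names and numbers, not real data)
CLEAN_RECORD: Dict[str, Any] = {
    "todays_date": date(2016, 3, 2),
    "site_number": "00417",
    "state": "CO",
    "zip_code": "80538",
    "facility_contact_name": "Example Contact",
    "facility_contact_email": "contact@example.org",
    "invoice_number": "0000123456",
    "requestor_type": "Attorney",
    "who_requested_information": "Example Law Office",
    "who_received_information": "Example Law Office",
    "date_request_received": date(2016, 2, 22),
    "date_request_processed": date(2016, 2, 26),
}
BAD_RECORD: Dict[str, Any] = dict(
    CLEAN_RECORD,
    site_number="417",                          # not 5 digits
    requestor_type="Other",                     # opens requestor_type_other, left empty
    date_request_processed=date(2016, 2, 20),   # before the request was received
)

if __name__ == "__main__":
    for label, rec in (("clean", CLEAN_RECORD), ("bad", BAD_RECORD)):
        print(label, validate_disclosure(rec) or "OK")
```

Keeping the constraints in one spec table, rather than scattered through form code, is what lets the same rules be applied to a web form, an Excel import and an ad hoc .xls upload alike, and it gives the CQI program a single place to tighten a rule when the data shows it is too loose.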

Page 18

Implementation

• Develop a rollout plan

• Test

• Train

• Test

• Train

• Disseminate

• Measure

Page 19

PRIVACY AND SECURITY COMPLIANCE FUNCTIONS THAT HAVE BEEN AUTOMATED

Page 20

Privacy and Security Compliance Automation on the rise

• Automation of privacy and security compliance is relatively new, especially privacy

• Privacy automation ramped up with HITECH and meaningful enforcement

• Security compliance in general continues to evolve with more encompassing monitoring and logging

• A result of increasing amounts of compliance automation is increased data to assist in managing and strengthening operations

Page 21

Privacy and Security Compliance Functions That Have Been Automated

Areas of functionality, products and lines of service that have been automated by at least one company to date

• Privacy incident (including federal and state breach) management and investigation

• Security incident management and investigation

• Audit log monitoring

• SIEM (Security Information and Event Management)

• Other types of security monitors

• ‘Patient’s Rights’ workflows (Amendment, Restrictions, AOD)

• More generalized tracking of issues for privacy, security or related compliance

Page 22

Privacy and Security Compliance Functions That Have Been Automated

• Security Risk Analysis (including MU)

• Privacy Risk Analysis (compliance program GAP type assessment)

• Security and Privacy policies and forms (limited automation, but some macro based MS-Word type tools are in the marketplace)

• Business Associate Agreement management

• Breach notification

• HIPAA Training

• Privacy and Security Courses for Academic programs

Page 23

Required Quality Controls for Compliance Automation

• Compliance automation functional ideas and designs may be vendor or customer originated, but must be agreed to by both parties

• Vetting of enhancements with live users before, during and after development

• Use of formal system development methodology that includes multiple quality checks

• Test, test, test application

• Support and feedback after rollout

• Active, robust audit logs

• Reporting and graphing across all captured data elements

• Multiple points within the system for users to monitor the usage and application of program functions

• Integration with physical compliance program to cross check quality on a constant, on-going basis

Page 24

USING DATA FOR PRIVACY AND SECURITY COMPLIANCE QUALITY IMPROVEMENT

Page 25

Describe the 11 most important privacy data elements to track

In order to analyze data across the organization for reporting, identifying trends, and applying CQI principles to the privacy program

1. Who was responsible for the incident – was this a ‘frequent flyer’?

2. What patient’s PHI was involved?

3. What type of incident – break down into OCR specified types

4. Where did the incident occur – is there a pattern or repeated issues?

Page 26

Describe the 11 most important privacy data elements to track

5. When – discovery and occurrence dates

6. Was the incident a Policy Violation / HIPAA Violation /HIPAA Breach / State Breach

7. If a breach what notification was undertaken when?

8. Was there a BA (Business Associate) involved? Repeat offender?

9. Type of PHI involved – break down into OCR specified

10. Type of corrective actions undertaken for mitigation and remediation

11. What, if any, sanctions were levied?

Page 27

Building Privacy and Security Programs Fostering Quality Improvement

• Perform compliance risk assessments of new and existing systems and programs to determine what is working well, and what areas have room for improvement

• Change forms, systems, and procedures to comply with privacy requirements

• Consider automating the privacy program through a software or alternative program that is the most closely tailored to suit the specific needs of your privacy program

• Develop a team and assign responsibility for privacy actions (software, documents, investigations, etc.)

• Provide feedback on quality measures to staff to foster continuous improvement efforts and increase visibility by partnering with marketing and other departments

• Train and retrain

Page 28

The Significance of Centralizing Privacy and Security Reporting

• Reporting for Governance is one of the most compelling reasons for automation

• Manual processes including spreadsheets, notes, or a basic homegrown database are inefficient, and time intensive to compile and present

• Privacy and Security Officers find it difficult to justify their staff time without clear, comprehensive reporting

• Privacy Incidents can have 60+ data elements stored and reported upon

• Ideal software will be able to produce canned reports as well as .xls or .xml downloads for ad hoc reporting, so that pivot tables, charts, and graphs are all easily created

Page 29

Using Data for Quality Improvement

• Categorizing Privacy Incidents

– Corporate policy violations

– HIPAA violations

– HIPAA breaches

– State breaches

• Turn-Around Times for Matters Regulated Under HIPAA

– Investigations for breach

– Investigations for other issues

– Amendment requests

– Restriction requests

Page 30

Other Data Use Considerations

• What are we doing with the data?

• Are there trends revealed by the data?

– If there is, then what are we doing with the data?

– How are we partnering with that Covered Entity, ancillary departments and/or Business Associates to determine what education we can offer?

• Compliance needs to step away from being viewed as the internal ‘compliance police’, towards becoming partners with all Covered Entity and Business Associate workforce members.

• How should Information Governance be involved?

Page 31

Examples of Operational Reports Related to Quality Improvement

• Which CEs or BAs have the most incidents, and their timeframes for resolution

• Causes of incidents

• Methods of reporting, sources of incidents

• Frequent flyers (repeat violators)

• Watching case workflows with real time monitoring

• Speed with which detected potential breaches (incidents) are investigated and addressed


Page 33

Data Elements Graphed and Trended

Full system data can be downloaded into XLS or XML for further analysis and graphing

Columns: ID | Disclosure Name | Discovery Date | Covered Entity | Status | Assessment | Short Assessment | Category | Assigned To | Business Associate | Occurrence Date Begin | Occurrence Date End | Location of Occurrence | Disclosure Types | Patient Name | Patient EMPI

Sample rows (demonstration data as shown on the slide; empty cells left blank):

122 | RESP TEST 2 | 09/28/2013 | Loveland GV | Active | Privacy Violation / Potential Breach | Priv / PB | Incident Type A, Incident Type B, HIPAA Privacy, Misdirected Fax | Paul Albrecht | | 11/28/2012 | | | Improper Disposal | |

161 | Unnamed Wrongful Disclosure | 8/26/2013 | Loveland GV | Active | | | N/A, Incident Type A, HIPAA Privacy | Adam Albrecht | | 09/10/2013 | 09/27/2013 | asdf | | Last, First, MI |

163 | Unnamed Wrongful Disclosure | 7/14/2013 | Southern Again | New | | | hello, HIPAA Privacy | | | 09/23/2013 | | asdf | | Albrecht, Paul F |

156 | test new breach analysis | 7/4/2013 | Southern Again | Active | Breach | Breach | | Paul Albrecht | | 09/25/2013 | | | | |

Let's view a full set of data from a Privacy Incident Details page

Page 34

Privacy Incident Turn-Around Times

Month | Jan | Feb | Mar | Apr | May | June | July | Aug | Sept | Oct | Nov | Dec

Incidents | 8 | 10 | 17 | 5 | 13 | 20 | 9 | 10 | 8 | 22 | 14 | 8

Turnaround Time | 25 | 28 | 27 | 15 | 22 | 27 | 19 | 25 | 19 | 25 | 20 | 17

[Chart: Incidents and Turnaround Time by month, plotted from the table above]

Page 35

Privacy Incidents by Hospital

Covered Entity | No Violation | Privacy Violation | Breach | Total Incidents

Hospital - East | 5 | 7 | 5 | 17

Hospital - South | 1 | 3 | 6 | 10

Hospital - West | 3 | 1 | 4 | 8

Hospital - North | 6 | 2 | 0 | 8

Grand Total | 15 | 13 | 15 | 43*

[Chart: incidents per hospital, stacked by outcome (Breach, Privacy Violation, No Violation)]

*43 incidents exposing 124 records
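The two tables above and the "Examples of Operational Reports" list describe the same reports from the data-element side: incidents per covered entity broken down by outcome, repeat offenders, and how quickly incidents are closed. The Python below is an added example, not code from the presentation or from either speaker's company, that produces those reports from incident records carrying the tracked data elements. The Incident layout, the resolved date, the sample incidents (placeholder user ids and a placeholder business associate "ShredCo"), the AS_OF date and the 30-day overdue threshold are constructed assumptions; the outcome labels and hospital names follow the "Privacy Incidents by Hospital" table.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Outcome labels from the slide's "Privacy Incidents by Hospital" table
OUTCOMES: Tuple[str, ...] = ("No Violation", "Privacy Violation", "Breach")
AS_OF = date(2015, 5, 1)   # constructed reporting date for the overdue report


@dataclass(frozen=True)
class Incident:
    """One privacy incident carrying the tracked data elements these reports use."""
    id: int
    covered_entity: str                 # element 4: where the incident occurred
    responsible: str                    # element 1: who was responsible
    business_associate: Optional[str]   # element 8: BA involved, if any
    incident_type: str                  # element 3: type of incident
    discovered: date                    # element 5: discovery date
    resolved: Optional[date]            # assumed close date; None while still open
    outcome: str                        # element 6: one of OUTCOMES
    records_exposed: int = 0            # element 2: how many patients' PHI


# Constructed sample incidents (placeholder ids and names, not real data)
INCIDENTS: Tuple[Incident, ...] = (
    Incident(1, "Hospital - East", "user017", None, "Misdirected Fax",
             date(2015, 1, 5), date(2015, 1, 30), "Privacy Violation", 1),
    Incident(2, "Hospital - East", "user017", None, "Misdirected Fax",
             date(2015, 2, 10), date(2015, 2, 24), "Privacy Violation", 1),
    Incident(3, "Hospital - South", "ShredCo", "ShredCo", "Improper Disposal",
             date(2015, 2, 12), date(2015, 3, 10), "Breach", 40),
    Incident(4, "Hospital - South", "ShredCo", "ShredCo", "Improper Disposal",
             date(2015, 3, 3), date(2015, 3, 31), "Breach", 35),
    Incident(5, "Hospital - West", "user042", None, "Unauthorized Access",
             date(2015, 1, 20), date(2015, 2, 5), "No Violation", 0),
    Incident(6, "Hospital - North", "user088", None, "Lost Device",
             date(2015, 3, 15), None, "Breach", 12),
    Incident(7, "Hospital - East", "user101", None, "Wrongful Disclosure",
             date(2015, 3, 20), date(2015, 4, 1), "No Violation", 0),
    Incident(8, "Hospital - West", "user042", None, "Unauthorized Access",
             date(2015, 4, 2), date(2015, 4, 20), "Privacy Violation", 3),
)

Row = Dict[str, int]


def incidents_by_entity(incidents) -> Dict[str, Row]:
    """Per covered entity: count by outcome plus a total (the 'Incidents by Hospital' table)."""
    table: Dict[str, Row] = {}
    for inc in incidents:
        row = table.setdefault(inc.covered_entity, dict.fromkeys(OUTCOMES + ("Total",), 0))
        row[inc.outcome] += 1
        row["Total"] += 1
    return table


def grand_total(table: Dict[str, Row]) -> Row:
    """Column sums across all entities (the table's Grand Total line)."""
    total = dict.fromkeys(OUTCOMES + ("Total",), 0)
    for row in table.values():
        for key, count in row.items():
            total[key] += count
    return total


def records_exposed(incidents) -> int:
    """Patients' records exposed across all incidents (the table's footnote figure)."""
    return sum(inc.records_exposed for inc in incidents)


def frequent_flyers(incidents, min_incidents: int = 2) -> List[Tuple[str, int]]:
    """Responsible parties (workforce members or BAs) seen in at least min_incidents incidents."""
    counts = Counter(inc.responsible for inc in incidents)
    repeat = [(name, n) for name, n in counts.items() if n >= min_incidents]
    return sorted(repeat, key=lambda item: (-item[1], item[0]))


def monthly_turnaround(incidents) -> Dict[Tuple[int, int], dict]:
    """Per discovery month: incidents opened, incidents closed, mean days to close."""
    opened: Counter = Counter()
    closed_days: Dict[Tuple[int, int], List[int]] = defaultdict(list)
    for inc in incidents:
        key = (inc.discovered.year, inc.discovered.month)
        opened[key] += 1
        if inc.resolved is not None:
            closed_days[key].append((inc.resolved - inc.discovered).days)
    return {
        key: {"incidents": opened[key],
              "closed": len(closed_days[key]),
              "mean_days": (sum(closed_days[key]) / len(closed_days[key])
                            if closed_days[key] else None)}
        for key in sorted(opened)
    }


def overdue_open_incidents(incidents, as_of: date = AS_OF, max_days: int = 30) -> List[int]:
    """Ids of still-open incidents discovered more than max_days before as_of."""
    return [inc.id for inc in incidents
            if inc.resolved is None and (as_of - inc.discovered).days > max_days]


if __name__ == "__main__":
    table = incidents_by_entity(INCIDENTS)
    for entity, row in table.items():
        print(entity, row)
    print("Grand Total", grand_total(table), "records exposed:", records_exposed(INCIDENTS))
    print("Frequent flyers:", frequent_flyers(INCIDENTS))
    print("Monthly turnaround:", monthly_turnaround(INCIDENTS))
    print("Overdue open incidents:", overdue_open_incidents(INCIDENTS))
```

Because every report is a pure function of the incident records, the same code runs unchanged over an .xls or .xml export from the incident system, and a threshold such as the 30-day overdue cut-off can be adjusted to whatever the governance committee decides without touching the reporting logic.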

Page 36

STEPS: BENEFITS OF DATA DRIVEN PRIVACY AND SECURITY COMPLIANCE

Page 37

STEPS: Patient Satisfaction

Strong, data driven information privacy and security compliance programs result in improved consumer trust and patient satisfaction.

Well managed privacy and security practices reduce the risks of bad PR associated with breaches and hacks.

Page 38

STEPS: Treatment

Privacy and security compliance supports an organization's reputation, improves patient safety and clinical outcomes.

Reduction in duplicative services and delayed treatment as patients more confidently share their information.

Page 39

STEPS: Electronic Secure Data

Management of compliance case data within secure applications is not easy but results in far fewer hacks and breaches.

Encryption of compliance data ensures no HIPAA or state breaches and lowers overall organizational risk.

Page 40

STEPS: Patient Engagement

Patient engagement has a foundation in trust, which is engendered by privacy and security practices.

Reduction in duplicative services as patients more confidently share their information.

Page 41

STEPS: Savings

Savings from strong and automated privacy and security compliance come from many areas.

Although tough to measure, the reduction of risk from fines and civil judgments is significant for well run, data driven compliance programs.

Page 42

Conclusion

• Healthcare privacy and security compliance is becoming more complex as electronic records spread and public perception of breaches and hacking rises

• State breaches and an increasing patchwork of state privacy and security compliance regulations have added another dimension of complexity

• Operationalizing data from automation as part of a CQI program aids in achieving and maintaining high levels of compliance

• Automation of privacy and security compliance is increasingly required for governance reporting and for achieving patient satisfaction

• Both tangible (measurable) and intangible (unmeasurable) benefits are being realized as automation and process re-engineering are developed for privacy, security and even other areas of regulatory compliance

Page 43

Questions?