![Page 1: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/1.jpg)
855.85HIPAA www.compliancygroup.com
Industry leading Education
Certified Partner Program
• Please ask questions
• For today's slides: http://compliancy-group.com/slides023/
• For today's and past webinars, go to: http://compliancy-group.com/webinar/
Get Involved.
#cgwebinar
![Page 2: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/2.jpg)
Daniel Fabbri, Founder & CEO of Maize Analytics
Assistant Professor at Vanderbilt University
![Page 3: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/3.jpg)
Electronic Medical Records
![Page 4: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/4.jpg)
Problem: Insecure Data
1. Open access environment
2. Millions of accesses per week
3. Patient care is dynamic
![Page 5: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/5.jpg)
Regulations
HIPAA, HITECH, and Affordable Care Act
• Minimal requirements to access PHI
• Security monitoring requirements
• Penalties and fines for breaches
![Page 6: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/6.jpg)
Paper-Bag Security
“Nancy, I’m not sure that’s what HIPAA had in mind.”
![Page 7: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/7.jpg)
Basic Security Mechanisms
Fine-grained access controls
Permission escalation: “Are you sure you want to continue?” WARNING
![Page 8: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/8.jpg)
Current Approaches
Compliance officers manually review complaints
Flag “suspicious” types of accesses: (i) same last name, (ii) co-workers, (iii) neighbors
![Page 9: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/9.jpg)
Audit Limitations
• Most accesses audited are appropriate
• Investigations can take days or weeks to complete
• Potential alert avalanches (turn system off)
![Page 10: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/10.jpg)
Objective
Provide compliance officers the ability to
quickly and accurately
find inappropriate access from audit logs.
![Page 11: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/11.jpg)
Observation
Most appropriate accesses occur for valid clinical or operational reasons.
“Authorized access is limited to those with the need to know for purposes of patient care, billing, medical record review and quality assurance.”
University of Michigan Health System Screen Saver
![Page 12: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/12.jpg)
Explanation-Based Auditing System (EBAS)
[Figure: “Approach: Explanation-Based Auditing” flow diagram. Recoverable labels: Medical Record, Query, Audit Log, Valid Reason For Access, Appropriate, Suspicious.]
Filter accesses so there are fewer for manual review.
![Page 13: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/13.jpg)
Filter Based On Data Stored In The EMR
![Page 14: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/14.jpg)
What is an Explanation?
Explanations

An explanation captures the clinical or operator reason for access. Explanations are represented as paths connecting the patient whose record is accessed (i.e., Audit Log->Patient ID) to the employee accessing the record (i.e., Audit Log->Employee ID). Paths are constructed by linking multiple edges together.

7 explanations!

| Active | Training Frequency | Description | Explanation Graph |
|---|---|---|---|
| False | 0.333 | Medication | View |
| True | 0.333 | Appointment | View |
| True | 0.167 | RepeatAccess | View |
| False | 0.167 | Floor + Floor | View |
| False | 0.500 | Appointment+Department | View |

Explanation graph edges shown under the Appointment row:
• Evidence->Audit Log->Employee ID
• Evidence->Audit Log->Patient ID
• Evidence->Appointment->Patient ID
• Evidence->Appointment->Employee ID
Connection between the patient and the employee accessing the patient’s record
![Page 15: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/15.jpg)
Explanation Recommendations
Find frequently occurring explanations (a graph search problem)
Recommend explanations to compliance officers
Approve correct explanations and use them to filter future appropriate accesses
![Page 16: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/16.jpg)
Limitations
Basic explanations are effective for doctors, not supporting staff (e.g., nurses, pharmacists, central staffing, etc.)
Appointments are made with doctors, not nurses. This lack of data causes missed explanations.
![Page 17: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/17.jpg)
Enhance Explanations
1. Automatically fill in missing data:
Oncologists treat cancer patients
Pediatric nurses work with pediatric physicians
[Figure labels: Pediatric nurse, Pediatric physician, Hospital Employees]
![Page 18: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/18.jpg)
Enhance Explanations

| Active | Training Frequency | Description | Explanation Graph |
|---|---|---|---|
| False | 0.500 | Medication+Department | View |
| False | 0.167 | Icd + Department To Icd + Department | View |

Explanation graph edges shown under the Icd + Department To Icd + Department row:
• Evidence->Audit Log->Employee ID
• Evidence->Audit Log->Patient ID
• Employee Info->Department->Info Value
• Employee Info->Department->Employee ID
• Department to ICD->Department To Icd->icd
• Department to ICD->Department To Icd->department
• Patient Info->Icd->Patient ID
• Patient Info->Icd->Info Value
© Maize Analytics 2014
1. Automatically fill in missing data: oncologists treat cancer patients; pediatric nurses work with pediatric physicians
2. Mine new explanations:
“The access occurred because Dr. Dave is an oncologist, oncologists treat cancer and Alice has cancer”
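The filtering idea from the preceding slides, as an added example that is not from the slides or from the EBAS product: each explanation is a path predicate joining an audit-log row to other hospital tables, and only accesses with no approved explanation go to manual review. All table contents, names and the three predicate functions are constructed assumptions.

```python
from collections import namedtuple

# All rows below are constructed sample data; the table names, columns and
# predicate functions are assumptions for illustration, not the EBAS schema.
Access = namedtuple("Access", "log_id employee patient")
AUDIT_LOG = [
    Access(1, "dr_dave", "alice"), Access(2, "dr_dave", "alice"),
    Access(3, "nurse_nia", "bob"), Access(4, "clerk_cy", "alice"),
    Access(5, "dr_erin", "bob"), Access(6, "dr_dave", "carol"),
]
APPOINTMENTS = {("bob", "dr_erin")}                  # (patient, employee)
DEPARTMENT = {"dr_dave": "oncology", "dr_erin": "pediatrics",
              "nurse_nia": "pediatrics", "clerk_cy": "billing"}
DEPT_TO_ICD = {("oncology", "C50")}                  # department treats diagnosis
PATIENT_ICD = {("alice", "C50"), ("carol", "J45")}   # (patient, diagnosis code)

def appointment(a):
    # Path: the logged patient has an appointment with the logged employee.
    return (a.patient, a.employee) in APPOINTMENTS

def appointment_department(a):
    # Patient has an appointment with someone in the accessing employee's department.
    dept = DEPARTMENT.get(a.employee)
    return dept is not None and any(
        p == a.patient and DEPARTMENT.get(e) == dept for p, e in APPOINTMENTS)

def icd_department(a):
    # Employee's department treats a diagnosis recorded for the patient.
    dept = DEPARTMENT.get(a.employee)
    return any((dept, icd) in DEPT_TO_ICD for p, icd in PATIENT_ICD if p == a.patient)

EXPLANATIONS = {"Appointment": appointment,
                "Appointment+Department": appointment_department,
                "Icd+Department": icd_department}

def audit(log, active):
    """Apply the approved (active) explanations to every logged access."""
    reasons = {a.log_id: [n for n in active if EXPLANATIONS[n](a)] for a in log}
    unexplained = [a.log_id for a in log if not reasons[a.log_id]]
    # Fraction of logged accesses each explanation accounts for.
    freq = {n: round(sum(n in r for r in reasons.values()) / len(log), 3) for n in active}
    return reasons, unexplained, freq

if __name__ == "__main__":
    for active in (["Appointment"], list(EXPLANATIONS)):
        reasons, unexplained, freq = audit(AUDIT_LOG, active)
        print(active, "-> manual review:", unexplained, "frequency:", freq)
```

With only the basic Appointment explanation active, five of the six sample accesses need manual review, including the nurse's; with all three active, only the billing clerk's access and the oncologist's access to a patient without a cancer diagnosis remain.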
![Page 19: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/19.jpg)
High-Level Results
95% of accesses in one-week sample filtered with high precision
Ongoing trials at major hospitals to evaluate effectiveness
See VLDB 2011, JAMIA 2012 publications
![Page 20: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/20.jpg)
Practical Example
• US hospital audited accesses for 1 patient over a few weeks
• 500+ accesses normally audited manually
• EBAS filtered the list down to 5 for manual review
![Page 21: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/21.jpg)
Integrated Analytics
• Search for outliers, then drill down with EBAS
Analyze high usage employees
![Page 22: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/22.jpg)
Deployment
Many hospitals will not release data to the cloud…yet
Hospitals download VM and run locally!
![Page 23: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/23.jpg)
Data Extraction
How to get data into the auditing system?
Reporting System (e.g., Epic’s Clarity)
Text File
All within the hospital
![Page 24: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/24.jpg)
Investigation Management
![Page 25: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/25.jpg)
Short Video Summary
Putting the pieces together! https://www.youtube.com/watch?v=gDEcgVwIgSU
![Page 26: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/26.jpg)
Why Use EBAS?
busy / too many audits / too much manual effort
need for automation / need for improved HIPAA procedures
worried about OCR audits / want more proactive tools
want published & peer-reviewed technology
looking for a different approach to auditing
Email us for faster HIPAA audits! [email protected]
![Page 27: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/27.jpg)
Questions?
![Page 28: Is Your EHR Safe? New Technologies for Auditing](https://reader034.vdocument.in/reader034/viewer/2022051323/549b3d80b479591a098b4706/html5/thumbnails/28.jpg)
Free Demo and 60 Day Evaluation
www.compliancy-group.com
855 85 HIPAA (855.854.4722)
The Guard:
One simple, cost-effective Compliance Tracking Solution that satisfies HIPAA, HITECH Risk Assessment, & Omnibus Compliance
• Guaranteed HIPAA Audit Protection
• Gap Identification & Remediation Plans
• Built in Training, Policies & Procedures
• Business Associate Agreements Included
• HIPAA Hotline Support
• Experienced HIPAA Coach Implementation