Implementing an Effective Auditing and Monitoring Program with a New EMR:
2 AMCs + 1 Healthcare System = OHCA
June 3, 2019
Karen Pagliaro-Meyer
Chief Privacy Officer
Columbia University Irving Medical Center
Tanisha Raiford, JD, MPA
Chief Privacy Officer & Senior Billing Compliance Officer
Weill Cornell Medicine
Overview
• The Organized Health Care Arrangement (OHCA) is implementing a single electronic medical record (EMR)
  • NewYork-Presbyterian Hospital
  • Weill Cornell University
  • Columbia University
• Over 30,000 users
• 3 year implementation plan
• Single:
  • EMPI – Electronic Master Patient Index
  • LDAP – Lightweight Directory Access Protocol
EpicTogether Timeline (slide graphic: EpicTogether System Integration; EpicTogether 2022)
Considerations
• Policy Alignment
• Revenue
• Data Sharing (Federal and NYS Regulations)
  • HIPAA
  • OHCA
  • TPO
  • New York State
    • Public Health Law
    • Education Law
• Incident Management
• Vendor/BAA
Implement Monitoring & Audit Platform
GOAL – Develop and implement a single monitoring and audit platform for the Electronic Medical Record(s)
• The three (3) Privacy Officers developed:
  • A governance structure for the Privacy Audit and Monitoring Platform
  • Processes to conduct monitoring, auditing and investigations
  • Monitoring and Audit Indicators and Definitions
• Align related policies and procedures
• Establish a system to effectively manage and communicate potential HIPAA breaches
• Shared best practices along the way
Implement Monitoring & Audit Platform
• Policies aligned include:
  • Notice of Privacy Practices
  • Sanction Policy
  • Privacy Complaints
  • Managing patients requiring additional privacy protections
  • Personal Health Record and Proxy Access
  • Employee Access to their Own EMR
  • Legal Health Record and Designated Record Set
  • Authorization to Release Medical Information
  • Amendment and Accounting of Disclosure Requests
Single Notice of Privacy Practices
Authorization to Use & Disclose Patient Information
Health Information Management
• Standardize ROI process to manage:
  • Legal requests for PHI
  • ROIs from each organization
  • Amendment Requests
  • Accounting of Disclosures
Tri-Institutional Privacy & Security Governance Committee
• Mission
  • Provide overall direction for the Consortium Privacy and Security Audit Platform
• Scope
  • Alert and Monitoring process
  • Investigations
  • Rules and Policies for the Platform
  • Track and trend the Incident Management System
  • Review and approve modification requests for the platform
• Membership
  • Chief Privacy Officers
  • Chief Information Security Officers
  • EMR Privacy and Security Architect
• Key Principles (MOU): details on management & maintenance of the system
Privacy Monitoring & Auditing Platform
• Worked with Information Security to review the existing monitoring and audit platform(s) for each organization
• Evaluated audit and monitoring tools in the market
• Developed use cases for monitoring privacy incidents throughout Enterprise
• Created a single platform to manage all three organizations' alerts, reports and investigation requirements
• Currently testing application
Privacy Tri-institution Platform (architecture diagram)
• Sources providing audit logs: Epic, PACs, NYP Apps, WC Apps, CU Apps
• Correlating apps: Human Resources Info, Student Info, Employee MRN, LDAP (manual updates)
• Privacy Auditing Platform: Multi-Entity – NYP/Columbia/Cornell
  1. Continuous automated review and analysis of logs
  2. Continuous 24x7 logging of critical events
  3. Privacy Dashboard
  4. Data capture application for alerts and reports
  5. Workflow for reporting and tracking alerts
• Outputs: Incident Manager, Privacy Officer Dashboard, HIPAA Breach Reports & Corrective Actions (separate systems)
Privacy Platform Architecture Overview
Privacy Platform
• The Privacy Platform includes:
  • Dashboard to track key performance indicators
  • Alerts triggered by anomalous activity
  • Reports to communicate information and summarize data
  • Information required to perform patient/workforce member investigations
  • Other key data points relevant for monitoring, audits and investigations
• Developed User Manual
• Established a “mailbox” for each organization designated for monitoring and alert related communications
Privacy Platform Operational Workflow
Privacy Event Lifecycle (swimlane diagram: Privacy Platform / Privacy Officer / End User Under Investigation)
• Start – Alert Initiated: Incident Manager Alert (High, Medium) or Incident Manager Alert Manual Entry (Low)
• Assign Owner; change status to Work in Progress
• Conduct Investigation; investigation email to End User / Manager; change status to Mitigation in Process
• Evidence Capture; Risk Analysis Management System; Risk Assessment Repository
• Privacy Issue – YES: change status to Closed-Privacy Incident
• Privacy Issue – NO: change status to Closed-Non Privacy Incident
Monitoring and Alerts
1. Higher than user normal (user specific)
2. Excessive hours with activity
3. Compare usage among peers
4. Employee Patient Record Access
5. Access to consecutive MRNs
6. Excessive Demographic Access / Access to Deceased Demographics
7. VIP Access
8. Break the Glass / Bump the Glass
9. Failed login attempts
10. Access by inactive user
Implementation Plan for Alerts and Reports
• Define Alert
• Agree on the parameters that trigger Alerts – High, Medium, and Low
• Develop process to communicate Alerts to the organization/department
• Track Alerts to resolution
• Review and approve resolution
• Escalate issue(s) as required
Example of Alert Process
Higher than user normal (user specific)
• User Jane Doe normally accesses 25 records a day
• Yesterday Jane Doe accessed 150 records
• Alert triggered
• User is a Nurse assigned to work at Columbia
• Issue entered into Incident Manager
• Issue sent via email to Columbia Department Administrator and copied to Columbia’s Privacy Office
• Response returned to Incident Manager and copied to Columbia’s Privacy Office
• Follow-up managed by appropriate organization
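As an added example, not from the presentation or the OHCA platform, the Python below runs three of the indicators listed above over a constructed access log: the user-specific baseline rule from the Jane Doe scenario (with High/Medium severity), consecutive-MRN access, and access by an inactive user. The baseline averages, user ids, MRNs and severity thresholds are assumptions.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class Access(NamedTuple):
    user: str   # EMR user id
    day: str    # access date, YYYY-MM-DD
    mrn: int    # medical record number accessed

# Constructed inputs (assumptions, not from the presentation): each user's
# 30-day average records/day, and accounts the directory (LDAP) marks inactive.
BASELINE = {"jdoe": 25.0, "asmith": 40.0}
INACTIVE_USERS = {"rleft"}
# Constructed access log: Jane Doe's 150-record day from the slide example,
# a user walking six consecutive MRNs, and one access by an inactive account.
ACCESS_LOG = (
    [Access("jdoe", "2019-06-02", 100_000 + 7 * i) for i in range(150)]
    + [Access("asmith", "2019-06-02", 200_000 + i) for i in range(1, 7)]
    + [Access("rleft", "2019-06-02", 300_123)]
)

def baseline_alerts(log, baseline, high=4.0, medium=2.0):
    """Indicator 1: higher than the user's own normal. Severity comes from the
    ratio of the day's record count to the user's baseline (thresholds assumed)."""
    alerts = []
    for (user, day), n in Counter((a.user, a.day) for a in log).items():
        ratio = n / baseline.get(user, float("inf"))  # no baseline: never fires
        if ratio >= high:
            alerts.append((user, day, n, "High"))
        elif ratio >= medium:
            alerts.append((user, day, n, "Medium"))
    return alerts

def consecutive_mrn_alerts(log, run_len=5):
    """Indicator 5: a user touching run_len or more sequential MRNs in one day."""
    seen = defaultdict(set)
    for a in log:
        seen[(a.user, a.day)].add(a.mrn)
    alerts = []
    for (user, day), mrns in seen.items():
        ordered, run = sorted(mrns), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run == run_len:
                alerts.append((user, day, "consecutive MRNs"))
                break
    return alerts

def inactive_user_alerts(log, inactive):
    """Indicator 10: any access by an account listed as inactive."""
    return sorted({(a.user, a.day, "inactive user") for a in log if a.user in inactive})
```

Each function returns the tuples that would be entered into the Incident Manager; Jane Doe's 150 records against a baseline of 25 is a ratio of 6 and therefore a High alert, while a user with no baseline yet never fires.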
Investigations
• Audit & Monitoring Platform supervised by the tri-institutional Privacy and Security Architect team
• The case is entered into the Incident Manager
• The Privacy and Security Architect team sends an automated notification to the appropriate Privacy Officer and Department Administrator
• The Privacy Officer reviews the Departmental response and enters an update in the Incident Manager
Investigations – Independent Investigation
• Each Organization can obtain data from all systems to investigate an issue, complaint, allegation, etc.
• User Access – all records accessed by a user over an “x” period of time
• Patient Access – all users that accessed a specific medical record, including reason for access and tasks performed in the record (view, update, create, delete, etc.)
• VIP patient – instant Alerts
Thank you
Karen Pagliaro-Meyer, CHPC, CHC, CHPQ
Chief Privacy Officer
Columbia University Irving Medical Center
[email protected]
Tanisha Raiford, JD, MPA, CIPP/US, CCEP, CHPC, CHRC, CHC
Chief Privacy Officer & Senior Billing Compliance Officer
Weill Cornell Medicine
[email protected]