
Page 1: Implementing an Effective Auditing and Monitoring Program

Implementing an Effective Auditing and Monitoring Program with a New EMR:

2 AMCs + 1 Healthcare System = OHCA

Karen Pagliaro-Meyer
Chief Privacy Officer
Columbia University Irving Medical Center

June 3, 2019

Tanisha Raiford, JD, MPA
Chief Privacy Officer & Senior Billing Compliance Officer
Weill Cornell Medicine

Page 2

Overview

• The Organized Health Care Arrangement (OHCA) is implementing a single electronic medical record (EMR)
  • NewYork-Presbyterian Hospital
  • Weill Cornell University
  • Columbia University
• Over 30,000 users
• 3 year implementation plan
• Single:
  • EMPI – Electronic Master Patient Index
  • LDAP – Lightweight Directory Access Protocol

(Logos: Columbia, NewYork-Presbyterian, Weill Cornell Medicine)

Page 3

EpicTogether Timeline

Page 4

EpicTogether System Integration

Page 5

EpicTogether 2022

Page 6

Considerations

• Policy Alignment
• Revenue
• Data Sharing (Federal and NYS Regulations)
  • HIPAA
  • OHCA
  • TPO
  • New York State
    • Public Health Law
    • Education Law
• Incident Management
• Vendor/BAA

Page 7

Implement Monitoring & Audit Platform

GOAL – Develop and implement a single monitoring and audit platform for the Electronic Medical Record(s)

• The three (3) Privacy Officers developed:
  • A governance structure for the Privacy Audit and Monitoring Platform
  • Processes to conduct monitoring, auditing and investigations
  • Monitoring and Audit Indicators and Definitions
  • Align related policies and procedures
  • Establish a system to effectively manage and communicate potential HIPAA breaches
• Shared best practices along the way

Page 8

Implement Monitoring & Audit Platform

• Policies aligned include:
  • Notice of Privacy Practices
  • Sanction Policy
  • Privacy Complaints
  • Managing patients requiring additional privacy protections
  • Personal Health Record and Proxy Access
  • Employee Access to their Own EMR
  • Legal Health Record and Designated Record Set
  • Authorization to Release Medical Information
  • Amendment and Accounting of Disclosure Requests

Page 9

Single Notice of Privacy Practices

Page 10

Authorization to Use & Disclose Patient Information

Health Information Management
• Standardize ROI process to manage
  • Legal requests for PHI
  • ROIs from each organization
  • Amendment Requests
  • Accounting of Disclosures

Page 11

Tri-Institutional Privacy & Security Governance Committee

• Mission
  • Provide overall direction for Consortium Privacy and Security Audit Platform
• Scope
  • Alert and Monitoring process
  • Investigations
  • Rules and Policies for the Platform
  • Track and trend Incident Management System
  • Review and approve modification requests of the platform
• Membership
  • Chief Privacy Officers
  • Chief Information Security Officers
  • EMR Privacy and Security Architect
• Key Principles (MOU)
  • Details on management & maintenance of system

Page 12

Privacy Monitoring & Auditing Platform

• Worked with Information Security to review the existing monitoring and audit platform(s) for each organization
• Evaluated audit and monitoring tools in the market
• Developed use cases for monitoring privacy incidents throughout the Enterprise
• Created a single platform to manage all three organizations' multiple alerts, reports and investigation requirements
• Currently testing application

Privacy Tri-institution Platform

Page 13

Privacy Platform Architecture Overview (diagram, reconstructed from the slide labels)

Applications providing Audit logs: Epic, PACs, NYP Apps, WC Apps, CU Apps

Correlating Apps:
• Human Resources Info
• Student Info
• Employee MRN
• LDAP

Privacy Auditing Platform: Multi-Entity-NYP/Columbia/Cornell
1. Continuous Automated Review and Analysis of Logs
2. Continuous 24x7 logging of critical events
3. Privacy Dashboard
4. Data Capture Application for Alerts and Reports
5. Workflow for reporting and tracking alerts

Incident Manager → Privacy Officer Dashboard

Separate Systems (Manual Updates): HIPAA Breach Reports & Corrective Actions

Page 14

Privacy Platform

• The Privacy Platform includes:
  • Dashboard to track key performance indicators
  • Alerts triggered by anomalous activity
  • Reports to communicate information/summarize data
  • Information required to perform patient/workforce member investigations
  • Other key data points relevant for monitoring, audits and investigations
• Developed User Manual
• Established a "mailbox" for each organization designated for monitoring and alert related communications

Page 15

Privacy Platform Operational Workflow

Privacy Event Lifecycle (swimlane flowchart, reconstructed from the slide labels)

Lanes: Privacy Platform | Privacy Officer | End User (Under Investigation) | Manager

1. Start – Alert Initiated
   • High / Medium: Incident Manager Alert
   • Low: Incident Manager Alert – Manual Entry
2. Assign Owner
3. Change Status to Work in Progress
4. Conduct Investigation
   • Investigation email to End User and Manager
   • Evidence Capture
5. Privacy Issue?
   • NO: Change Status to Closed-Non Privacy Incident
   • YES: Change Status to Mitigation in Process; record in Risk Analysis Mgt System / Risk Assessment Repository; Change Status to Closed-Privacy Incident

Page 16

Monitoring and Alerts

1. Higher than user normal (user specific)
2. Excessive hours with activity
3. Compare usage among peers
4. Employee Patient Record Access
5. Access to consecutive MRNs
6. Excessive Demographic Access / Access to Deceased Demographics
7. VIP Access
8. Break the Glass / Bump the Glass
9. Failed login attempts
10. Access by inactive user

Page 17

Implementation Plan for Alerts and Reports

• Define Alert
• Agree on parameter to trigger Alerts - High, Medium, and Low
• Develop process to communicate Alerts to the organization/department
• Track Alerts to resolution
• Review and approve resolution
• Escalate issue(s) as required

Page 18

Example of Alert Process

Higher than user normal (user specific)
• User Jane Doe normally accesses 25 records a day
• Yesterday Jane Doe accessed 150 records
• Alert triggered
  • User is a Nurse assigned to work at Columbia
  • Issue entered into Incident Manager
  • Issue sent via email to Columbia Department Administrator and copied to Columbia's Privacy Office
  • Response returned to Incident Manager and copied to Columbia's Privacy Office
  • Follow-up managed by appropriate organization
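The indicators listed on page 16 and the Jane Doe volume alert on page 18, as an added Python example that is not part of the presentation or of the OHCA platform: it evaluates four of the indicators (higher than user normal, consecutive MRNs, employee access to their own record, access by an inactive user) over constructed EMR audit-log records joined with the HR and LDAP feeds the deck names as correlating apps, then routes each alert by severity into the High/Medium automated or Low manual-entry path of the lifecycle. The baseline multiples, field names and sample users are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the presentation): one dict per chart-open
# event as an EMR audit log would supply it, plus the correlating feeds the deck
# lists (HR employee MRN, LDAP account status) and a per-user daily baseline.
DAY = date(2019, 6, 2)
ACCESS_LOG = (
    [{"user": "jdoe", "mrn": m, "day": DAY} for m in range(5000, 5300, 2)]  # 150 charts
    + [{"user": "asmith", "mrn": m, "day": DAY} for m in (7000, 7001, 7002)]
    + [{"user": "bjones", "mrn": 8123, "day": DAY},                       # own chart
       {"user": "cold", "mrn": 9001, "day": DAY}]                          # disabled account
)
BASELINE = {"jdoe": 25, "asmith": 20, "bjones": 30}   # normal charts/day per user
EMPLOYEE_MRN = {"bjones": 8123}                        # HR feed: user -> own MRN
INACTIVE_USERS = {"cold"}                              # LDAP: accounts that should not log in
VOLUME_MEDIUM, VOLUME_HIGH = 2, 3                      # assumed multiples of baseline

def evaluate(log, day, baseline=BASELINE, employee_mrn=EMPLOYEE_MRN, inactive=INACTIVE_USERS):
    """Return [(indicator, user, severity)] for one day of chart access."""
    by_user = defaultdict(list)
    for rec in log:
        if rec["day"] == day:
            by_user[rec["user"]].append(rec["mrn"])
    alerts = []
    for user, mrns in by_user.items():
        # Indicator 1: higher than the user's own normal daily volume
        normal = baseline.get(user)
        if normal and len(mrns) >= VOLUME_HIGH * normal:
            alerts.append(("higher_than_user_normal", user, "High"))
        elif normal and len(mrns) >= VOLUME_MEDIUM * normal:
            alerts.append(("higher_than_user_normal", user, "Medium"))
        # Indicator 5: three or more consecutive MRNs opened on the same day
        s = sorted(set(mrns))
        if any(s[i + 2] - s[i] == 2 for i in range(len(s) - 2)):
            alerts.append(("consecutive_mrns", user, "Medium"))
        # Indicator 4: workforce member opened their own record
        if employee_mrn.get(user) in mrns:
            alerts.append(("employee_own_record", user, "Low"))
        # Indicator 10: activity from an account LDAP marks inactive
        if user in inactive:
            alerts.append(("inactive_user_access", user, "High"))
    return alerts

def route(alert):
    """Lifecycle entry point by severity: High/Medium open an Incident Manager
    alert automatically; Low is queued for manual entry."""
    return "Incident Manager Alert" if alert[2] in ("High", "Medium") else "Manual Entry"

if __name__ == "__main__":
    for a in evaluate(ACCESS_LOG, DAY):
        print(a, "->", route(a))
```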

Page 19

Page 20

Page 21

Investigations

• Audit & Monitoring Platform supervised by tri-institutional Privacy and Security Architect team
• The case is entered into the Incident Manager
• Privacy and Security Architect team sends automated notification to appropriate Privacy Officer and Department Administrator
• Privacy Officer reviews Departmental response and enters update in the Incident Manager

Page 22

Investigations - Independent Investigation

• Each Organization can obtain data from all systems to investigate an issue, complaint, allegation, etc.
  • User Access – all records accessed by a user over "x" period of time
  • Patient Access – all users that accessed a specific medical record, including reason for access and tasks performed in the record (view, update, create, delete, etc.)
  • VIP patient – instant Alerts

Page 23

Thank you

Karen Pagliaro-Meyer, CHPC, CHC, CHPQ
Chief Privacy Officer
Columbia University Irving Medical [email protected]

Tanisha Raiford, JD, MPA, CIPP/US, CCEP, CHPC, CHRC, CHC
Chief Privacy Officer & Senior Billing Compliance Officer
Weill Cornell [email protected]