Monitoring Compliance with HIPAA Privacy
HIPAA Summit VII, Session 1.05, 9/15/03
Patricia Johnston, CHP, FHIMSS
Texas Health Resources
[email protected]

Session Objectives
- Define the purpose of compliance monitoring in a privacy program
- Identify monitoring targets, metrics and methods
- Present a model for compliance monitoring
- Provide examples of monitoring tools and reports
Basic assumption for this session: the privacy program, including policies, procedures and training, is already in place.

Agenda
- Why Privacy Compliance Monitoring?
- The Monitoring Process
- A Monitoring Model
- Examples
- Q&A
Texas Health Resources Profile
- One of the largest faith-based, nonprofit health care delivery systems in the United States.
- Serves more than 5.4 million people living in 29 counties in north central Texas.
- 13 acute-care hospitals with 2,405 licensed hospital beds, 1 million annual admissions.
- More than 17,000 employees, more than 3,200 physicians with active staff privileges.

Privacy Program Organization
(Organization chart: Design & Develop / Coordinate & Collaborate / Implement & Monitor)
- System Compliance (System Privacy Officer)
- System Privacy/Security Committee
- Entity Privacy Officers
- Entity Privacy Committees

Why Privacy Compliance Monitoring?
- To ensure program goals for confidential protection of health information are achieved.
- To determine whether policies, procedures and programs are being followed (protect our investment).
- To minimize consequences of privacy failures through early detection and remediation.
- To provide feedback necessary for privacy program improvement.
- To demonstrate to the workforce and the community at large the organization's commitment to health information privacy.

The Monitoring Process
- Establish goals & objectives
- What? Define target areas for review
- How? Define metrics & methods
- When? Establish frequency
- Perform monitoring
- Act on results

The Monitoring Process
- There are many options for target areas and populations, metrics and methods of measurement.
- Monitoring must be designed to demonstrate the implementation and achievement of the privacy program goals.
- A cost/benefit balance must be achieved (chart: Degree of Risk versus Cost to Monitor).
The Monitoring Process: Establish goals and objectives
- Identify monitoring goals based on privacy program objectives, risk assessment, feedback from the incident reporting system, and cost/benefit analysis.
- Determine the baseline (risk assessment).
- Identify the desired outcomes (where do we want to be?).

The Monitoring Process: Establish goals and objectives
Broad goals
- PHI is secured using appropriate physical and technical security techniques.
- The privacy program will be a differentiator with our customers.
Specific goals
- 100% of PC placement is in compliance with workstation guidelines.
- No more than 3 privacy complaints filed per quarter.

The Monitoring Process: Define target areas to review (what?)
- Identify high risk areas: functions that, if not properly performed, pose a high probability of a breach and/or consequences of high magnitude (e.g., release of information areas, high profile patients).
- Identify high volume areas: the law of averages says there is potential for problems here (e.g., emergency departments).
- Identify problem-prone areas: complex functions that are difficult to achieve (e.g., accounting of disclosures).

The Monitoring Process: Define target areas to review (what?)
- Define minimum standards for routine monitoring in order to reinforce compliance (e.g., each department reviewed annually).
- Determine the ability to readily collect the needed data (it may not be feasible or cost-effective to measure).
- If results for a target area are always good, measure something else.
- Incident reporting should identify key targets.

The Monitoring Process: Define metrics and methods (how?)
Target | Metric | Method
Compliance with Notice Policy | Signed acknowledgment of receipt of Notice | Chart audits or computer system documentation
Required workforce training | % of workforce trained | Learning management system reports or class rosters
Providing patients with access to their PHI | Number of access requests fulfilled within timeframes | Document all requests processed in ROI system; or file request forms and perform periodic sampling

The Monitoring Process: Define metrics and methods (how?)
- Chart audits (required documentation)
- Computer system audit reports (access controls)
- Walkthroughs (observations of compliance)
- Surveys and interviews (workforce awareness, patient satisfaction)
- Drills (hypothetical issues presented to staff)
- Mystery shoppers (try to break the system)

The Monitoring Process: Establish frequency (when?)
- Ongoing (high risk areas)
- Quarterly (past problem areas, new policies and procedures)
- Annually (departmental reviews)
- Informally (e.g., workstation placement)
- Formally (e.g., business associate contracts)
- Perform monitoring

The Monitoring Process: Reporting
- Document results
- Compare results to objectives
- Identify non-compliant areas
- Highlight areas for root cause analysis
- Document areas for special attention in future monitoring
- Identify trends

The Monitoring Process: Act on results (so what?)
- If there is no analysis and action, monitoring is a waste of time.
- If results consistently meet expectations, monitor something else.
- Cycle: Monitor, Analyze, Act

The Monitoring Process: Act on results
Things that can cause problems include:
- Unclear policies and procedures
- Inconsistent (or non-existent) enforcement of policies and procedures
- Ineffective training
- Lack of employee motivation

The Monitoring Process: Act on results
Take corrective action:
- Revise policies and procedures
- Refine or focus training
- Redesign processes
- Tighten supervision
- Modify the monitoring program
Re-monitor for compliance within 2 to 4 weeks after corrective action is taken. Continue quarterly monitoring for some period, or flag for future monitoring reviews.

A Monitoring Model
What (monitoring goals & targets) | How (metrics & methods) | When (frequency)
Policies: compliance with P&P | Chart audits, observation, surveys | Variable
Training: all workforce trained | Training reports | Monthly
Safeguards: implemented safeguards | Walkthrough | Quarterly, annually
A Monitoring Model: Compliance with Policies
Monitoring the organization's compliance with its own policies, not whether the policies themselves are compliant with the Privacy Rule.

A Monitoring Model: Policies
What (monitoring goals & targets) | How (metrics & methods) | When (frequency)
Accounting of Disclosures: all required disclosures are tracked | Request an accounting; reconcile with chart | Quarterly
Notice of Privacy Practices: acknowledgment signed | Chart audit | Quarterly
Role-Based Access: need-to-know access only | System audit logs | Variable

Monitoring Model: Role-based access
- Utilize information system audit capabilities.
- Determine criteria for audit:
  - Random
  - By patient
  - By staff role
  - Sensitivity of data
  - High-profile patients
  - All new employees during first 60 days
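The audit criteria above describe how to pick which access-log entries a privacy officer actually reviews. The following is an added example, not code from the presentation or from Texas Health Resources' systems: it applies those criteria (random sample, by patient, by staff role, sensitivity of data, high-profile patients, new employees in their first 60 days) plus a need-to-know check to a small constructed EHR access-log export. The CSV layout, the role-to-record-type mapping, the hire dates, the high-profile patient list and every log record are assumptions made up for the example.

```python
"""Select EHR access-log events for role-based access review.

Added example (not part of the original slides). All reference data and
log records below are constructed; the log format is hypothetical.
"""
import csv
import io
import random
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: a CSV export of EHR access events (hypothetical format).
SAMPLE_LOG = """\
date,user,role,patient_id,record_type,action
2003-09-02,jdoe,nurse,P-1001,notes,view
2003-09-02,jdoe,nurse,P-1007,notes,view
2003-09-03,asmith,billing,P-1002,charges,view
2003-09-03,asmith,billing,P-1003,psych,view
2003-09-04,bkim,lab_tech,P-1004,lab,view
2003-09-04,bkim,lab_tech,P-1005,notes,print
2003-09-05,asmith,billing,P-1006,demographics,view
"""

# Hypothetical reference data a privacy officer would maintain (constructed).
HIRE_DATES = {"jdoe": date(2003, 8, 20), "asmith": date(2001, 3, 1), "bkim": date(1999, 6, 15)}
HIGH_PROFILE_PATIENTS = {"P-1007"}
SENSITIVE_RECORD_TYPES = {"psych", "hiv", "substance_abuse"}
# Need-to-know: the record types each role is expected to use.
ROLE_RECORD_TYPES = {
    "nurse": {"notes", "lab", "meds"},
    "billing": {"demographics", "charges"},
    "lab_tech": {"lab"},
}
NEW_EMPLOYEE_WINDOW = timedelta(days=60)  # "all new employees during first 60 days"


@dataclass(frozen=True)
class AccessEvent:
    when: date
    user: str
    role: str
    patient_id: str
    record_type: str
    action: str


def parse_log(text):
    """Parse the CSV export into AccessEvent objects."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(AccessEvent(
            when=date.fromisoformat(row["date"]),
            user=row["user"], role=row["role"], patient_id=row["patient_id"],
            record_type=row["record_type"], action=row["action"]))
    return events


def audit_reasons(event, target_patients=(), target_roles=()):
    """Return the slide's criteria that put this event into the review set."""
    reasons = []
    if event.patient_id in HIGH_PROFILE_PATIENTS:
        reasons.append("high-profile patient")
    if event.record_type in SENSITIVE_RECORD_TYPES:
        reasons.append("sensitive data")
    hired = HIRE_DATES.get(event.user)
    if hired is not None and event.when - hired <= NEW_EMPLOYEE_WINDOW:
        reasons.append("new employee (first 60 days)")
    expected = ROLE_RECORD_TYPES.get(event.role)
    if expected is not None and event.record_type not in expected:
        reasons.append("record type outside role's need-to-know")
    if event.patient_id in target_patients:
        reasons.append("selected patient")
    if event.role in target_roles:
        reasons.append("selected role")
    return reasons


def select_for_review(events, sample_rate=0.0, seed=0, **criteria):
    """Map each flagged event to its reasons; sample_rate adds a random slice."""
    rng = random.Random(seed)  # fixed seed so a review set can be reproduced
    selected = {}
    for ev in events:
        reasons = audit_reasons(ev, **criteria)
        if rng.random() < sample_rate:
            reasons.append("random sample")
        if reasons:
            selected[ev] = reasons
    return selected


def reason_counts(selected):
    """Count how often each criterion fired, for the monitoring report."""
    counts = {}
    for reasons in selected.values():
        for r in reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev, why in select_for_review(events, sample_rate=0.05).items():
        print(f"{ev.when} {ev.user:7} {ev.role:9} {ev.patient_id} "
              f"{ev.record_type:12} -> {', '.join(why)}")
    print(reason_counts(select_for_review(events)))
```

Run against the constructed log, four of the seven events are pulled for review: both accesses by the employee hired 13 days earlier, one of which is also a high-profile patient; a billing user opening a psychiatric record (sensitive data and outside that role's need-to-know); and a lab technician printing clinical notes. The by-patient and by-role criteria are passed in as keyword arguments so the same selection routine serves a targeted audit, and the reason counts feed the quarterly report described later in the deck.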
Monitoring Model: Role-based access
- Requires maximization of system auditing capabilities.
- Consider the vulnerabilities of the system when deciding how stringent controls should be.
- Must determine audit log retention needs.
- Assignment of responsibility is key.

Monitoring Model - Training
- Documentation of training of workforce as of April 14, 2003
- Training of new employees within pre-defined timeframe
- Training of students, volunteers, medical staff
- Training of contractors
- Average training scores
- Refresher training: in response to privacy incidents, in response to results of monitoring, in response to new policies or procedures
- Document, track and report

Monitoring Model - Safeguards
- Monitor by walking around
- Develop checklists (formal, informal)
- Track number of observances of noncompliance
- Reward good practices

Monitoring Model - Safeguards: Areas to review
- PHI in trash or unsecured recycle bins
- Workstations not logged off or securely positioned
- Discussion of confidential information among staff in public areas
- PHI in open view in hallways, on desks
- PHI left on faxes, printers
- PHI on whiteboards
- Doors propped open
- Sharing passwords
- Dictation conducted in public areas
- Business visitors not badged or signed in

Monitoring Model - Business Associates
Monitor compliance from two aspects:
- Have you identified all of your business associates?
- Do you have required contract terms with your business associates?
This is an ongoing challenge for most organizations. Methods:
- Periodic sampling of invoices
- Reports from contract management systems
- Periodic departmental surveys
- Random sampling of contracts

Monitoring Model - Documentation
Ensure that required documentation is in place:
- Authorizations, court orders, subpoenas, satisfactory assurances
- Requests and responses for access, amendment and restrictions
- Documentation of disclosures available for accounting
- Accounting requests and responses

Monitoring Model - Documentation
Ensure that required documentation is in place:
- Complaints and resolutions
- Privacy incident investigations
- Marketing and fundraising opt-out requests
- Minimum necessary protocols
- Current and past Notice of Privacy Practices
- Training records
- Policies and procedures

Monitoring Model - Documentation
Ensure that required documentation is in place:
- Patient acknowledgement of receipt of Notice
- Designation of affiliated covered entity
- Business Associate contracts
- Data Use agreements
- Research waiver requests and approvals
- Definition of designated record sets

Monitoring Model - Documentation
Ensure that required documentation is in place:
- Title/Office of: the person responding to access and amendment requests; the person responding to complaints; the privacy official

Key Steps - Summary
- Identify targets for monitoring, based on program objectives, risk assessment, feedback from the incident reporting system, and cost/benefit analysis
- Establish metrics and methods
- Create baseline and performance goals
- Design tools
- Conduct monitoring
- Report results
- Analyze results
- Take corrective action
- Monitor again

Examples
- Monitoring Plan
- Walkthrough Checklist
- Survey
- Documentation Audit
- Chart Audit
- Training and Incident Reports
- Drills and Mystery Shoppers

Compliance Monitoring Plan (example)
# | Metric | How Measured | Frequency | Performance Goal | Comments
1 | Number of substantiated breaches | Information Privacy Reports | Quarterly | Look at trend; to go down | THR Compliance will provide quarterly reports to the entities, based on their incident reports.
2 | Response to patient complaints: number of days between filing and response | Information Privacy Reports | Quarterly | Look for minimum response time | THR Compliance will provide quarterly reports to the entities, based on their incident reports.
3 | Training timeliness | % of new hires trained within 30 days | Quarterly | | Entity Privacy Officers will run reports to determine new employees needing to complete training.
4 | Observed compliance with P&Ps | | | |
4a | | Walkthroughs | Every two weeks to a month; all departments surveyed at least once a year | | See worksheet; 12-month schedule developed by EPOs
4b | | Chart audits | Quarterly | Provide feedback to Admissions | Compliance will audit for presence of acknowledgement of Notice and filled-out authorization for verbal release during their quarterly audits. Items audited: acknowledgement of receipt of Notice; filled-out authorization for verbal release; flagged charts for restrictions or no-information patients.
4c | | Chart audits | Monthly | | OPIC Privacy Officers will audit five No Information patient charts a month.
5 | Accounting of Disclosures | Select a patient for an accounting, and then compare the report to the chart for completeness | Quarterly | |

Walkthrough Checklist (example)
Columns: # | Activity | Observed (Y/N) | # of occurrences | Comments
1. Confidential information is discussed by staff in public areas.
2. Conversations with patient/family regarding confidential information are held in public areas.
3. Overhead and intercom announcements include confidential information.
4. Phone conversations and dictation are in areas where confidential information can be overheard.
5. Computer monitors are positioned to be observed by visitors in public areas.
6. Unattended computers are not logged out or protected with password-enabled screen savers.
7. Computer passwords are shared or posted for unauthorized access.
8. Documents, films and other media with confidential patient information are not concealed from public view.
9. Whiteboards in public areas have more than the allowable information.
10. Medical records are not stored or filed in such a way as to avoid observation by passersby.
11. Confidential patient information is called out in the waiting room.
12. Confidential information is left on an unattended fax machine in unsecured areas.
13. Confidential information is left on an unattended printer in unsecured areas.
14. Confidential information is left on an unattended copier in unsecured areas.
15. Confidential information is found in trash, recycle bins, or unsecured pre-shredding receptacles.
16. Patient lists, such as scheduled procedures, are readily visible to patients or visitors.
17. Contractors, vendors and other non-patient third-party visitors are not appropriately identified.
18. Staff are not wearing name badges.
19. Patient records are not filed in locking storage cabinets or in rooms that are locked when unattended.
20. Security access mechanisms for buildings or departments are bypassed.
21. When questioned, staff demonstrate lack of privacy awareness.

Surveys - Examples
Employee Awareness
(Scale: 1 = Don't Agree, 5 = Completely Agree)
- I know what a privacy breach is.
- I know how to report a privacy breach.
- I can locate our privacy policies.
- I understand how to protect health information on my computer.
- I understand when I need a patient authorization to release information.
- I know what patient information is allowable to use for fundraising.
- I understand patients' privacy rights.

Patient Satisfaction (same 1 to 5 scale)
- I am confident my health information is treated confidentially by [hospital name].
- I am aware of how the hospital uses my health information.
- I understand my rights regarding my health information.
- I know how to register a complaint concerning confidential treatment of my health information.
- I am satisfied with the protection of my health information.

Documentation Audit (example)
Requirement | Location | Compliant (Y or N)
Requests and responses for access | Correspondence section of chart |
Requests and responses for amendments | Medical record |
Accounting of Disclosures | Correspondence section of chart; disclosure tracking system |
Complaints and resolutions | Privacy officer files |
Fundraising: authorizations, opt-out requests | Foundation department files |
Marketing: authorizations and opt-out requests | Marketing department system |
Minimum Necessary protocols | IntraNet |
Current and past versions of Privacy Notice | Privacy Officer files and hospital website on Internet |
Restriction requests and response | Medical record |
Sanctions | Employee records |
Designation of SACE | System Privacy Officer files |
Business Associate contracts | Legal Department, Supply Chain Management |
Research Waiver requests and approvals | IRB files |
Designated Record Sets | Privacy officer files |
Titles and Offices | Privacy Officer files |
Training Records | Learning Management System; employee files |
Confidentiality agreements | Employee files; vendor and agency files |
Chart Audit (example findings)
- 1 patient was unable to sign due to condition.
- Admit document was not witnessed or dated; 1 case contained no forms to audit.
- 29 cases were for dates of service before 4/14/03.
- 1 patient left AMA; no paperwork to audit.
- 1 case without admission paperwork completed.
- Admit document was not witnessed or dated.
- 10 cases where admission acknowledgments were incomplete.
- 2 cases where admit notes state the patient is unable to sign admission documents, while discharge condition is described as awake and alert.
- 1 case where the patient refused to sign; 2 cases where signatures were incomplete.
- 5 cases with admission paperwork incomplete.
- 4 cases were for dates of service before 4/14/03.

Training Completion (example report)
Columns: Cost Center | Name | Total Employees | % Completion
Cost centers reported: 160100 Nursing Admin.; 160130 Station 13-Pediatric; 160140 Med. Surg. Admin.; 160230 Station 23-LDRPN; 160310 Station 31-Telemetry; 160320 Station 32-Oncology; 160330 Station 33-Postpartum; 160420 Station 42-Medical; 160430 Women's Services; 160520 Station 52-Ortho/Neuro; 160910 NICU; 161210 Intensive Care; 161400 Cardiac Care; 162110 Inpatient Surgery; 162150 Cardiac Cath. Lab; 162180 Post Anesthesia Care; 162300 Emergency Services; 162500 Central Supply; 170100 Laboratory; 170400 Radiology; 170410 Special Procedures; 170420 CT; 170440 Ultrasound.
For each cost center the report lists total employees and the percentage with training complete; completion rates shown range from 89% to 100%.

Incident Reporting (example chart)
Bar chart of incident counts by problem type (axis 0 to 25). Categories: Not properly discarded; Computer logons; Accidental disclosure; Faxing; Physical security; Unauthorized release; Patient/family dissatisfaction.

Drills and Mystery Shoppers
Drills
- Ask staff how they respond to amendment requests.
- How does an incident get reported?
- What documentation is required with a subpoena?
- What identifiers need removal to de-identify PHI?
Mystery Shopper
- Request information over the phone.
- Start reviewing medical charts.
- Ask for a password.
- Pretend to be a family member with a privacy complaint.
- Access secured areas.

About the presenter
Patricia is Director of Health Information Privacy/Security for Texas Health Resources (THR) in Arlington, Texas. She is responsible for the development and management of THR's HIPAA Program Management Office, as well as serving as THR's System Privacy Officer. Her background and work experience are focused exclusively on health care, including a variety of management positions in Information Technology and clinical laboratory science. Patricia has published a variety of articles and conducted seminars related to healthcare computing as well as HIPAA compliance for the healthcare provider. She holds a certification in Healthcare Privacy. She is a fellow of the Healthcare Information and Management Systems Society, as well as a member of the American College of Healthcare Executives and the International Association of Privacy Officers. Patricia received her Master's Degree in Information Management from the University of Texas at Dallas, and her Bachelor's Degree in Medical Technology from the University of North Texas.