Leveraging Automation for a More Effective Compliance Program
4th Academic Medical Center Privacy and Security Conference
June 11, 2007
Panelists: Brian Bates, Joan Hicks, Joan Podleski, and Pat Pritchett

“The Way”

“You belong to a small select group of confused people”
Message in a Fortune Cookie

Assessing Vulnerabilities: What does it take to make us change?
- Data portability (lack of knowing where data resides)
- Lack of data classification
- Weak backup practices
- Lack of contingency planning
- Weak boundary definitions
- Weak operating system and AV patching practices
- Lack of auditing, control monitoring, and incident response
- Weak workstation controls/practices
- Lack of management involvement in IT decisions
- Inconsistent change control/configuration

Legal and Regulatory Pressure
- Health Insurance Portability and Accountability Act of 1996; HIPAA Security Rule/HIPAA Privacy Rule
- AIDS, Mental Health, Substance Abuse, Domestic Violence, Genetic Testing
- CMS HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information
- Voluntary Compliance Request from the Department of Veterans Affairs relative to “Restrictions on Transmission, Transportation and Use Of, and Access To, VA Data Outside VA Facilities”
- Federal Rules of Civil Procedure and E-Discovery
- Fair Credit Reporting Act

Common Law Causes of Action for Data Security Breach
- Negligence
- Invasion of privacy
- Breach of contract
- Breach of fiduciary duty

Consequences
- Enforcement is complaint driven
- Public intolerance (and anxiety) about identity theft
- Loss of consumer confidence in our health care enterprise
- OCR “knocking” on your door
- Lawsuits
- Loss of jobs
- Unbudgeted (and unexpected) costs associated with a breach such as credit monitoring subscriptions, increased staff, attorney’s fees, etc.
- Jail time

IT Strategy
IT strategy must include:
- Clear definition as to how information travels through our organization
- Core competencies for IT staff
- Clearly defined roles and responsibilities with respect to shared applications, server administration, network systems, desktop support, and information access
- Enterprise level senior management group that oversees IT risks and controls across the system
- Common standards on core issues to minimize confusion

Unanswered Questions
- Can department IT staff be “all things to all people” and realistically meet all of the regulatory demands?
- Are departments capable of meeting all of the administrative and technical requirements for an effective IT program?
- Do executive leaders have adequate oversight over IT risks and vulnerabilities at the corporate level? …department level? …division level?
- What problems are created by having no common platform for communication?
- Do faculty appreciate the risks associated with the security vulnerabilities?
- Are we sending mixed messages about IT risks and solutions that frustrate our management?

“Have I reached the person to whom I am speaking?”
Lily Tomlin as “Ernestine”

A bit about the “Oyster Summit”

Top Priorities
- All components of the business enterprise are collectively accountable and responsible to address security risks, recognizing the interconnectivity of the parties in the use and transfer of data
- Data security is a corporate, department, division and individual responsibility
- Build a solid foundation for awareness, active participation, commitment to managing risk and compliance
- Define core elements of an effective governance system
- Develop a clear communication strategy

“An appeaser is one who feeds a crocodile hoping it will eat him last!”
Sir Winston Churchill

“The Truth”

“We Gotta Long Way To Go And A Short Time To Get There”
Jerry Reed, “Smokey and The Bandit”

The Truth Hurts!
- The Health Care delivery system has long been mired in a series of labor intensive, paper intensive processes
- The Compliance Programs overseeing these processes have fallen into these same processes
- Void of useful, standardized, organized, and/or automated internal controls/processes

The Truth Hurts…There’s More!
- Fragmented, manual compliance processes have led to duplication of effort, inefficient monitoring/education processes, and dated information
- If Compliance is to be effective, manual processes that require the involvement of employees, consultants, or auditors are not sustainable.

Through Automation There Is Hope! (i.e., The Light)
- Automation of education, documentation, monitoring, testing, and enforcement provides a more stable and coherent Compliance framework
- Automation better enables a repeatable, reliable, and predictable solution

Automation Initiatives: Auditing and Monitoring
- Intelicode = Automated Auditing Software
- Standardized Reports
- Macros
- Improved Data Mining Capabilities
- SiteMinder
- Fiscal Approval Process
- Clinical Trial Billing Notices

Automation Initiatives: Communication
- Website
  - Regulatory Guidance Repository
  - Educational Calendar
  - Frequently Asked Questions
  - Hot Topics
- Hotline
  - Third Party Administrator
  - Enterprise-Wide Number
  - Management Reports

Automation Initiatives: Education and Training
- Web-based Modules
  - HealthStream and WebCT
- Enterprise Developed Core Curriculum
- Improved completion tracking
- Reciprocity between business units
- Unified Compliance Message

The Bottom Line: Run To The Light!
More than ever, it is imperative for an Academic Medical Center to prove “effective” compliance throughout its enterprise:
- Research
- JCAHO
- Patient Safety
- Quality
- Reimbursement
- Fraud and Abuse
- Pay For Performance
- HIPAA/IT Privacy and Security

“The Light”

Tools for Compliance in the Future
- Extraction versus Abstraction
- Natural Language Processing
- Data Surveillance and Predictive Modeling

Data Extraction
- Functionality to extract data from databases/data stores using parameters for a specific dataset
- Examples: CMS reporting, registries, and public health reporting

Natural Language Processing
- Technologies that can extract data and information from free text documents for further processing
- Examples: E&M coding and JCAHO summary list management
- Support billing and reimbursement process
- Occurrence screening

Predictive Modeling
- Statistical tools that identify clusters of information.
- Pattern identification.
- Current tools for laboratory data, but expand to text data.
- Similar to thought processes in Rapid Response Team

So we hope the light at the end of the tunnel is not a train.

Case Studies

“Our Age of Anxiety is, in great part, the result of trying to do today's jobs with yesterday's tools.”
Marshall McLuhan

Survival Strategies: Training
- Training 8000 faculty, staff & students in 3 months in person is not feasible: make it available 24/7 on the web
- Access to clinical systems given only upon completion of HIPAA training
- Completion status available on-line for IS and departments

Survival Strategies
- Developing ‘decision tree’ of job functions which drive any compliance requirements (not just HIPAA)
- Will be completed on hire and confirmed annually by individual
- All compliance areas will report status data into ‘master’ system for management of compliance requirements at individual, group, department, School and compliance office levels

Survival Strategies
- Flexibility demands tools: 23 procedure templates developed for editing by each department (42), then electronically submitted for review by Privacy Office (966), and auto posted to internal HIPAA website when approved for easy access across institution

“Technology... is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other.”
Carrie P. Snow

Survival Strategies: EMR
- Develop screening audit process for EMR: reporting developed to identify potential mismatches of access to patient with clinical specialty of user; also removes clearly appropriate accesses off audit reports for more efficient audit process
- Define employees as a security group
- Move toward biometric identification based access

“A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.”
Mitch Radcliffe

Session Closing
Thanks to you all! Remember to complete your session evals.
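The EMR screening audit described under Survival Strategies: EMR, as an added example that is not the presenters’ own tooling: constructed access-log, user-directory and encounter records are screened so that clearly appropriate accesses (user on the patient’s care team, or user specialty matching the encounter’s service) are dropped from the report, and the remaining specialty/service mismatches are flagged with a reason for manual review. The field names and the two “appropriate” rules are assumptions.

```python
# Screening audit for EMR access logs: suppress clearly appropriate accesses,
# flag user-specialty / patient-service mismatches for manual review.
# Every record below is constructed for this example.

# Constructed user directory: specialty taken from the credentialing/HR feed.
USERS = {
    "u100": {"name": "Dr. A", "specialty": "Cardiology"},
    "u200": {"name": "Dr. B", "specialty": "Dermatology"},
    "u300": {"name": "RN C", "specialty": "Cardiology"},
}

# Constructed encounter data: admitting service plus the assigned care team.
ENCOUNTERS = {
    "p1": {"service": "Cardiology", "care_team": {"u100", "u300"}},
    "p2": {"service": "Cardiology", "care_team": {"u100"}},
    "p3": {"service": "Oncology", "care_team": set()},
}

# Constructed access log rows: (user_id, patient_id, action).
ACCESS_LOG = [
    ("u100", "p1", "view_chart"),  # on the care team: appropriate
    ("u300", "p2", "view_labs"),   # same service, not on team: appropriate
    ("u200", "p1", "view_chart"),  # dermatology user, cardiology patient: flag
    ("u200", "p3", "view_notes"),  # dermatology user, oncology patient: flag
    ("u999", "p1", "view_chart"),  # unknown user id: flag
]

def classify(user_id, patient_id, users=USERS, encounters=ENCOUNTERS):
    """Return None for a clearly appropriate access, else a reason string."""
    user = users.get(user_id)
    enc = encounters.get(patient_id)
    if user is None or enc is None:
        return "unknown user or patient; no clinical relationship on record"
    if user_id in enc["care_team"]:
        return None  # assigned to this patient: drop from the audit report
    if user["specialty"] == enc["service"]:
        return None  # same service line as the encounter: treat as appropriate
    return f"{user['specialty']} user accessed {enc['service']} patient"

def screen(log=ACCESS_LOG, users=USERS, encounters=ENCOUNTERS):
    """Split the log into (flagged rows, count of suppressed rows)."""
    flagged, suppressed = [], 0
    for user_id, patient_id, action in log:
        reason = classify(user_id, patient_id, users, encounters)
        if reason is None:
            suppressed += 1
        else:
            flagged.append((user_id, patient_id, action, reason))
    return flagged, suppressed
```

Rows with a reason are what the reviewer sees; the suppressed count is worth reporting alongside them so the reduction in manual audit volume is visible.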