Leveraging Automation for a More Effective Compliance Program

4th Academic Medical Center Privacy and Security Conference
June 11, 2007

Panelists:
- Brian Bates
- Joan Hicks
- Joan Podleski
- Pat Pritchett
“The Way”

“You belong to a small select group of confused people”
    Message in a Fortune Cookie
Assessing Vulnerabilities: What does it take to make us change?

- Data portability (lack of knowing where data resides)
- Lack of data classification
- Weak backup practices
- Lack of contingency planning
- Weak boundary definitions
- Weak operating system and AV patching practices
- Lack of auditing, control monitoring, and incident response
- Weak workstation controls/practices
- Lack of management involvement in IT decisions
- Inconsistent change control/configuration
Legal and Regulatory Pressure

- Health Insurance Portability and Accountability Act of 1996; HIPAA Security Rule/HIPAA Privacy Rule
- AIDS, Mental Health, Substance Abuse, Domestic Violence, Genetic Testing
- CMS HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information
- Voluntary Compliance Request from the Department of Veterans Affairs relative to “Restrictions on Transmission, Transportation and Use Of, and Access To, VA Data Outside VA Facilities”
- Federal Rules of Civil Procedure and E-Discovery
- Fair Credit Reporting Act
Common Law Causes of Action for Data Security Breach

- Negligence
- Invasion of privacy
- Breach of contract
- Breach of fiduciary duty
Consequences

- Enforcement is complaint driven
- Public intolerance (and anxiety) about identity theft
- Loss of consumer confidence in our health care enterprise
- OCR “knocking” on your door
- Lawsuits
- Loss of jobs
- Unbudgeted (and unexpected) costs associated with a breach, such as credit monitoring subscriptions, increased staff, attorney’s fees, etc.
- Jail time
IT Strategy

IT strategy must include:
- Clear definition as to how information travels through our organization
- Core competencies for IT staff
- Clearly defined roles and responsibilities with respect to shared applications, server administration, network systems, desktop support, and information access
- Enterprise level senior management group that oversees IT risks and controls across the system
- Common standards on core issues to minimize confusion
Unanswered Questions

- Can department IT staff be “all things to all people” and realistically meet all of the regulatory demands?
- Are departments capable of meeting all of the administrative and technical requirements for an effective IT program?
- Do executive leaders have adequate oversight over IT risks and vulnerabilities at the corporate level? …department level? …division level?
- What problems are created by having no common platform for communication?
- Do faculty appreciate the risks associated with the security vulnerabilities?
- Are we sending mixed messages about IT risks and solutions that frustrate our management?
“Have I reached the person to whom I am speaking?”
    Lily Tomlin as “Ernestine”

A bit about the “Oyster Summit”
Top Priorities

- All components of the business enterprise are collectively accountable and responsible to address security risks, recognizing the interconnectivity of the parties in the use and transfer of data
- Data security is a corporate, department, division and individual responsibility
- Build a solid foundation for awareness, active participation, commitment to managing risk and compliance
- Define core elements of an effective governance system
- Develop a clear communication strategy
“An appeaser is one who feeds a crocodile hoping it will eat him last!”
    Sir Winston Churchill

“The Truth”

“We Gotta Long Way To Go And A Short Time To Get There”
    Jerry Reed, “Smokey and The Bandit”
The Truth Hurts!

- The Health Care delivery system has long been mired in a series of labor intensive, paper intensive processes
- The Compliance Programs overseeing these processes have fallen into these same processes
- Void of useful, standardized, organized, and/or automated internal controls/processes
The Truth Hurts…There’s More!

- Fragmented, manual compliance processes have led to duplication of effort, inefficient monitoring/education processes, and dated information
- If Compliance is to be effective, manual processes that require the involvement of employees, consultants, or auditors are not sustainable.
Through Automation There Is Hope! (i.e., The Light)

- Automation of education, documentation, monitoring, testing, and enforcement provides a more stable and coherent Compliance framework
- Automation better enables a repeatable, reliable, and predictable solution
Automation Initiatives

Auditing and Monitoring
- Intelicode = Automated Auditing Software
  - Standardized Reports
  - Macros
  - Improved Data Mining Capabilities
- SiteMinder
  - Fiscal Approval Process
  - Clinical Trial Billing Notices

Communication
- Website
  - Regulatory Guidance Repository
  - Educational Calendar
  - Frequently Asked Questions
  - Hot Topics
- Hotline
  - Third Party Administrator
  - Enterprise-Wide Number
  - Management Reports

Education and Training
- Web-based Modules
  - HealthStream and WebCT
  - Enterprise Developed Core Curriculum
  - Improved completion tracking
  - Reciprocity between business units
- Unified Compliance Message
The Bottom Line: Run To The Light!

More than ever, it is imperative for an Academic Medical Center to prove “effective” compliance throughout its enterprise:
- Research
- JCAHO
- Patient Safety
- Quality
- Reimbursement
  - Fraud and Abuse
  - Pay For Performance
- HIPAA/IT Privacy and Security
“The Light”

Tools for Compliance in the Future
- Extraction versus Abstraction
- Natural Language Processing
- Data Surveillance and Predictive Modeling
Data Extraction

- Functionality to extract data from databases/data stores using parameters for a specific dataset
- Examples: CMS reporting, registries, and public health reporting

Natural Language Processing

- Technologies that can extract data and information from free text documents for further processing
- Examples: E&M coding and JCAHO summary list management
- Support billing and reimbursement process
- Occurrence screening

Predictive Modeling

- Statistical tools that identify clusters of information; pattern identification
- Current tools work on laboratory data but can be expanded to text data
- Similar to the thought processes of a Rapid Response Team
So we hope the light at the end of the tunnel is not a train.

Case Studies

“Our Age of Anxiety is, in great part, the result of trying to do today's jobs with yesterday's tools.”
    Marshall McLuhan
Survival Strategies: Training

- Training 8000 faculty, staff & students in 3 months in person is not feasible: make it available 24/7 on the web
- Access to clinical systems given only upon completion of HIPAA training
- Completion status available on-line for IS and departments
Survival Strategies

- Developing a ‘decision tree’ of job functions which drive any compliance requirements (not just HIPAA)
- Will be completed on hire and confirmed annually by the individual
- All compliance areas will report status data into a ‘master’ system for management of compliance requirements at individual, group, department, School and compliance office levels
Survival Strategies

- Flexibility demands tools: 23 Procedure templates developed for editing by each department (42), then electronically submitted for review by the Privacy Office (966), and auto posted to the internal HIPAA website when approved, for easy access across the institution
“Technology... is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other.”
    Carrie P. Snow
Survival Strategies: EMR

- Develop a screening audit process for the EMR: reporting developed to identify potential mismatches between access to a patient and the clinical specialty of the user; it also removes clearly appropriate accesses from audit reports for a more efficient audit process
- Define employees as a security group
- Move toward biometric identification based access
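The EMR screening audit described above, written out as an added example (this is not code from the presentation or from any of the panelists' institutions). It assumes three hypothetical lookup tables, a user-to-specialty directory, a patient-to-admitting-service directory and a set of documented care-team relationships, and a constructed CSV access log; all identifiers (u100, p1, and so on) are made up. The screen drops accesses that are clearly appropriate (a documented treatment relationship, or a user whose specialty matches the patient's service) and keeps the rest for human review, so the auditor's report is smaller than the raw log.

```python
import csv
from io import StringIO

# Constructed lookup tables (hypothetical users, patients and services;
# not data from the presentation). A real deployment would pull these
# from the HR system, the ADT feed and the care-team assignments.
USER_SPECIALTY = {
    "u100": "cardiology",
    "u200": "oncology",
    "u300": "dermatology",
    "u400": "emergency",
}
PATIENT_SERVICE = {
    "p1": "cardiology",
    "p2": "oncology",
    "p3": "cardiology",
}
# Documented treatment relationships: these are the "clearly appropriate"
# accesses the slide says should be removed from the audit report.
CARE_TEAM = {("u100", "p1"), ("u200", "p2"), ("u400", "p3")}

# Constructed EMR access log in CSV form (timestamp,user,patient,action).
ACCESS_LOG = """\
timestamp,user,patient,action
2007-06-11T08:02:00,u100,p1,view_chart
2007-06-11T08:05:00,u200,p2,view_chart
2007-06-11T08:09:00,u300,p1,view_chart
2007-06-11T08:14:00,u100,p3,view_chart
2007-06-11T08:20:00,u400,p3,view_chart
2007-06-11T08:25:00,u300,p2,view_labs
2007-06-11T08:31:00,u999,p1,view_chart
"""


def classify_access(user, patient):
    """Return (keep_on_report, reason) for one access record."""
    if (user, patient) in CARE_TEAM:
        return False, "care team member"
    specialty = USER_SPECIALTY.get(user)
    service = PATIENT_SERVICE.get(patient)
    if specialty is None or service is None:
        # Unknown user or patient: nothing justifies the access, keep it.
        return True, "unknown user or patient"
    if specialty == service:
        # Same service as the admitting team: treated as appropriate for
        # screening purposes. This shrinks the report but is a heuristic,
        # not proof that the access was legitimate.
        return False, "specialty matches patient service"
    return True, f"specialty {specialty} vs service {service}"


def screen_access_log(log_text):
    """Filter the raw log down to the accesses that need human review."""
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        keep, reason = classify_access(row["user"], row["patient"])
        if keep:
            flagged.append({**row, "reason": reason})
    return flagged


def review_counts(flagged):
    """Flagged accesses per user: the number an auditor starts from."""
    counts = {}
    for rec in flagged:
        counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = screen_access_log(ACCESS_LOG)
    for rec in hits:
        print(rec["timestamp"], rec["user"], rec["patient"], rec["reason"])
    print(review_counts(hits))
```

On the constructed log the screen keeps three of seven accesses: the dermatology user's two views of cardiology and oncology patients, and an access by a user missing from the directory. The specialty-match rule is where the audit gets its efficiency, but it is also where a false negative can hide (a cardiologist browsing a cardiology patient they do not treat), so the care-team check is the stronger justification and the specialty rule should be reviewed periodically rather than trusted outright.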
“A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.”
    Mitch Ratcliffe
Session Closing

Thanks to you all!
Remember to complete your session evals.