Embed Size (px)
Citation preview
Responding to OCR Inquiries: Will Your Privacy Program Measure Up?
July 30, 2014
#AnytimeAudit
Watch the Replay
Agenda
• Introductions & About The Everett Clinic
• Why FairWarning?
• Rolling Out the New Privacy Program
• Investigations, Findings & Results
• OCR Inquiry
• Doing the Right Thing for Patients
• Industry Update
• Q & A
Today’s Speakers
Janneen Lambert, CPC, CPC-H, CHC, CHPC
Associate Administrator Regulatory Compliance
Compliance and Privacy Officer
FairWarning Ready® Certified Professional
Sara Brown MHA, CHPC, CMPE
Privacy & Security Project Manager
FairWarning Ready® Certified Professional
• Physician owned, multispecialty since 1924
• 450+ Healthcare providers in multiple locations
• 1700 + Staff
• 880,000 + Annual visits with 307,000 + active patients
• Largest independent medical group in WA
• FORTUNE® Magazine 100 Best Companies to Work For: 2011, 2012, 2013
• Why FairWarning?
– Anticipation of future audit requirements
– Support from Board to automate
– Using Epic EMR
• Multiple support systems to audit– Multiple Epic environments
» Hyperspace, Care Link, Care Everywhere, test systems
– Softlab
– iSite
• Hired Privacy Project Manager
• Implementation Fall of 2011
– Validation testing for a few months
• Reviewed and updated privacy policy
– Made a change that staff could NOT view their records going forward.
• Started reviewing audit logs in an official capacity December 1, 2011
• No formal announcement to staff about implementation of software.
– Clinic policy outlined appropriate use; had been in place several years
– Audits were done, albeit randomly, but done
• Quickly realized policy change was ineffective
– Multiple people violating policy of self access
– During the first few months had numerous events of staff accessing family member charts inappropriately
• Not prepared for the volume of investigations
– 43 employees involving 55 patient records
• Standard practice for Compliance to investigate and partner with HR to interview staff
– HR was already at capacity
• Reversed policy related to self-access: look but don’t touch
• Developed internal criteria for applying fair and equitable enforcement
• Began formulating a plan to investigate and meet with list of offenders– All parts of the organization: Providers and Staff
– Around 45 violations to investigate• Handful were explainable and work related
• Friends and Family form confusion
• For those not work related
– Disciplinary action was imposed based on previous, similar violations
• Varied from verbal warning to dismissal
• TEC has an appeals process for dismissed employees– One person rehired based on additional information given
after the investigation.
• TEC does not share employee information publicly.
– Someone went to local media and we were obligated to respond
– One dismissed employee responded to an open invite from the paper to tell their side of the story
– We were limited in what we could say based on employee/former-employee privacy laws
• Media attention prompted informal inquiry from the Office for Civil Rights
– Wanted to verify 2 key aspects
• Patient Privacy
• Fair and equitable application of our policy and related disciplinary action
• Ethics Committee was asked for an opinion
– Why didn’t we notify providers and staff about the new software
– Committee comprised of community cross-section including patients
• Concluded our decision was appropriate
• Events brought
– Community support
– Awareness
– Level of fear
– Staff discord
– Hypersensitivity to accessing patient records
• After initial batch of violations, events that required follow up were/are almost nonexistent
• Currently running 9 automated policies across 6 systems
• Reports to review daily– Spending approximately 5-10 min/day reviewing
– 2 staff members who can perform audits quickly
– 3 total who can review for violations
• Reports help identify other issues:
– Providers who may be billing for services of family members
– Staff taking action on their own chart
• Important to acknowledge and thank
– HR team
– IT team
– Board of Directors
– Ethics Committee
– All part of the success
Kurt Long
• FairWarning® CEO and Founder
• Office: (727)576-6700 Ext. 101
Shane Whitlatch
• FairWarning® EVP of Customer Value Creation
• Office: (727) 576-6700 Ext. 115
Today’s Speakers
Growing Goodwill & Trust with Patients
PRIVACY EXCELLENCE AWARDWINNER
2014 WINNERS
Best Medium - Small Healthcare ProviderWestern United States
Excerpt from Oath of Hippocrates, 4th Century, B.C.E.
All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.
Hippocratic Oathhttp://en.wikipedia.org/wiki/Hippocratic_Oath
FairWarning® and our customers envision a healthcare industry in which patients
confidently share their sensitive medical details to receive the best care possible
without regard to privacy concerns.
Communications Plan
Managed Privacy Services
Operating Your Patient Privacy Monitoring Program
Managed Privacy Services
The Business Case• Most rapid and pragmatic approach to
HIPAA privacy audit cycle
• Instant access to expertise & best practices
• Sustainable, robust, accurate
• Dramatically lower cost without hiring
Value to Your Compliance Team
• Expert advice on navigating an OCR Audit
• Stay current with ongoing knowledge transfer
• Mitigates staffing turn-over risks
• Broader proactive monitoring coverage
• One less compliance priority to worry about
45% of All Data BreachesAttributable to Healthcare
Source: ID Theft Center http://www.idtheftcenter.org/id-theft/data-breaches.html
Criminals Have Their Eyes on Your Patients’ Records
Source: EMR & HIPAA http://www.emrandhipaa.com/emr-and-hipaa/2014/06/26/criminals-have-their-eyes-on-your-patients-records/
Crimeware Helps File Fraudulent Tax Returns
Source: KrebsonSecurity http://krebsonsecurity.com/2014/04/crimeware-helps-file-fraudulent-tax-returns/
Spike in Tax Fraud Against Doctors
Spike in Tax Fraud Against Doctors
An unusual number of physicians in several U.S. states are just finding out that they’ve been victimized by tax return fraud this year.....So far, Colby has heard from 111 doctors, physician assistants and nurse practitioners in New Hampshire who have been victims of tax fraud this year. “I’ve been here four years and this is the first time this issue has come across my desk,” Colby said.
Source: KrebsonSecurity http://krebsonsecurity.com/2014/04/states-spike-in-tax-fraud-against-doctors/
Medical identity theft can threaten health as well as bank account
Anndorie Sachs had her life turned upside down when authorities showed up at her door in Salt Lake City and threatened to take her four children away - all because another woman had stolen her identity and given birth to a baby who tested positive for drugs.
When CBS News first reported her story back in 2006, it was estimated that 200,000 Americans each year were the victims of what is called medical identity theft, but in the years since, the problem has gotten dramatically worse. According to a recent report by the Ponemon Institute, an independent research organization specializing in privacy and security issues, the number of victims grew to 1.85 million in 2013 - a 19 percent jump from the year before.
"In the criminal world, medical identity theft is now the low-hanging fruit," says Ann Patterson, the program director of the Medical Identity Fraud Alliance, which sponsored the Ponemon report.
Patterson told CBS News' Crimesider that while financial institutions like banks and credit card companies have created protections for their account holders, the health care industry lags behind, making medical data particularly vulnerable.
Source: CBS News http://www.cbsnews.com/news/medical-identity-theft-can-threaten-health-as-well-as-bank-account/
By JULIA DAHLCBS NEWS July 28, 2014
Summer 2014• Pre-audit surveys
sent to covered entity pool
2014 OCR Audit Timeline
Fall 2014• Notification and
data request letters to selected entities
October 2014 – June 2015• Round 1 Covered entity audits
conducted• Security (Risk analysis & risk
management), Breach Notifications, Privacy Notice & Access
2015• Round 1 Business associate
audits conducted• Round 2 Covered entity
audits conducted• Security (Device & Media
Controls, Transmission), Privacy Safeguards & Training
Source: http://www.hcca-info.org/Portals/0/PDFs/Resources/Conference_Handouts/Compliance_Institute/2014/tue/710print2.pdf
Patient Privacy Monitoring
Solve the #1 HIPAA Security Deficiency
More Information
• Sign up for an upcoming Managed Services demonstration at http://tinyurl.com/moxu8yl
• Download The Everett Clinic Success Story at http://tinyurl.com/kfn5woj
• FairWarning®’s Vision, Focus and Investments in Patient Privacy Align to Meet Care Provider Needs http://www.fairwarning.com/whitepapers/2014-07-WP-FAIRWARNING-ALIGNMENT.pdf
Questions for the Panel
• Please submit any questions via the Q&A module on the right-hand side of your screen.
