Recently, Ed Ricks, the CIO of Beaufort Memorial in Beaufort, S.C., told me how he successfully helped guide his hospital through a CMS audit for meaningful use in 2011. The CMS risk assessment audit included the HIPAA Privacy and Security rules under the meaningful use objective.
While the CMS risk assessment is not the same as the highly anticipated OCR HIPAA audits set to happen this year, the lesson from this CIO's experience applies to both situations: Technology can produce useful details to further prove your privacy compliance efforts to federal auditors.
The 200-bed hospital was able to pass the CMS audit with the help of Iatric Systems' Security Audit Manager, an application that manages patient privacy and automatically detects breaches.
"We've got all these disparate systems and our main HIE system," Ricks said at HIMSS 2016. "It's really difficult to audit access through those, and doing it manually was almost impossible."
Rob Rhodes, vice president of product management at Iatric Systems, based in Boxford, Mass., and a former healthcare CIO, explained the Security Audit Manager takes audit logs of any system within a hospital that contains protected health information (PHI).
"So we gather all that information, we bring it into our Security Audit Manger database, we normalize the data [and] we map all the fields to corresponding fields in other systems," he said.
For example, Rhodes said Security Audit Manager can bring in the main EHR audit log -- whether it's Epic or Cerner or Meditech -- then the application can also bring in the audit log from a picture archiving and communication system that may potentially use different terminology.
"We map all of that so it all makes sense for the different systems that we're bringing in," Rhodes said.
The system has built-in algorithms that can schedule reports, and privacy officials can go in and run additional reports to detect potential inappropriate access and use, he added.
"For example, we look for things like individuals who are accessing records of people who live on the same street or people with the same last name or individuals where [they] may have guarantor-subscriber relationships," Rhodes said. "We also do some behavioral analysis, as well. So we can look for things like a particular person. ... Nurse Allison, on a normal day, accesses 40 different records, but on this day she accessed 400."
Ed RicksCIO at Beaufort Memorial Hospital
The system would flag Nurse Allison's abnormal behavior, Rhodes explained.
The ability to identify outliers or abnormal behavior makes it easier for Beaufort Memorial and Ricks to not only detect a possible breach, but also to help educate employees who may be unknowingly accessing patient data they shouldn't be allowed to access.
"We go through an education process first and then move on from there," Ricks said.
Rhodes added that Security Audit Manager also provides some analytics.
"So as an investigator or auditor is looking at an access or [other] potential violation, we also provide analytics that show things like how many times this user and patient combination [has] been audited," Rhodes said. "Is this something that we happen to see frequently, where an individual is accessing a particular patient often? How many times have we investigated this user and found them to have accessed something inappropriately?"
For Beaufort Memorial, Security Audit Manager not only helped the hospital pass a CMS risk assessment and subsequent HIPAA audit, Rhodes said, it provided further help in the auditing process because of its ability to document possible violations in detail.
Rhodes said the application presents more information to auditors than simply noting that three violations occurred, for example. Instead of noting only that three violations occurred, healthcare organizations can show they investigated 500 possible violations and of those 500, 497 were found to be appropriate, Rhodes explained. "So it gives a little bit more documentation."
Tech spurs a cultural change
Ricks said Security Audit Manager also helped change Beaufort Memorial Hospital's culture.
He explained that once the technology was implemented, it motivated people to change.
"Whenever you really start aggressively managing a security program, ... it's just changing the way people think about what they do," he said. It's not that people don't know about HIPAA, PHI and what they are and aren't supposed to have access to. "Unless you put a little teeth behind that, ... it takes a while to turn that culture around."
"Technology is the easy part," Ricks said. "It's getting people to understand why you're doing it [and] developing the policy behind it that supports it [that is difficult]."
Now that OCR has issued HIPAA audit protocols, a sure sign that the HIPAA audit process will soon be underway, it's important that healthcare organizations begin to not only educate their staff, but also utilize technologies to ensure security and compliance, as Beaufort Memorial Hospital was able to do during the CMS risk assessment.
Use effective privacy and security controls for HIPAA compliance
Cloud computing in healthcare meets HIPAA, according to a CIO and analyst
Physical therapy mHealth app drives patient engagement, logs compliance