Security and Privacy Practices for Electronic Health Records
Joseph W. Hales, PhD, FACMI
Intermountain Healthcare
Salt Lake City, UT


Intermountain Healthcare
Formed 1975
Not-for-profit
Integrated system
20 Hospitals, > 100 clinics
6M patient encounters/yr (2007)
$3.6B revenue (2007)
Clinical Programs

Information Systems
Internally-developed systems
Enterprise-wide, longitudinal record
Nationally recognized leader
Clinical decision-support
–Chronic disease management
–Hospital-acquired infection detection
–Adverse drug event detection
–Resistant strain infection monitoring

Outcomes at Intermountain
Dartmouth Atlas of Healthcare
“The Mayo Clinic and Intermountain Healthcare have reputations for excellence and are noted for their leading research efforts in rationalizing the clinical pathways for managing chronic illness. Because they provide higher quality care at lower cost, the utilization rates in Salt Lake City, Rochester, Minnesota, and Portland, Oregon are useful benchmarks for estimating the potential savings from a successful national effort to improve efficiency in managing chronic illness… The Salt Lake City benchmark results in the greatest estimated reduction in acute care hospital spending. If, over the four years of our study, hospital utilization rates had been at the level of Salt Lake City, Medicare spending for inpatient care would have been reduced by 32.4%, with physician visit savings of 34%.”

Outcomes at Intermountain
Dennis A. Cortese, MD, President and CEO, Mayo Clinic
“If I were ever diagnosed with diabetes, I would want to be treated by Intermountain Healthcare in Salt Lake City. They have the best outcomes in the country – and the lowest costs.”
KARE-NBC, Channel 11 (Minneapolis), “Utah Gets it Right,” February 8, 2008

Intermountain Information Systems
Intermountain Healthcare is able to deliver
–Consistent, high quality medical care
–At the lowest possible cost
…in part because of enterprise-wide information systems that permit users to
–Share data across time and space between providers
–Analyze data across populations to eliminate inappropriate variation

Technical Safeguards
Harmonization of HIPAA, SOX, PCI, GLB
Physical network security
Encryption
–Mobile devices
–Backup media
User security
–Single master directory
–Provisioned according to role using templates
–Log user activity

Proactive Auditing and Monitoring
Scan 16+ million access events per month
Triggers for further investigation
–Employees looking at records of family members
–Employees looking at records of co-workers
Review ALL access to records of high profile patients (VIPs, individuals in the news, etc.)
–2008 – 47 patients audited, 0 inappropriate accesses
–2007 – 50 patients audited, 4 inappropriate accesses
Demonstrated reduction in inappropriate access violations over last 5 years through consistently auditing access and disciplining employees
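
The three audit triggers on this slide (family member, co-worker, high profile patient), run over an access log. This is an added example, not Intermountain's code. The data is constructed, and the `family` field (relatives known from HR or benefits data) and the reading of "co-worker" as "same department" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    own_record: Optional[str] = None   # employee's own patient ID, if any
    family: frozenset = frozenset()    # relatives' patient IDs (assumed HR/benefits data)

# Constructed sample data, not real records.
STAFF = [
    Employee("u_rn01", "cardiology", "P201", frozenset({"P310"})),
    Employee("u_md02", "cardiology", "P202"),
    Employee("u_reg03", "registration", None, frozenset({"P450"})),
]
VIP_PATIENTS = {"P900"}
ACCESS_LOG = [  # (timestamp, user_id, patient_id)
    ("2008-03-01T09:12", "u_rn01", "P555"),
    ("2008-03-01T09:40", "u_rn01", "P310"),
    ("2008-03-01T10:05", "u_md02", "P201"),
    ("2008-03-01T10:30", "u_reg03", "P900"),
    ("2008-03-01T11:00", "u_reg03", "P201"),
    ("2008-03-01T11:15", "u_md02", "P900"),
]

def audit(log, staff, vips):
    """Return events needing human review as (ts, user, patient, [reasons])."""
    by_user = {e.user_id: e for e in staff}
    record_owner = {e.own_record: e for e in staff if e.own_record}
    flagged = []
    for ts, user, patient in log:
        reasons = []
        viewer = by_user.get(user)
        owner = record_owner.get(patient)
        if patient in vips:                      # every VIP access is reviewed
            reasons.append("vip")
        if viewer and patient in viewer.family:  # family-member trigger
            reasons.append("family")
        # Co-worker trigger: assumed to mean "same department, not self".
        if viewer and owner and owner is not viewer \
                and owner.department == viewer.department:
            reasons.append("coworker")
        if reasons:
            flagged.append((ts, user, patient, reasons))
    return flagged

if __name__ == "__main__":
    for event in audit(ACCESS_LOG, STAFF, VIP_PATIENTS):
        print(event)
```

A flagged event is a candidate for investigation, as on the slide, not a finding: the reviewer still has to establish whether the access was job-related.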

Policy and Education

Policies and procedures on intranet
Ongoing employee education
–New employee orientation
–Annual mandatory compliance training
–Job-specific privacy training
–Employee newsletter articles
Annual risk assessment of privacy and security concerns

Holding Employees Accountable
Matrix of recommended sanctions
–Unintentional, intentional or malicious
–Access or Disclosure
–Number of records involved
–First offense or repeat offense
Employees have been terminated for privacy/security violations (incl. MDs)
Ensures consistent application of sanctions for similar actions

Summary
We use information systems in order to achieve consistent, high quality outcomes at lower cost for every patient
We protect patient privacy through
–“Best practices” in technical security
–Establishing a culture of individual accountability

HIT Legislation
Intermountain supports legislation that encourages adoption of HIT
Intermountain is concerned about unrealistic expectations about HIT capacity
–We currently do not have the capacity to fully comply with the proposed accounting for disclosures requirement contained in the Ways & Means and Energy & Commerce HIT bills