Protecting Patient Privacy during COVID-19

With the rapid spread of COVID-19 across the country, and increasing numbers of infected patients at hospitals, compliance and privacy teams are taking extra precautions to protect sensitive patient information. Here are some tips to ensure your organization is protecting patient privacy during the COVID-19 outbreak include:

1. Stay up-to-date on all announcements from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). While rules and regulations under the HIPAA Privacy Rules are still operable and enforceable, the OCR has released several waivers for the disclosure of Personal Health Information (PHI) during the COVID-19 crisis. Some of these include Enforcement Discretion for community-based testing sites, business associates, and telehealth services. These announcements are critical for compliance and privacy teams to ensure they are staying compliant during this time. It is important to continually check the OCR website for any new information, visit the OCR website here.

Maize also has a page of these resources for quick access, find it here.

2. Daily tracking of COVID-19 patients. It is important to monitor accesses for all COVID-19 patients on a daily basis to ensure inappropriate accesses are found and mitigated in a timely manner.

3. Notify all employees to stay vigilant. During this pandemic, there has been an increase in cyberattacks on healthcare organizations. It is important for compliance and privacy teams to inform all employees of these risks, and communicate procedures to report suspicious activities. Scams have included calls from people claiming they work for the OCR, baiting healthcare employees to divulge PHI, phishing, and malware emails

Protecting patient information is always important, but during a pandemic, the significance of compliance and privacy teams within healthcare organizations becomes heightened. We hope these tips will help, and we thank you and all the employees at your organization for the work you have been doing to help during this time.

COVID-19 Resources

Maize Analytics wants to ensure that you have all the resources you need to help stay up-to-date on compliance and privacy news during the COVID-19 pandemic. We thank you and all the healthcare workers in your organization for all the work you do to protect and save lives. 

 

The Health and Humans Services (HHS) Office for Civil Rights (OCR) COVID-19 page includes announcements, notifications, guidance and more. Visit their page.

For all news releases from the HSS OCR, visit their Official News page.

To join the OCR Privacy Email List for direct updates, register here.

HealthIT.gov has compiled various resources from the HHS and CDC related to COVID-19 for the health IT community and healthcare providers. Visit their resource page.

 

ICD Codes for COVID-19 

The Centers for Disease Control and Prevention (CDC) has released 2 documents with ICD-10-CM coding guidelines for encounters related to COVID-19.

 

HHS OCR HIPAA Privacy Bulletin: February 3, 2020
The HHS OCR issued this bulletin for guidance on how patient information can be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation.

 

COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency
In March 2020 The Secretary of HHS, Alex Azar, exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with certain privacy rules.

 

Telehealth Enforcement Discretion Announcement
To help medical providers serve patients during COVID-19, the OCR announced it will waive potential penalties for HIPAA violations against providers serving patients using everyday communication technologies.

 

HHS OCR Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures or Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19
HHS OCR announced that it will not impose penalties against covered entities or their business associates for uses and disclosures of protected health information (PHI) by business associates for public health oversight activities during the COVID-19 public health emergency.

 

COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities
To help protect first responders and prevent further spread of the COVID-19 virus, the OCR released guidance on sharing PHI of individuals infected or exposed to COVID-19 with first responders.

 

HIPAA Enforcement Discretion Regarding COVID-19 Community Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency
On April 9, 2020 the OCR issued a Notification Enforcement Discretion announcing that they will not impose penalties against covered entities or business associates for violations of HIPAA in the operation of a COVID-19 community-based testing site (CBTS) during this public health emergency.

Engagement with Executive Management: How to Arm Compliance with Specific Data That Informs Decision Making

I was recently listening to a webinar when someone asked a question that I often ask: “how do I get business executives to care as much about compliance as I do?” I expected the answer to be the same one I have heard a hundred times, “you have to make them understand the risks… you have to make sure they understand the potential for personal liability.. you have to explain the government’s expectations… etc.” The answer the speaker gave was more insightful; she said, “you can’t”. She went on to explain that if you, as the compliance officer, are not the individual in your company who cares most about compliance, who is the most excited about your compliance program, then you are probably in the wrong position.

I think rather than asking how to get business executives excited about compliance, we should ask how we can frame our compliance metrics in a way that supports the things that make the business executives really excited about the work compliance does.

Metrics: What’s Important to Executives?

Many of us in the compliance field produce benchmarking data for the board and executive management teams. A small sampling of typical metrics include:

  • Number of hotline calls received (by location, business unit, anonymous/identified, allegation, etc.)
  • Length of time to respond to hotline call
  • Source of hotline awareness
  • Number and type of privacy violations
  • Number of active compliance investigations (by type, location, allegation, etc.)
  • Length of time to close investigation
  • Number of training programs delivered
  • Training completion rates
  • Policy dissemination acknowledgements

While these metrics can give important information about the performance of the compliance program, they don’t really convey meaning to the executive team and its impact on the business. I would argue that it is often difficult to engage executive management in your compliance program because you are not providing them with any information that is framed in a manner that helps them mange their critical strategic and operational priorities. 

So, let’s think about some of those business priorities. In my experience, healthcare executives are focused on quality, revenue, costs, growth, patient, employee and physician satisfaction, and reputational, financial and operational risk. How do you use these priorities to effectively show executives what is going well in your compliance program and what requires their attention? How can your metrics help executives understand their risk position? How do you help executives establish a meaningful risk tolerance level?

To answer these questions, you first need to determine the types of data you will provide. Generally, there are two types of metrics: process metrics and outcome metrics. 

 

Process Metrics and Outcome Metrics

Process metrics are those data that show program effectiveness (hotline reports received, number responded to timely, trainings completed, policies distributed, etc.). Process metrics should include an indication of how the measure is trending over time and some indication of criticality to help your executives understand those data that require their attention, those that don’t, and those that should be celebrated.

Outcome metrics are those data that show the results of your auditing, monitoring, and investigation programs which address specific risk areas (new physician coding audit, focused claim coding audits, employee access audit, etc.). Outcome measures should be tied to your risk assessment priorities and are often easier to align with strategic priorities.

 

Gather and Connect Metrics

Your metrics should derive from the seven elements of an effective compliance program , your risk assessment priorities, and specific risk areas. It is important, however, that you don’t try to use data to develop metrics for every aspect of your compliance program. Remember, your executives are getting data from various departments across the organization, and data fatigue is a very real problem. Copious amounts of data will cause your executive’s eyes to glaze over and the messaging you are trying to convey will be lost.

Consider aggregating some of your department data into a few key metrics that can drive a story aligned with the organizational strategy. For example, you may want to take all of your compliance program effectiveness measures and provide a single effectiveness score which can be trended over time. Similarly, you can take specific risk area measures that affect one of the key strategic priorities and aggregate them into a single strategy score (i.e. provide a Readiness for Growth measure that combines your auditing results that affect Growth).

Keep in mind that not every audience requires the same data. Your compliance Committee may need significantly more information about specific reporting elements than other members of your executive management team. Know what actions, decisions, or discussion you want to elicit from the group and tailor your data and metrics specific to the audience charter.

Finally, consider how to connect your information with other information gathered by the organization. For example, if Quality is collecting information specific to patient satisfaction, think about how your data may inform the quality data. Are you seeing more hotline calls coming in from units that are reporting poor patient satisfaction? Are you seeing more data breaches from units that are reporting poor patient satisfaction? When you can integrate your data with other data collected in the organization executives can better understand what the data means on an overall scale.

 

Engage Executives

To engage your executive management in your compliance program you need to provide them with information that can help inform their strategic priorities. This approach requires a different mindset by compliance officers. Most compliance data provided to the executive team is designed to express potential compliance risk without being tied more closely to the organization’s strategic priorities. However, the data your provide should include both process measures as well as outcome measures and should be tailored to the audience you are presenting the information to. By aligning your compliance metrics with the organization’s strategic priorities, you are seen as a partner in achieving organizational goals rather than just managing goals separate from the rest of your organization.

As your organization’s compliance professional, you have a lot of data available to you. Your challenge is taking all that data and leveraging it into meaningful and actionable information for your executives that aligns with the organization’s strategic, financial, and operational objectives. This engagement will form the partnership you need to minimize risk and grow your program’s visibility.

OIG HHS Healthcare Compliance Program Tips 

 

Margaret has over twenty years of experience in healthcare compliance, including roles as Cheif Compliance officer for large integrated health systems providing services in multi-state geographies. She is recognized as an industry thought leader and speaker, including addressing the US Senate Finance Committee and other government agencies. Margaret is also the past President and current member of the Board of Directors of the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) supporting and promoting integrity programs nationally and internationally.

Three Essential Elements of the Compliance Toolkit

Compliance officers regularly navigate one of the most complex systems in our country—health care. To protect patient privacy, they are charged with creating (and enforcing!) policies that align with changing regulations, while juggling practical limitations at their own facility.

There are many resources available to help compliance teams develop effective programs. The Office of Inspector General provides online education, and private companies offer products that address everything from technical needs to emotional stressors associated with the job.

Our team recently attended the Health Care Compliance Association’s regional conference in Dallas, Texas, where we had the opportunity to listen and learn from compliance experts about other ways to support compliance teams. We heard from Bret Bissey, MBA, FACHE, CHC, CMPE, and Healthcare Compliance Executive with over 30 years experience. He spoke on “What Every Compliance Officer Needs in Their Toolkit.” Three themes emerged:

1) Support. Compliance teams deserve access to the board (or hospital executives), an appropriate budget, and a respectable level of authority. Without these elements, it is hard for compliance teams to implement changes that steer staff toward a culture of compliance.

2) Independence. By acting independently from clinical operations, compliance officers can remain objective. What if a senior-level physician, or board member, violates a policy? Compliance officers must be empowered to make proper decisions without fear of retaliation. Independence allows this—but it must be clear who, or what policy, validates this independence.

3) Metrics. Certifications, analytics, audits, and documentation are essential elements of any compliance program. Quantitative data are not only important to measure success, but they can also help “sell” compliance programs to staff. Data can support compliance teams in showing why policies are needed.

As compliance teams work to oversee all aspects of healthcare operations, it’s easy to see why so many products have emerged to support their day-to-day activities. Compliance teams can choose resources and tools that integrate with their workflow. Tools designed to help teams attain organizational goals—that also keep compliance officers feeling supported and motivated—are most likely to lead to success.

Thoughtfully Connecting EMRs

One of the largest EMR vendors in the country is expanding its services. Epic Systems recently launched “One Virtual System Worldwide,” an initiative to help connect EMRs across institutions. The multifaceted platform helps customers go beyond simply viewing patient data at other institutions and allows them to take action. Customers can message outside care teams, book appointments across the country, and view merged patient data from multiple EMRs—even those from rival vendors.

Interoperability can improve patient outcomes, but also raises data potential data security concerns. Epic customers currently exchange over 2.3 million patient records daily. With their new initiative, data exchanges will rise across institutions with varying security protocols. It is important that as an industry we move forward with interoperability, but do so with security and privacy controls always in mind. Any sacrifices in data security or patient data privacy may erode patient trust in their providers, negatively affecting utilization of the healthcare system.

Reference: http://www.healthcareitnews.com/news/epic-introduces-new-one-virtual-system-worldwide-interoperability-initiative

SIEM to PIEM: Privacy Information and Event Management Systems

Some in the privacy community have looked to their security counterparts to adapt SIEM tools to the challenges of protecting patient data. However, there are stark differences between network monitoring and EMR access auditing. Privacy Information and Event Management (PIEM) systems are an emerging class of privacy monitoring system geared for medical record protection.

SiemToPiem.com

Empowering Compliance Officers With Technology

Big Data and Artificial Intelligence technology are improving medical data privacy and security every day. New technologies promise increased efficiency, improved accuracy, and better risk management. But to fully realize the potential of these technologies and maximize outcomes, we need tools that also empower the compliance officer to succeed.

See the rest of the article on The Compliance and Ethics Blog

Leveraging Deep Mind’s Block Chain EMR Access Log

Machine learning (ML) offers incredible promise in the diagnosis and treatment of advanced medicine. Whether it is IBM’s Watson or Google’s DeepMind Health, it seems like many of the world’s biggest technology companies are getting involved in innovative approaches to improving patient care. One area gaining more ML healthcare interest is data privacy and security. For example, DeepMind has started to take important steps to enhance the security of clinical data by creating tamper-proof logs of access using block chains.

At Maize Analytics, we think that machine learning has a roll to play, not only to improve patient’s health, but also to improve data privacy and security. Just as ML systems can help doctors and nurses better evaluate and treat patients, Maize’s technology can empower compliance officers to better protect the privacy of patients.

Maize’s technology takes the symptoms provided by access logs – the “who,” “what,” “where,” and “when” of a record’s access – and uses novel ML techniques to determine the diagnosis of “why” the access took place. Our peer-reviewed and published work has shown that Maize can filter 95-99% of all accesses, allowing privacy officers to focus on the real threats.

We know that the work of a compliance officer can be just as stressful and high stakes as that of a doctor or nurse and that’s why we are committed to putting the same high-powered machine learning technology to work to improve outcomes.

Read more about the technology in the Compliance Today Magazine

Trade-offs of EMR access monitoring

Health care organizations are working to better monitor accesses to patient data for inappropriate use. In September’s Compliance Today Magazine, the Maize Analytics team discusses trade-offs of popular monitoring approaches.

  • Manual EMR auditing techniques cannot scale to meet the needs of modern healthcare, necessitating automated monitoring systems.
  • When selecting an EMR monitoring system, privacy officers should consider system responsiveness, false positive rates, and monitoring coverage.
  • Machine-learning systems can leverage clinical context to reduce false positives, decreasing the time to complete access audits.

You can read the full article here.

A Risk-Reducing Pair: Epic’s “Break the Glass” with Clinical Context

You may be familiar with Epic’s privacy tool called “Break the Glass”. In short, it forces users to think twice about the patient information they are about to access. It displays a security screen that requires users to enter the reason why he or she needs to access a record that has been marked sensitive. The goal is to prevent users from accidentally looking at or clicking into a record that they did not actually intend to access.

The name fits: don’t break the glass… unless it’s absolutely necessary.

Epic organizations that implement this feature are essentially applying an extra layer of security on specific records, which they deem extremely sensitive. The list of sensitive records could be created one-record-at-a-time, or applied across an entire department or floor (e.g. psychiatric units). Each time an employee accesses one of these sensitive records, it is recorded and sent to the privacy office.

It is not always clear what privacy officers should do with all of these escalated accesses. Should they audit every one of them?

If privacy officers are to audit each escalated access, there are some challenges they should consider:

Legitimate accesses
There are many legitimate reasons why a provider would “Break the Glass” to access a patient’s record. What if there was an emergency? What if they had an appointment with that patient?

Massive amounts of accesses
The sheer volume of “Break the Glass” accesses can be overwhelming. Legitimate or not, it takes time to comb through the “Break the Glass” alerts.

All other non-protected accesses
To limit the number of “Break the Glass” accesses, hospitals often choose to deploy “Break the Glass” only on specific patient sub-populations. As a result, snooping or other inappropriate accesses to unprotected populations will never be detected.

In short, “Break the Glass” accesses can waste privacy officer time and overlook violations due to the massive number of accesses needing manual review. Moreover, privacy officers might miss violations because “Break the Glass” only protects subpopulations.

A critical question then remains for privacy officers: Is this small, albeit helpful, security measure enough to keep PHI secure?

To make “Break the Glass” more manageable, false positives must be drastically reduced or eliminated. Filtering false positives requires a system that considers clinical context: if the system can determine the clinical or operational reason why an access occurred (e.g., an appointment, medication, oncology treatment, etc.), the access is likely appropriate. By filtering appropriate accesses, there are fewer for manual review, thus saving privacy officers’ limited time.

Clinical context is not limited to Break the Glass alerts. Privacy officers can deploy similar filtering methods across the entire access log to identify high-risk accesses. This type of access monitoring with filtering allows privacy officers to go beyond static rules-based methods and investigate suspicious behavior that was previously buried in the data.

You can find more on that topic in my previous blog Under the HIPAA Radar.

Protect Our Data: The Modern Day C-Suite Challenge

There is a lot of buzz around the security of our personal information as of late. Every day it seems we hear about another new “breach”. Target, Anthem, the US Government…

The C-Suite faces new risks that their predecessors never had to face. Managing the plethora of threat vectors, from external phishing scams to malicious insider attacks, is a daunting task for any CIO.

The healthcare industry specifically has become the target for hackers, malicious actors, and snooping employees. A recent study by the Ponemon Institute estimates that more than 90% of healthcare organizations represented in their study had a breach on their data, with an average cost around $2.1 million/breach; an expensive proposition. Similarly important, but more difficult to measure, is the loss of trust that comes with a breach.

While the healthcare industry has some of the toughest regulations due to the value of information contained within its environment (e.g. the average medical record on the black market is now valued at 10x that of a credit card), it is unclear if hospitals are doing enough to protect their data.

Take for instance the hit that Jackson Health took a couple weeks  regarding the leak of NFL player Jason Pierre-Paul’s private health information. While there is likely to be a fine and audit by the Office for Civil Rights, the PR hit for what appears to be a negligent employee looking to make headlines, or worse, make money from their position is devastating. (To be clear we don’t know the full story yet, and may never know the exact motivation behind such actions.)

The Ponemon study highlights employee negligence as the #1 issue for concern regarding the security of their organizations. Negligence can mean many things from a lost laptop to a snooping employee. While well-known technologies exist to help manage physical security threats (e.g. encryption), few mechanisms are available to ensure the appropriate use of patient data by employees or ensure that outsiders acting under the guise of an insider are not present.

Managing employee negligence requires a combination of IT security and compliance expertise. While much focus has been given to IT security over the years, CIOs will be increasingly challenged to think of ways to ensure their compliance offices operate effectively. Compliance officers works tirelessly to ensure rules and regulations are followed through training sessions, but are often understaffed and overworked,  and lack technology to automate current manual tasks. Going beyond “best practices” to actively providing feedback and education to deter future negligence is an important next step.

One specific challenge is that of monitoring employee accesses to ensure appropriate use of data. Monitoring employee accesses has proved especially difficult in electronic medical record (EMR) systems because of their open access environments. Open access allows any employee to obtain a patient’s record (while there may exist some exceptions, we find this construction to be the norm). Access permissions are granted broadly because blocking an emergent and appropriate access may result in patient harm. US legislation requires all EMR accesses to be logged, but currently little is done to monitor and search through the millions of accesses produced weekly.

A lack of monitoring access creates a huge compliance and security gap for the C-Suite. With attacks from the external and internal alike becoming more sophisticated, organizations must deploy monitoring technologies to bridge that gap and keep up with modern day threats.

Some have argued that monitoring tools are not frequently deployed due to a lack of technological advances in the space. Connecting millions of points of data to create meaningful and contextual information to identify suspicious activity without technology is implausible. Rules and signatures approaches no longer do enough in this sophisticated environment; the C-Suite must seek out big data processing technologies to manage the massive amount of data produced daily.

What is next for the future CIO when it comes to data security? It is and will continue to become harder to prevent breaches to their organizations. Therefore the more proactive organizations can become regarding risk assessment, monitoring, and remediation, the better the chance they’ll have at finding problems before they become attacks on the organization.

Maize Analytics provides healthcare organizations with a state of the art EMR access monitoring platform to reduce risk up to 95%.

References: Ponemon Institute; Forbes Pierre Paul