EHR “Navigating the Minefields” Mina Gates, Donation Process Consultant, CTDN; Carla Hentz, Donation Development Compliance Specialist, One Legacy; Glenn Matsuki, Process Improvement Project Manager, CTDN


EHR “Navigating the Minefields”

Mina Gates, Donation Process Consultant, CTDN

Carla Hentz, Donation Development Compliance Specialist, One Legacy

Glenn Matsuki, Process Improvement Project Manager, CTDN

Case Studies: Healthcare Data Breach Risks

https://www.youtube.com/watch?v=VDrWbjgM3Ik

Hackers exploit Ascension hospital in latest cyberattack (HealthcareDIVE, March 10, 2015)

St. Mary's Medical Center, which is part of Ascension Health, is the newest victim of a healthcare cyberattack.

The hackers stole employee user names and passwords and accessed their e-mail accounts in order to obtain personal data from 4,400 patients, including names, social security numbers, birth dates, insurance information and personal health data. The hospital has since shut down the compromised email accounts. 

This latest incident comes in the wake of the Anthem attack that compromised 80 million individuals, which one expert at Tripwire.com believes may have been caused by a simple login theft.

http://www.healthcaredive.com/news/hackers-exploit-ascension-hospital-in-latest-cyberattack/372547/

Donation and EHR: Inherent Risks


Regulatory Considerations


HIPAA

• At §164.512(h) HIPAA regulations allow HIPAA-covered entities to release information to organ procurement organizations or other entities involved in the procurement, banking or transplantation of cadaveric organs, eyes, or tissue for the purposes of facilitating organ, eye, or tissue donation and transplantation. This allows the release of information by and to donor hospitals, transplant hospitals, UNOS, tissue banks and laboratories.

• The preamble to the final rule also states that OPOs are not “health care providers” when they are engaged in the procurement or banking of organs, blood or tissues. Thus, with regard to hospital affiliations, OPOs are neither covered entities nor business partners, and are specifically permitted to perform their core functions, with stringent confidentiality, but outside the ambit of HIPAA.

• Pursuant to the above exemptions, HIPAA-covered entities do not need to obtain patient consent for OPOs to do their core jobs: the coordination of donation and transplant, and the review of records.


Federal and California Laws That Restrict Disclosure of SSNs

Federal Laws

The following federal laws establish a framework for restricting SSN disclosure:

• The Freedom of Information Act (FOIA) (5 U.S.C. 552)

• The Privacy Act of 1974 (5 U.S.C. 552a)

• The Social Security Act Amendments of 1990 (42 U.S.C. 405(c)(2)(C)(viii))

California Laws

• Confidentiality of Social Security Numbers (CA Civil Code Section 1798.85): to help control many of the common uses of SSNs that can expose people to the risk of identity theft.

Regulations

• California Law on SSN Confidentiality: Civil Code Section 1798.85

Recommended Practices for Protecting the Confidentiality of SSNs

• Reduce the collection of SSNs

• Inform individuals when you request their SSNs

• Eliminate public display of SSNs

• Control access to SSNs

• Protect SSNs with security safeguards

• Make your organization accountable for protecting SSNs

Table Discussions:

• Time allotment: 10 minutes

• Report out: 5 minutes

• Please appoint a spokesperson

• Please appoint a scribe and timekeeper.

Table Discussion: Questions to Run On

• In order of priority, what are the top three challenges you are facing with EHR Access?

• What initiatives that you have initiated would you consider your DSA’s EHR best practices in response to these challenges?

• Are there areas we can work together?

Table Discussions Report-out

Interview Results: 6/8 OPOs

• Organ Donor Potential: 258

• Tissue Only Potential: 287

DSA EHR Access

• 100% DSA EHR Access: OneLegacy, LifeSharing, New Mexico

• 50% DSA EHR Access: Nevada

• 48% DSA EHR Access: CTDN

• 36% DSA EHR Access: Arizona

Read Access / Write Access

• 100% Donor Network Arizona / 100%

• LifeSharing 58% / CTDN and One Legacy 20%

• Remote Nevada & New Mexico 100% / LifeSharing 28%

• Arizona 29% / CTDN 25%

• OneLegacy 14%

Employee Identity Security

• 3 will not share SSN

• 3 have shared SSN** (**Last 4 digit solution)

Interview Results: 6/8 OPOs

• EHR accommodation: CPOE, GBIG, order-sets. Kaiser, Sutter, Providence, Banner + 33 stand alone

• EHR accommodation: Death documentation, triggers, referrals, FPA status. 16 in region

• OPO Access Management: Hospital services initial; Admin. or HR after access obtained. AZ: EMR Specialist, spreadsheet / Centerpoint folder system

• EHR MOU / AA language: 4 yes, 2 will not be incorporating

• Challenges: Training; variability in protocols; keeping access active; ongoing staff access justification; agreements; obtaining remote access.

• Strengths: OPO IT member of EHR team; full time administrator; 100% remote access; getting trust of hospital partner

Interview Results: 6/8 OPOs

Next Steps:

• Identity Access Management, and Single sign-on

• Working with vendors to integrate an organ & tissue donation module: triggers, smart-text, alerts, reports

• Align practice with federal & state regulations regarding employee private information.

• Strengthening CMS & TJC language to pave the way for EHR on all hospitals. Distinct definitions of Federal and State requirements of hospitals regarding EMR, OPO HIPAA compliance standards, creating standards for IT security (hospital and OPO/DSA) and greater OPO administrator privileges to lessen the responsibilities and workload of facilities.

• VPN & remote access; auditor access

• CMS mandating all EMR systems include donation.

• Creation of support materials. Gain write access, order-set initiation.

• Greater involvement with DSA IT department & IT/IS parties with facilities.

• Increased focus on discussion between DSA Leadership and Hospital Mgmt. to eliminate confusion and accelerate progress.

• Who are willing to be regional resources for EHR best practices addressing our challenges?

• Do we engage regulatory bodies for supportive guidance documentation?

• Are there hospital partners willing to be regional resources for EHR best practices?

• What other opportunities or ideas do you have?

• Next steps....

Power of team effort

References:

– Healthcare Data Breach Studies (YouTube): https://www.youtube.com/watch?v=VDrWbjgM3Ik

– Hackers exploit Ascension hospital in latest cyberattack, HealthcareDIVE, March 10, 2015

– Barry Buchanan, Password Comic, Aug 26 2010, “A More Complicated Password”: http://dontfeedthegeek.com/comic/a-more-complicated-password/

– Photo of frustrated nurse: http://www.citytowninfo.com/career-and-education-news/articles/nursing-grads-face-hiring-obstacles-10032201

– Social Security, “Avoid Identity Theft: Protect Social Security Numbers.”

– Fisher & Phillips, Attorneys at Law, “California’s New Social Security Number Confidentiality Law.”

– California Department of Consumer Affairs, “Recommended Practices for Protecting Confidentiality of Social Security Numbers.”

EHR: “Navigating the Minefields” Table Worksheet

• In order of priority, what are the top three challenges you are facing with EHR Access and security?

• What initiatives that you have initiated would you consider your DSA’s EHR best practices in response to these challenges?

• Who are willing to be regional resources for EHR best practices addressing our challenges?

• Do we engage regulatory bodies for supportive guidance documentation and which ones?

• Are there hospital partners willing to be regional resources for EHR best practices?

• What other opportunities or ideas do you have?