EHR: "Navigating the Minefields"
Mina Gates, Donation Process Consultant, CTDN
Carla Hentz, Donation Development Compliance Specialist, OneLegacy
Glenn Matsuki, Process Improvement Project Manager, CTDN
Case Studies: Healthcare Data Breach Risks
https://www.youtube.com/watch?v=VDrWbjgM3Ik
Hackers exploit Ascension hospital in latest cyberattack (HealthcareDIVE, March 10, 2015)
St. Mary's Medical Center, which is part of Ascension Health, is the newest victim of a healthcare cyberattack.
The hackers stole employee usernames and passwords and accessed their e-mail accounts in order to obtain personal data from 4,400 patients, including names, Social Security numbers, birth dates, insurance information and personal health data. The hospital has since shut down the compromised e-mail accounts.
This latest incident comes in the wake of the Anthem attack that compromised 80 million individuals, which one expert at Tripwire.com believes may have been caused by a simple login theft.
http://www.healthcaredive.com/news/hackers-exploit-ascension-hospital-in-latest-cyberattack/372547/
HIPAA
• At §164.512(h) HIPAA regulations allow HIPAA-covered entities to release information to organ procurement organizations or other entities involved in the procurement, banking or transplantation of cadaveric organs, eyes, or tissue for the purposes of facilitating organ, eye, or tissue donation and transplantation. This allows the release of information by and to donor hospitals, transplant hospitals, UNOS, tissue banks and laboratories.
• The preamble to the final rule also states that OPOs are not "health care providers" when they are engaged in the procurement or banking of organs, blood or tissues. Thus, with regard to hospital affiliations, OPOs are neither covered entities nor business associates, and are specifically permitted to perform their core functions, with stringent confidentiality, but outside the ambit of HIPAA.
• Pursuant to the above exemptions, HIPAA-covered entities do not need to obtain patient consent for OPOs to do their core jobs: the coordination of donation and transplant, and the review of records.
Federal and California Laws That Restrict Disclosure of SSNs
Federal laws. The following federal laws establish a framework for restricting SSN disclosure:
• The Freedom of Information Act (FOIA) (5 U.S.C. 552)
• The Privacy Act of 1974 (5 U.S.C. 552a)
• The Social Security Act Amendments of 1990 (42 U.S.C. 405(c)(2)(C)(viii))
California laws
• Confidentiality of Social Security Numbers (CA Civil Code Section 1798.85), enacted to control many of the common uses of SSNs that expose people to the risk of identity theft.
Regulations
• California Law on SSN Confidentiality: Civil Code Section 1798.85
Recommended Practices for Protecting the Confidentiality of SSNs
• Reduce the collection of SSNs
• Inform individuals when you request their SSNs
• Eliminate public display of SSNs
• Control access to SSNs
• Protect SSNs with security safeguards
• Make your organization accountable for protecting SSNs
Table Discussions:
• Time allotment: 10 minutes
• Report out: 5 minutes
• Please appoint a spokesperson
• Please appoint a scribe and timekeeper
Table Discussion: Questions to Run On
• In order of priority, what are the top three challenges you are facing with EHR Access?
• Which initiatives you have started would you consider your DSA's EHR best practices in response to these challenges?
• Are there areas we can work together?
Interview Results: 6/8 OPOs
Donation potential: organ donor potential 258; tissue-only potential 287
DSA EHR access: 100% OneLegacy, LifeSharing, New Mexico; 50% Nevada; 48% CTDN; 36% Arizona
Read access / write access by DSA (figures as reported on the slide):
• 100% / Donor Network Arizona 100%
• LifeSharing 58% / CTDN and OneLegacy 20%
• Remote Nevada & New Mexico 100% / LifeSharing 28%
• Arizona 29% / CTDN 25%
• OneLegacy 14%
Employee identity security: 3 OPOs will not share SSNs; 3 have shared SSNs (last-4-digit solution)
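The last-4-digit approach above, together with the "reduce collection", "control access" and "protect with safeguards" practices from the SSN slide, as an added Python example (not part of the presentation; the function names and the sample e-mail are constructed for illustration): validate an SSN once at intake, retain only the last four digits, and redact SSN-shaped tokens from free text such as a provisioning e-mail before it is stored or forwarded. The Ascension case above is a reminder that e-mail mailboxes are where this data gets stolen from, so a hospital access request should never carry a full SSN in the body.

```python
import re
from typing import Optional, Tuple

# Shape of an SSN in free text: three, two and four digits, optionally
# separated by a hyphen or a space, and not glued to other digits.
_SSN_SHAPE = re.compile(r"\b(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})\b")


def normalize_ssn(raw: str) -> Optional[str]:
    """Return the nine digits of a structurally valid SSN, or None.

    Structural rules for issued SSNs (SSA): the area number is never 000,
    666 or 900-999, the group number is never 00 and the serial number is
    never 0000. This rejects obvious junk at intake; it does not prove the
    number was issued to this person.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 9:
        return None
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area >= "900":
        return None
    if group == "00" or serial == "0000":
        return None
    return digits


def mask_last4(digits: str) -> str:
    """Display form that keeps only the last four digits."""
    return "***-**-" + digits[-4:]


def intake_record(employee: str, raw_ssn: str) -> dict:
    """What the OPO retains for a hospital access request: the employee's
    name and the last four digits only (the 'last 4 digit' approach).

    The full SSN is validated and then dropped; it never reaches the
    record that gets stored, e-mailed or put in a shared spreadsheet.
    """
    digits = normalize_ssn(raw_ssn)
    if digits is None:
        raise ValueError("not a structurally valid SSN")
    return {"employee": employee, "ssn_last4": digits[-4:]}


def redact_ssns(text: str) -> Tuple[str, int]:
    """Replace every SSN-shaped token in free text with its masked form.

    Returns the redacted text and the number of replacements. Anything
    with the shape is masked, whether or not it passes normalize_ssn,
    because a redactor run over outbound e-mail should err on the side
    of masking.
    """
    count = 0

    def _mask(match: "re.Match[str]") -> str:
        nonlocal count
        count += 1
        return "***-**-" + match.group(3)

    return _SSN_SHAPE.sub(_mask, text), count


# Constructed sample: a provisioning request of the kind that ends up in a
# hospital mailbox (not a real message and not a real SSN).
SAMPLE_EMAIL = (
    "Please set up EHR read access for coordinator J. Doe, "
    "SSN 123-45-6789, DOB 01/02/1980. Ticket 55512345."
)


def demo() -> Tuple[dict, str, int]:
    """Run the intake and redaction steps over the sample; returns the
    retained record, the redacted e-mail body and the redaction count."""
    record = intake_record("J. Doe", "123-45-6789")
    redacted, count = redact_ssns(SAMPLE_EMAIL)
    return record, redacted, count


if __name__ == "__main__":
    rec, body, n = demo()
    print(rec)        # {'employee': 'J. Doe', 'ssn_last4': '6789'}
    print(n, body)    # 1 ... SSN ***-**-6789 ...
```

The word-boundary anchors keep ten-digit phone numbers and eight-digit ticket numbers out of the redactor, while the structural check in normalize_ssn applies only at intake, where rejecting a malformed value is cheap; on outbound text the safer choice is to mask anything with the shape.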
Interview Results: 6/8 OPOs
EHR accommodation: CPOE, GBIG, order-sets
Systems: Kaiser, Sutter, Providence, Banner + 33 stand-alone
EHR accommodation: death documentation, triggers, referrals, FPA status
16 in region
OPO access management: hospital services initially, Admin. or HR after access is obtained; AZ: EMR specialist, spreadsheet / Centerpoint folder system
EHR MOU / AA language: 4 yes, 2 will not be incorporating
Challenges: training; variability in protocols; keeping access active; ongoing staff access justification; agreements; obtaining remote access
Strengths: OPO IT member of EHR team; full-time administrator; 100% remote access; gaining the trust of hospital partners
Interview Results: 6/8 OPOs
Next steps:
• Identity and access management, and single sign-on
• Working with vendors to integrate an organ & tissue donation module: triggers, smart-text, alerts, reports
• Align practice with federal & state regulations on employee private information
• Strengthening CMS & TJC language to pave the way for EHR access at all hospitals: distinct definitions of federal and state requirements of hospitals regarding EMR, OPO HIPAA compliance standards, standards for IT security (hospital and OPO/DSA), and greater OPO administrator privileges to lessen the responsibilities and workload of facilities
• VPN & remote access; auditor access
• CMS mandating that all EMR systems include donation
• Creation of support materials; gain write access, order-set initiation
• Greater involvement with DSA IT department & IT/IS parties at facilities
• Increased focus on discussion between DSA leadership and hospital management to eliminate confusion and accelerate progress
• Who are willing to be regional resources for EHR best practices addressing our challenges?
• Do we engage regulatory bodies for supportive guidance documentation?
• Are there hospital partners willing to be regional resources for EHR best practices?
• What other opportunities or ideas do you have?
• Next steps....
References:
– Healthcare Data Breach Studies (YouTube): https://www.youtube.com/watch?v=VDrWbjgM3Ik
– "Hackers exploit Ascension hospital in latest cyberattack", HealthcareDIVE, March 10, 2015: http://www.healthcaredive.com/news/hackers-exploit-ascension-hospital-in-latest-cyberattack/372547/
– Barry Buchanan, password comic, Aug 26, 2010, "A More Complicated Password": http://dontfeedthegeek.com/comic/a-more-complicated-password/
– Photo of frustrated nurse: http://www.citytowninfo.com/career-and-education-news/articles/nursing-grads-face-hiring-obstacles-10032201
– Social Security Administration, "Avoid Identity Theft: Protect Social Security Numbers"
– Fisher & Phillips, Attorneys at Law, "California's New Social Security Number Confidentiality Law"
– California Department of Consumer Affairs, "Recommended Practices for Protecting Confidentiality of Social Security Numbers"
EHR: “Navigating the Minefields” Table Worksheet
• In order of priority, what are the top three challenges you are facing with EHR Access and security?
• Which initiatives you have started would you consider your DSA's EHR best practices in response to these challenges?
• Who are willing to be regional resources for EHR best practices addressing our challenges?
• Do we engage regulatory bodies for supportive guidance documentation and which ones?
• Are there hospital partners willing to be regional resources for EHR best practices?
• What other opportunities or ideas do you have?