June 22, 2021 // Dan Fabbri
Last Updated: October 25, 2021
Privacy officers are responsible for adjudicating potential privacy violations in healthcare organizations. In recent news, we have heard of cases of security breaches in healthcare, including unauthorized access to patient data. Unauthorized access can take many forms; some examples include snooping on a family member’s medical record or looking at another employee’s chart. Traditionally, healthcare organizations have relied on manual processes to determine whether a suspicious or questionable access is a violation. These manual processes require privacy officers to examine long lists of access events and interview employees in order to make a final determination regarding authorization.
Over the last couple of years, The University of Kansas Health System (“UKHS”) has leveraged SecureLink’s machine learning auditing system to help automate the manual review of access and authorization, supporting its compliance efforts and protecting patient data. The auditing system allows privacy officials to focus on high-risk behavior while reducing false positive alerts. The system learns to recognize when access is necessary based on clinical context (e.g., an appointment, medication order, etc.), identifies and ranks suspicious record accesses that appear to lack a clinical or operational justification, and flags those accesses for review.
Once a potential unauthorized record access has been identified, the privacy team investigates it. Instead of completing the review in isolation, the privacy officer uses SecureLink’s collaborative reviewer system to help streamline the process. For each suspicious access, the privacy officer assigns the user’s manager (or other relevant personnel) to the investigation. The manager then provides input on the employee’s involvement with the patient’s care (e.g., was the employee floating on a floor to provide clinical support). To date, over 150 managers have participated as reviewers in investigations, allowing the privacy office to work through cases more efficiently and obtain relevant information more quickly than before.
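The two steps described above, ranking accesses that lack clinical context and then routing each finding to the user’s manager for input, can be sketched in a few dozen lines. The following is an added example, not SecureLink’s or UKHS’s code: the data classes, the 24-hour context window, the risk weights for a shared last name or an employee patient, and all sample records are constructed assumptions chosen to illustrate the idea.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Dict, Tuple

# --- Data model (assumed shapes; real EHR audit logs differ) -----------------

@dataclass(frozen=True)
class Access:
    user: str
    patient: str
    ts: datetime
    user_last: str               # surnames used only for the family-member signal
    patient_last: str
    patient_is_employee: bool = False

@dataclass(frozen=True)
class ClinicalEvent:
    kind: str                    # e.g. "appointment", "medication_order"
    user: str
    patient: str
    ts: datetime

WINDOW = timedelta(hours=24)     # assumption: context within a day justifies the access

# --- Step 1: find justification and rank what is left ------------------------

def justifications(access: Access, events: List[ClinicalEvent]) -> List[ClinicalEvent]:
    """Clinical-context events tying this user to this patient near the access time."""
    return [e for e in events
            if e.user == access.user and e.patient == access.patient
            and abs(e.ts - access.ts) <= WINDOW]

def risk_score(access: Access, events: List[ClinicalEvent]) -> int:
    """0 means justified; higher values should be reviewed first."""
    if justifications(access, events):
        return 0                                  # clinical context found: not an alert
    score = 1                                     # no clinical or operational justification
    if access.user_last == access.patient_last:
        score += 2                                # possible family-member record
    if access.patient_is_employee:
        score += 2                                # possible co-worker's chart
    return score

def rank_suspicious(accesses: List[Access],
                    events: List[ClinicalEvent]) -> List[Tuple[int, Access]]:
    """(score, access) pairs for unjustified accesses, highest risk first, then oldest first."""
    scored = [(risk_score(a, events), a) for a in accesses]
    return sorted([p for p in scored if p[0] > 0], key=lambda p: (-p[0], p[1].ts))

# --- Step 2: collaborative review with the user's manager --------------------

@dataclass
class Case:
    access: Access
    score: int
    reviewer: Optional[str] = None
    reviewer_input: Optional[str] = None
    status: str = "open"

def open_cases(ranked: List[Tuple[int, Access]], manager_of: Dict[str, str]) -> List[Case]:
    """Turn ranked findings into cases, each assigned to the accessing user's manager."""
    return [Case(a, s, reviewer=manager_of.get(a.user)) for s, a in ranked]

def record_review(case: Case, reviewer: str, note: str, justified: bool) -> Case:
    """Only the assigned reviewer may attest; the privacy office still owns escalation."""
    if reviewer != case.reviewer:
        raise PermissionError(f"{reviewer} is not the assigned reviewer for this case")
    case.reviewer_input = note
    case.status = "closed_justified" if justified else "escalated"
    return case

# --- Constructed sample data (not real patient, user or audit records) -------

T0 = datetime(2021, 6, 1, 9, 0)
SAMPLE_EVENTS = [
    ClinicalEvent("appointment", "nurse_a", "pt_1001", T0 + timedelta(hours=1)),
    ClinicalEvent("medication_order", "nurse_b", "pt_1002", T0 - timedelta(hours=3)),
]
SAMPLE_ACCESSES = [
    Access("nurse_a", "pt_1001", T0, "Lee", "Park"),              # justified by appointment
    Access("nurse_b", "pt_1002", T0, "Kim", "Kim"),               # same surname, but justified
    Access("nurse_c", "pt_1003", T0, "Shah", "Shah"),             # no context, same surname
    Access("nurse_c", "pt_1004", T0 + timedelta(hours=2), "Shah", "Ruiz",
           patient_is_employee=True),                             # no context, employee chart
    Access("nurse_d", "pt_1005", T0 + timedelta(days=3), "Cole", "Diaz"),  # no context only
]
MANAGER_OF = {"nurse_c": "mgr_x", "nurse_d": "mgr_y"}

if __name__ == "__main__":
    for case in open_cases(rank_suspicious(SAMPLE_ACCESSES, SAMPLE_EVENTS), MANAGER_OF):
        print(case.score, case.access.user, case.access.patient, "->", case.reviewer)
```

Note that the second sample access shares a surname with the patient yet scores 0 because a medication order places the user in the patient’s care within the window; that is the false-positive reduction the text refers to. The review step enforces that only the assigned manager can supply input, and a manager’s attestation closes the case as justified rather than deleting the finding, so the privacy office keeps the full trail.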
The deployment of the auditing system and the collaborative privacy process is helping UKHS sustain its culture of compliance. UKHS employees, like most healthcare institution employees, are continuously trained and educated regarding HIPAA compliance and UKHS’s policies and procedures related to HIPAA. Part of UKHS’s thorough compliance training includes making employees aware that their record accesses are monitored, which UKHS believes helps deter non-compliant behavior. Since the system was deployed, UKHS has monitored patient privacy and investigated possible unauthorized medical record access more efficiently, and has been able to achieve and confirm its goals related to HIPAA compliance. Moreover, because privacy responsibilities are now shared across the organization, privacy processes are increasingly becoming a visible component of day-to-day operations in addition to scheduled mandatory and annual compliance training.
Ensuring the privacy of patient data is one of UKHS’s paramount responsibilities. In collaboration with SecureLink, the University of Kansas Health System is working to deploy effective tools and successful processes to protect the privacy of patients entrusted to its care.