Commonwealth Care Alliance Patient Privacy Monitoring Case Study

Built for us: Commonwealth Care Alliance’s success with SecureLink

Commonwealth Care Alliance (CCA) is a not-for-profit, community-based healthcare organization located in Massachusetts. CCA is nationally recognized as a leader in providing care for high-cost, high-needs individuals through a proven model that improves quality and health outcomes while reducing overall costs of care. CCA serves both patients and health plan members in a multitude of settings, and as a result receives a large amount of data. This prompted them to seek a scalable means to review all of this information.

The Challenge

CCA serves members and patients using a highly integrated collaborative model in which external providers and vendors coordinate their services and care through CCA’s EMR system. This presented a challenge for CCA’s Privacy and Security team because it is essential that the team has a thorough understanding of all users’ levels of access and their corresponding scope of responsibilities. The CCA Privacy team also needed various types of data to complete reviews. “In a lot of cases, we either had to create our own queries to pull the information or ask our EMR provider to do it for us. It wasn’t a high priority for them, so it didn’t always get done as quickly as we would have preferred,” explained CCA’s Privacy and Security Officer, Andy Seale.

Once CCA’s Privacy and Security team received the information, it was often difficult to interpret unless the user was highly technical or particularly familiar with the EMR system. This prompted the CCA Privacy team’s search for a solution that would be both easy to interpret and customizable to the CCA environment.

Searching for a Solution

CCA’s biggest concern was finding a vendor that could pull the data seamlessly and provide a user-friendly solution. As they did not have the capacity to write their own data extraction queries, an end-to-end solution was key. Moreover, given its unique organizational structure, CCA needed a vendor that understood its functional and business requirements. In the end, when it came down to two competitors, the Privacy Team chose SecureLink.

“What sold me on SecureLink was their willingness to work with us as an organization hand in hand,” Seale said.

Maintaining Flexibility

Given CCA’s unique model of care, flexibility was critical. So when SecureLink showcased the solution’s flexibility and their willingness to jump right in, the CCA team knew it would be a good fit.

“The good thing about SecureLink is that we know if a staff member has a scheduled visit or an encounter with a member through the information provided. This allows us to remove false positives automatically in the system and focus on truly suspicious accesses,” explained Seale. SecureLink is able to provide an even more in-depth snapshot of various privacy and security matters than was previously available to CCA’s team.

With a custom-built solution, CCA is now able to focus on their access review and easily find the information they need.

Maximizing Usability

Before SecureLink, pulling reports at CCA was a manual and laborious task. If users didn’t have a technical background, trying to determine what accesses were inappropriate was an even more difficult task. SecureLink solved this problem with its ability to easily search within the tool and provide natural language explanations on all accesses.

According to Seale, “CCA’s clinical personnel, for example, who are not particularly familiar with advanced privacy monitoring tools, can easily figure out [how to query SecureLink] if they need to look up ICD 9 or ICD 10 billing codes. They can pull that within three seconds… it’s that easy to use.”

Streamlining Data Searches

Equipped with an easy-to-use solution, the CCA Privacy team started pulling larger sets of descriptive data and delved further into reviews. It was essential to see as much information as possible and to have the ability to send that information to external organizations in an understandable format.

“You can slice and dice the information very easily. With the amount of information you can pull, having the built-in queries and customizations allows us to dig pretty deep into who was doing what and where,” stated Seale.

If the review needs to go to an external organization, CCA is now able to pull all the data into an interpretable PDF format. Seale noted that this is especially advantageous because “It’s easy to pull the report from SecureLink and send a PDF to an external organization if the organization’s staff member is engaging in an activity that potentially constitutes a breach of privacy or security.”

Implementing SecureLink has also helped CCA improve data quality initiatives. For instance, the tool has enabled CCA to gather additional data, thereby strengthening its review process and further protecting patient privacy.

Protecting Patients with SecureLink

The transition to SecureLink was seamless, and the CCA Privacy team quickly incorporated the tool into their daily routine. The amount of time needed to review accesses has significantly decreased. Seale reported that what started at about 15-20 hours a week on privacy reviews has dropped significantly. In 2017, the Privacy team started with approximately 300 privacy reviews, which decreased to approximately 240 reviews in 2018. This year, the Privacy team has only had 38 reviews. The reduction has allowed CCA to focus on high-risk accesses, rather than false positive alerts.

CCA also incorporated SecureLink into their on-boarding process, so that all newly hired employees are now informed that their accesses to patient records will be monitored. This HR process has ingrained the importance of patient privacy across the workforce.

In essence, SecureLink Analytics has helped CCA’s Privacy team go one step further to protect patient data in a customized way that conforms to how CCA operates. SecureLink is exactly what CCA’s Privacy and Security team needed.

* Note: Products referenced in this case study were under the Maize Analytics suite of products during the time this case study was written. Maize Analytics has been acquired by SecureLink as of May 11, 2021, and the Patient Privacy Monitoring Solution referenced in this study is now under the umbrella of SecureLink product offerings.
