University of Kansas Health System

Creating a culture of compliance in healthcare organizations through collaboration

Privacy officials are responsible for adjudicating potential privacy violations in healthcare organizations. In the news of late, we have heard of cases of unauthorized access to patient data. Although what is considered unauthorized can take many forms, some examples include snooping on a family member’s medical record or looking at another employee’s chart. Traditionally, healthcare organizations have relied on manual processes to determine if a suspicious or questionable access is a violation. These manual processes require a privacy official to examine long lists of access events and interview employees in order to make a final determination regarding authorization.

Over the last couple of years, The University of Kansas Health System (“UKHS”) has leveraged SecureLink Analytics’s machine learning auditing system to help automate the manual processes surrounding access and authorization, both to support its compliance efforts and to best protect patient data. The auditing system allows privacy officials to focus on high-risk behavior, while reducing false positive alerts. The system learns to recognize when an access is necessary based on clinical context (e.g., an appointment, medication order, etc.) in order to identify and rank suspicious record entries that may lack a clinical or operational justification, and it flags these record entries for review.

Once a potential unauthorized record entry has been identified, the privacy team investigates the access. Instead of completing the review in isolation, the privacy officials use SecureLink’s collaborative reviewer system to help streamline the process. For each suspicious access, the privacy official assigns the user’s manager (or other relevant personnel) to the investigation.

The manager then provides input on the employee’s involvement with the patient’s care (e.g., whether the employee was floating on a floor to provide clinical support). To date, over 150 managers have participated as reviewers in an investigation, allowing the privacy office to work through cases more efficiently and obtain relevant information more quickly than before.

The deployment of the auditing system and the collaborative privacy process is helping UKHS to ensure its culture of compliance. UKHS employees, like most healthcare institution employees, are continuously trained and educated regarding HIPAA compliance and UKHS’s policies and procedures related to HIPAA. A part of UKHS’s thorough compliance training includes making employees aware that their accesses are being monitored, which UKHS believes is helping to deter non-compliant behavior. Since the system has been deployed, UKHS has been more efficient in monitoring and investigating possible unauthorized medical record accesses and has been able to achieve and confirm its goals related to HIPAA compliance. Moreover, because privacy responsibilities are now shared visibly across the organization, privacy processes are increasingly becoming a visible component of day-to-day operations in addition to scheduled mandatory and annual compliance training.

Ensuring the privacy of patient data is one of UKHS’s paramount responsibilities. In collaboration with SecureLink Analytics, The University of Kansas Health System is working to deploy effective tools and successful processes to protect the privacy of patients entrusted to its care.

*Note: Products referenced in this case study were under the Maize Analytics suite of products during the time this case study was written. Maize Analytics has been acquired by SecureLink as of May 11, 2021, and the Patient Privacy Monitoring Solution referenced in this study is now under the umbrella of SecureLink product offerings.
