August 1, 2016

Getting Schooled on Patient Privacy Analytics

Summer school is still in session! In an effort to help cure vendor fatigue, we’ve decided to put together a Privacy Analytics Primer to demystify all the similar-sounding solutions and phrases out there. We’re focusing on how compliance and security officers can ensure that EHR access is reviewed and patient privacy protected, per 45 CFR 164.308 and 45 CFR 164.312.* Our aim is to help you better determine which type of privacy program is right for your institution.

The Primer details eight privacy programs from basic to full-strength. While not every organization is ready from day one to put into place a full Proactive Patient Privacy Analytics platform, knowing where you stand today is a good start!

Basic to Full-Throttle Privacy Programs

Nothing.png

Nothing

The unfortunate truth is that many institutions don’t have the time to really perform audits of their EHR audit logs in any substantive way. They may do required HIPAA training for all new employees, investigate breaches that get reported, and maintain records of past breach reporting.

Random.png

Random Audits

One step above doing nothing is, once per month, year or quarter taking a sample of users and auditing their work. This can help you check a box, and occasionally find an inappropriate actor, but it doesn’t really move the needle on building a better privacy culture.

Regular.png

Regular Algorithmic Audits

Another approach to create a “just enough” program is to do regular rule-based audits, like last name matching, checking medical students, or users that view an abnormally large number of records.

RandReg.png

Random Audits + Regular Algorithmic Audits

Some departments combine random audits and regular rule-based audits (we find this to be one of the more common types of programs currently in place).

AlgoAudits.png

Traditional Patient Privacy Monitoring

This approach refers to purchasing a rule-based system to check all or some of your EHR logs for simple patterns, like last names, addresses, or odd departments.  Though automated, the alerts produced by a system like this are inaccurate and have to be manually reviewed.

Trad.png

Patient Privacy Intelligence

This term also refers to patient privacy monitoring, but can sometimes incorporate some additional summary functions and overall dashboarding capabilities.

UserBehavior.png

User Behavior Analysis/Machine Learning

Takes into account patterns, user behavior - technology that leverages some “machine learning” but looks at simple access behaviors.  

Proactive.png

Proactive Patient Privacy Analytics (P3A) Platform

A proactive patient privacy analytics platform has a number of unique features including user-by-user patterns and clinically-driven explanations, and represents the best-possible option for institutions seeking to be leaders in protecting patient privacy.

Where does your privacy program currently stand on this continuum vs. where would you want to be?

For more details, get our Proactive Patient Privacy Analytics Primer today.

Download Privacy Primer


*45 CFR 164.308(a)(1)(ii)(D) “Information System Activity Review” and 45 CFR 164.312(a-d) “Technical Safeguards”, to be precise.