HIPAA violations and what hospitals can learn from financial services

Steve Katz

The U.S. Department of Health and Human Services (HHS) sent a clear message to hospitals last month when it fined a Florida hospital $5.5 million because several employees had inappropriately accessed patient information.

Although HIPAA mandates that hospitals audit all access to patient data to detect and deter potential "Impermissible Use", HHS has until now repeatedly only threatened to impose fines. Clearly, HHS is now serious about enforcement.

Detecting such "Impermissible Use" by employees, contractors, and others in a healthcare setting, however, is a significant challenge. In many hospitals and healthcare facilities virtually all physicians and other clinical staff have access to all patient records. While this is usually necessary, identifying unauthorized "browsing" or access outside an employee's job responsibilities is not easily accomplished.

For example, consider two workers, in the same department and with identical titles, each accessing the same patient data just once. In this scenario, discerning which worker's access is "Impermissible Use" and requires follow-up action, and which is appropriate given their job responsibilities, is not a simple proposition.

Fortunately, the healthcare industry can benefit from lessons learned by many financial services firms who have addressed "Impermissible Use". In addition, recent technical advances in data analytics can help companies solve the "Impermissible Use" problem at a fraction of the cost paid by Wall Street firms years ago.

As the first Chief Information Security Officer (CISO), I was on the front lines at Citibank/Citigroup, JPMorgan and Merrill Lynch in the battle to detect and deter "Impermissible Use". Today, my work advising healthcare companies has me once again addressing the same problem. Here's what you need to know.

In healthcare, the central challenge in identifying "Impermissible Use" is that so many employees need broad access to patient data. Since lives are at stake, ready access to patient data is critical. Imposing strict limits on employee access to patient data and requiring pre-approval for exceptions is not realistic. Any delays could endanger patient safety, while the volume of exception requests would be unmanageable.

To compensate for employees having broad access to patient data, HIPAA requires hospitals to continuously audit for possible "Impermissible Use". This is usually done by analyzing logs of employee access to patient data and highlighting issues based on a detailed understanding of the employee's expected job responsibilities. The challenge is understanding each employee's job responsibilities in fine detail and knowing whether those responsibilities justify an employee's access to a particular piece of patient data at a given point in time.

While some industries have developed explicitly defined job descriptions that are tied to an employee's title and department, healthcare is much more fluid. For example, two different nurses in the same department may have completely different job responsibilities and therefore completely different "Permissible/Impermissible Use" profiles. Moreover, a worker's job responsibilities and "Permissible/Impermissible Use" profile can change if they are temporarily redeployed to a different assignment or faced with an emergency.

To date, attempts to define each worker's job responsibilities at the level of detail required by HIPAA, and to track all temporary reassignments, have failed, primarily because of the high rate of false positives and the large number of staff required to analyze audit logs.

Fortunately, advances in data technology, such as Structural Analytics, are enabling hospitals to automatically and accurately determine the specifics of each employee's job responsibilities, and their "Permissible/Impermissible Use" profile, by analyzing data in their EHR and other clinical and business systems. Hospitals can also use these technologies to recognize when an employee is temporarily or permanently reassigned, in order to automate the appropriate changes to their job responsibilities and "Permissible/Impermissible Use" profile.

By automatically comparing each employee's access to patient data with their job responsibilities and associated "Permissible/Impermissible Use" profile, data analytics can detect and deter "Impermissible Use". This approach also eliminates false positives and does not require adding more staff.

When implemented correctly, these analytics can reliably distinguish between "Impermissible Use" and "Permissible Use" even when two workers, in the same department and with identical titles, access the same patient data just once. These technologies can even be used to automate the identification of "Impermissible Use" by contractors, third parties, providers and the provider's staff with access to a hospital's patient data.
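The comparison described above, reduced to its core, is a join between an access log and a per-worker permissible-use profile that is allowed to change over time. The following is an added illustration, not code from the author or from any product mentioned in this article; the profiles, the temporary reassignment and the access-log lines are all constructed sample data in the shape of an EHR audit export, and the profile structure (a set of care units plus time-bounded reassignments) is an assumption chosen to reproduce the two cases the article raises: two nurses with the same department and title but different duties, and a worker whose duties change during a temporary redeployment. It also flags accesses by an identifier with no profile on file, which is how a contractor or third-party account would surface.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Profile:
    """Permissible-use profile; in practice derived from EHR, scheduling and HR data."""
    employee_id: str
    department: str
    title: str
    units: frozenset                                    # units whose patients this worker's duties cover
    reassignments: list = field(default_factory=list)   # (unit, start, end) temporary duty windows

    def covers(self, unit: str, when: datetime) -> bool:
        """True if accessing a patient on `unit` at time `when` is within the profile."""
        if unit in self.units:
            return True
        return any(u == unit and start <= when < end
                   for u, start, end in self.reassignments)


def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed profiles: two nurses with identical department and title but different duties.
# N1002 is temporarily redeployed to the ICU for one day.
PROFILES = {
    "N1001": Profile("N1001", "Nursing", "RN", frozenset({"ICU"})),
    "N1002": Profile("N1002", "Nursing", "RN", frozenset({"ONC"}),
                     reassignments=[("ICU", _dt("2024-03-05T00:00"), _dt("2024-03-06T00:00"))]),
}

# Constructed access-log sample (not a real audit export).
ACCESS_LOG = """\
timestamp,employee_id,patient_id,patient_unit,action
2024-03-04T08:15:00,N1001,P-7781,ICU,view
2024-03-04T08:20:00,N1002,P-7781,ICU,view
2024-03-05T09:00:00,N1002,P-7782,ICU,view
2024-03-05T21:30:00,N1001,P-9001,ONC,view
2024-03-06T10:00:00,N1002,P-7782,ICU,view
2024-03-06T10:05:00,C2001,P-7782,ICU,view
"""


def parse_log(text: str):
    """Yield one dict per log row with the timestamp parsed to a datetime."""
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = _dt(row["timestamp"])
        yield row


def audit(log_text: str, profiles: dict) -> list:
    """Return one finding per access that falls outside the worker's profile at access time."""
    findings = []
    for rec in parse_log(log_text):
        prof = profiles.get(rec["employee_id"])
        if prof is None:
            reason = "no permissible-use profile on file"
        elif prof.covers(rec["patient_unit"], rec["timestamp"]):
            continue                                    # permissible: same unit, or reassignment active
        else:
            reason = f"unit {rec['patient_unit']} outside profile at access time"
        findings.append({
            "employee_id": rec["employee_id"],
            "patient_id": rec["patient_id"],
            "timestamp": rec["timestamp"].isoformat(),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, PROFILES):
        print(f"{f['timestamp']}  {f['employee_id']}  {f['patient_id']}  {f['reason']}")
```

Run against the sample, the first ICU access by N1002 (before the redeployment starts) and the one after it ends are flagged, the access during the redeployment is not, N1001's oncology access is flagged, and the unknown identifier C2001 is flagged for having no profile. The point of the time-bounded reassignment is the one the article makes: the same worker viewing the same patient's record is permissible on one day and reportable on the next, so the profile, not the title or department, has to carry the decision.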

They can also be used to implement procedures for reviewing, modifying and/or terminating users' right of access, as required by HIPAA.

The Memorial Healthcare fine should be a wake-up call for the healthcare industry to get serious about the "Impermissible Use" problem. An excellent starting point for investigating which technology approaches work, and which don't, with respect to "Impermissible Use", is the National Health Information Sharing and Analysis Center (NH-ISAC). It provides an open forum for sharing IT experiences and best practices between healthcare organizations across the United States.

About the Author: Steve Katz is an Advisor to the Board of the NH-ISAC (National Health Information Sharing and Analysis Center), was a founder of the FS-ISAC (Financial Services Information Sharing and Analysis Center), and is currently an executive advisor on privacy and security for Deloitte. He has been Chief Information Security Officer for Citigroup, head of Information Security for JPMorgan and helped manage the Information Security program at Kaiser Permanente.

