Security and Privacy Practices for Electronic Health Records

Joseph W. Hales, PhD, FACMI

Intermountain Healthcare

Salt Lake City, UT

Post on 13-Jan-2016


Intermountain Healthcare

• Formed 1975

• Not-for-profit

• Integrated system

• 20 Hospitals

• > 100 clinics

• 6M patient encounters/yr (2007)

• $3.6B revenue (2007)

• Clinical Programs

Information Systems

• Internally-developed systems

• Enterprise-wide, longitudinal record

• Nationally recognized leader

• Clinical decision-support
  – Chronic disease management
  – Hospital-acquired infection detection
  – Adverse drug event detection
  – Resistant strain infection monitoring

Outcomes at Intermountain

Dartmouth Atlas of Healthcare

“The Mayo Clinic and Intermountain Healthcare have reputations for excellence and are noted for their leading research efforts in rationalizing the clinical pathways for managing chronic illness. Because they provide higher quality care at lower cost, the utilization rates in Salt Lake City, Rochester, Minnesota, and Portland, Oregon are useful benchmarks for estimating the potential savings from a successful national effort to improve efficiency in managing chronic illness…

The Salt Lake City benchmark results in the greatest estimated reduction in acute care hospital spending. If, over the four years of our study, hospital utilization rates had been at the level of Salt Lake City, Medicare spending for inpatient care would have been reduced by 32.4%, with physician visit savings of 34%.”

Outcomes at Intermountain

Dennis A. Cortese, MD
President and CEO, Mayo Clinic

“If I were ever diagnosed with diabetes, I would want to be treated by Intermountain Healthcare in Salt Lake City. They have the best outcomes in the country – and the lowest costs.”

KARE-NBC, Channel 11 (Minneapolis), “Utah Gets it Right,” February 8, 2008


Intermountain Information Systems

• Intermountain Healthcare is able to deliver
  – Consistent, high quality medical care
  – At the lowest possible cost

• …in part because of enterprise-wide information systems that permit users to
  – Share data across time and space between providers
  – Analyze data across populations to eliminate inappropriate variation

Technical Safeguards

• Harmonization of HIPAA, SOX, PCI, GLB

• Physical network security

• Encryption
  – Mobile devices
  – Backup media

• User security
  – Single master directory
  – Provisioned according to role using templates
  – Log user activity

Proactive Auditing and Monitoring

• Scan 16+ million access events per month

• Triggers for further investigation
  – Employees looking at records of family members
  – Employees looking at records of co-workers

• Review ALL access to records of high profile patients (VIPs, individuals in the news, etc.)
  – 2008: 47 patients audited, 0 inappropriate accesses
  – 2007: 50 patients audited, 4 inappropriate accesses

Demonstrated reduction in inappropriate access violations over last 5 years through consistently auditing access and disciplining employees
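
The triggers on this slide, written as a small rule pass over access-log events. This is an added example, not Intermountain's code: the event fields, the HR and family lookup tables, the watch list and the same-department definition of "co-worker" are assumptions, and all data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    user: str      # workforce ID of the person who opened the chart
    patient: str   # ID of the patient whose chart was opened
    ts: str        # ISO 8601 timestamp of the access event

# Constructed reference data; in practice these would come from HR,
# registration and the privacy office (all assumptions, not from the slides).
DEPARTMENT = {"e100": "ICU", "e101": "ICU", "e102": "Billing"}
EMPLOYEE_OF_PATIENT = {"p900": "e100", "p901": "e101", "p902": "e102"}
FAMILY = {"e100": {"p555"}, "e102": {"p556"}}  # declared dependents/contacts
VIP_WATCHLIST = {"p777"}                        # high-profile patients

def triggers(ev: Access) -> list[str]:
    """Return the audit triggers one access event raises (empty if none)."""
    hits = []
    if ev.patient in VIP_WATCHLIST:
        hits.append("vip")          # ALL access to these charts is reviewed
    if ev.patient in FAMILY.get(ev.user, set()):
        hits.append("family")
    owner = EMPLOYEE_OF_PATIENT.get(ev.patient)
    dept = DEPARTMENT.get(ev.user)
    # Assumption: "co-worker" means another employee in the same department.
    if owner and owner != ev.user and dept and DEPARTMENT.get(owner) == dept:
        hits.append("co-worker")
    return hits

def scan(events):
    """Return (event, triggers) pairs queued for further investigation."""
    return [(ev, hits) for ev in events if (hits := triggers(ev))]

# Constructed sample of access-log events.
EVENTS = [
    Access("e100", "p123", "2008-03-01T08:15:00"),  # ordinary patient
    Access("e100", "p555", "2008-03-01T09:02:00"),  # family member
    Access("e101", "p900", "2008-03-01T10:40:00"),  # ICU colleague's chart
    Access("e102", "p900", "2008-03-01T11:05:00"),  # employee, other dept
    Access("e102", "p777", "2008-03-01T13:30:00"),  # VIP chart
]

if __name__ == "__main__":
    for ev, hits in scan(EVENTS):
        print(ev.ts, ev.user, ev.patient, ",".join(hits))
```

A hit only queues the access for further investigation, as the slide puts it; it is not by itself a finding of inappropriate access.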

Policy and Education


• Policies and procedures on intranet

• Ongoing employee education
  – New employee orientation
  – Annual mandatory compliance training
  – Job-specific privacy training
  – Employee newsletter articles

• Annual risk assessment of privacy and security concerns

Holding Employees Accountable

• Matrix of recommended sanctions
  – Unintentional, intentional or malicious
  – Access or Disclosure
  – Number of records involved
  – First offense or repeat offense

• Employees have been terminated for privacy/security violations (incl. MDs)

• Ensures consistent application of sanctions for similar actions

Summary

• We use information systems in order to achieve consistent, high quality outcomes at lower cost for every patient

• We protect patient privacy through
  – “Best practices” in technical security
  – Establishing a culture of individual accountability

HIT Legislation

• Intermountain supports legislation that encourages adoption of HIT

• Intermountain is concerned about unrealistic expectations about HIT capacity
  – We currently do not have the capacity to fully comply with the proposed accounting for disclosures requirement contained in the Ways & Means and Energy & Commerce HIT bills
