HIPAA regulations place strict rules on patient privacy, with steep penalties for noncompliance. It’s a cultural, technology, and resource challenge in many hospitals, since it means daily monitoring of unauthorized patient access in thousands of records located in many disparate systems.
Sacred Heart Health System is meeting its patient privacy challenges using iatricSystems Security Audit Manager to monitor systems from multiple vendors and immediately detect potential access violations. “Security Audit Manager allows us to proactively monitor the inappropriate accesses that may be out there, which none of our existing systems could do on their own,” explains Jan Sizemore, Director, HIM and Privacy Officer. The easy-to-use software solution consolidates and automates tracking of all accesses to patient records across the enterprise, making a normal routine out of what was once a virtually impossible task.
“Before implementing Security Audit Manager, investigations usually took many hours,” Jan adds. “In addition to my time, I also had to ask IT to run audits on their side to be sure we had fully investigated the complaint. Now when I receive a request to check on a patient or staff member, Security Audit Manager has the report ready within minutes.”
Sacred Heart Health System currently uses Security Audit Manager to audit patient information in its Siemens MS4 main Hospital Information System (HIS), its McKesson Horizon Clinical Infrastructure (HCI), Horizon Expert Documentation (HED), and Horizon Patient Folder (HPF) systems, and its Picis IBEX system used in the Emergency Department. Using Security Audit Manager, Jan and her colleagues Jon Runnels, HIPAA Security Officer and Ginger Nowling, HIM Ops and Sys Manager, can track all accesses of patient records from the time patients register at the hospital and throughout their stay.
“Using Security Audit Manager, it’s very easy to determine if a breach has occurred,” Ginger says. “Some people may have thought we couldn’t do it before, but now we can truly see what’s going on!” The Privacy and Security team can look up a patient’s medical record number and instantly see everyone who accessed that medical record within any given timeframe. They get frequent requests to perform a Same Last Name audit that shows all accesses of a patient record by users with the same last name. Other audits include all accesses of a specific patient, all accesses by a specific user, and custom audits using a combination of criteria.
Ginger explains that Security Audit Manager is much easier to use than manually sifting through multiple paper reports. “When we received a complaint in the past, we had to run reports from up to five different systems to determine if there had been unauthorized access. Now all those systems and reports have been integrated into Security Audit Manager so we can run one easy audit from a single screen.”
Helps Educate Staff Security Audit Manager is also helping Sacred Heart Health System’s Privacy and Security team educate hospital staff about patient privacy and the ability to audit. Team members are currently spreading the word about Security Audit Manager and the importance of protecting patient privacy in articles in the hospital newsletter, in orientation for new employees, and in annual education.
Jon Runnels says that the ability to show actual screen shots and reports of activity hits home with associates. “They see we truly can drill down to individual user violations, and this has really helped us with compliance. They know we have a true auditing system in place, and that alone has helped us begin a culture change.”
From Customer to Partner
Sacred Heart Health System is not just a satisfied Security Audit Manager customer—their experience with iatricSystems has also made them an enthusiastic partner. Sacred Heart’s Security and Privacy team worked closely with iatricSystems on enhancements to Security Audit Manager, now part of the new 5.1 release. In one key contribution, they helped define the Breach Risk Assessment and Notification process that determines risk of harm due to unauthorized use of Protected Health Information. They also provided valuable input for the executive dashboard that provides an at-a-glance view of a hospital’s privacy compliance program. “With the new features in 5.1, we’re making Security Audit Manager even stronger and more beneficial,” Ginger notes.
Streamlining HIPAA Compliance
“Security Audit Manager is helping us comply with HIPAA guidelines, and iatricSystems understands what we need to do to stay in compliance,” Jan adds. “With its reporting, Security Audit Manager even provides documentation to support disciplinary action should that become necessary. The new features will allow us to streamline privacy auditing immensely and accomplish more with the resources we have.”
To learn more about Security Audit Manager please contact us using the information below.