With rising regulatory requirements and an increasing number of independent applications accessing patient information, UPMC decided it was time to implement an integrated patient privacy solution.
When you are a very large and prestigious health system, placed on the U.S. News & World Report “America’s Best Hospitals” Honor Roll, it can feel “like having a target on your back,” explains Dave Sanborn, Identity Management Specialist and Data Security Manager at UPMC (University of Pittsburgh Medical Center).
UPMC has been at the forefront of innovative approaches to protecting patient privacy. Core to UPMC’s strategy is its Identity Management System used together with FairWarning® Patient Privacy Monitoring. UPMC combined these solutions to develop a system-wide privacy compliance program, including monitoring, training and sanctions. UPMC has now expanded this program to fully comply with the ARRA-HITECH Privacy Rules.
“FairWarning is vital to our regulatory compliance. We in the healthcare industry have existing as well as new regulatory obligations and FairWarning is absolutely crucial to us meeting those regulations.”
VP of Privacy and Information Security
One of the key business challenges was conducting investigations. John Houston, UPMC’s Vice President of Privacy and Information Security & Assistant Counsel, wanted a centralized source for application audit logs.
During each investigation, the facility Privacy Officers (more than 20 across the health system) needed access log information for each application thought to be involved. Investigations required extensive time from the technical support staff to run access log reports on a system-by-system basis. Due to the effort to collect access log information from disparate systems, it often took up to several weeks to obtain necessary information.
The next step was to ensure that access was appropriate, which required collecting access logs for many applications in a centralized repository. Once collected, log information needed to be deduplicated and made available to management staff and Privacy Officers.
UPMC has a mature Identity Management System (IdM) in use across the enterprise that manages all user accounts for UPMC’s enterprise systems. Accordingly, UPMC wanted to deduplicate log information by integrating the Authoritative User Data managed by IdM, and began seeking a solution that could handle this integration with Authoritative User Data (primarily from IdM, but potentially also from HR and Active Directory systems).
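The deduplication step described above, as an added example that is not UPMC’s or FairWarning’s code: per-application access-log entries are joined to one canonical identity through an authoritative user table of the kind an IdM export provides, and the result is grouped by the user’s manager for focused review. The user table, account names and log entries are constructed samples.

```python
# Added illustration (not UPMC's or FairWarning's code): join per-application access
# logs to one canonical identity from an authoritative user table and route by manager.
from collections import defaultdict

# Constructed authoritative user data: canonical id -> local account per app, manager.
IDM_USERS = {
    "u1001": {"manager": "m200", "accounts": {"ehr": "jdoe", "lab": "doe_j"}},
    "u1002": {"manager": "m201", "accounts": {"ehr": "asmith", "lab": "smitha"}},
}

# Constructed access-log entries as two separate applications would emit them.
ACCESS_LOGS = [
    {"app": "ehr", "user": "jdoe",   "patient": "P-42"},
    {"app": "lab", "user": "doe_j",  "patient": "P-42"},
    {"app": "ehr", "user": "asmith", "patient": "P-42"},
    {"app": "lab", "user": "ghost",  "patient": "P-77"},
]

def build_account_index(idm_users):
    """Invert the IdM table into (app, local account name) -> canonical user id."""
    return {(app, local): uid
            for uid, rec in idm_users.items()
            for app, local in rec["accounts"].items()}

def correlate(access_logs, idm_users):
    """Tag each entry with its canonical uid and manager; return (matched, unmatched).
    Unmatched entries belong to accounts no authoritative source knows; review them separately."""
    index = build_account_index(idm_users)
    matched, unmatched = [], []
    for entry in access_logs:
        uid = index.get((entry["app"], entry["user"]))
        if uid is None:
            unmatched.append(entry)
        else:
            matched.append({**entry, "uid": uid, "manager": idm_users[uid]["manager"]})
    return matched, unmatched

def users_per_patient(matched):
    """Patient -> set of canonical users who accessed it, counted once across apps."""
    seen = defaultdict(set)
    for e in matched:
        seen[e["patient"]].add(e["uid"])
    return dict(seen)

def manager_queues(matched):
    """Manager id -> entries for the people they supervise (a focused review queue)."""
    queues = defaultdict(list)
    for e in matched:
        queues[e["manager"]].append(e)
    return dict(queues)
```

Accounts that no authoritative source can resolve (here the constructed "ghost" login) are kept in the unmatched list rather than silently dropped, since an orphaned account is itself a finding.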
After an exhaustive analysis that included gathering requirements from UPMC’s facility Privacy Officers and others, UPMC embarked on a search that took several months and involved investigating numerous commercially available tools. After a thorough RFP process, UPMC elected to implement FairWarning Patient Privacy Monitoring.
Through its foresight in implementing IdM together with FairWarning®, UPMC is well positioned to fulfill even the most demanding ARRA-HITECH provisions, including Accounting of Disclosures.
Positive impacts of UPMC’s solution include improved dissemination of information and a reduction in incidents. “We can aggregate logs and alerts into one bucket with a single reviewer who has the ability to look at all of the logs and alerts across an organization, or send logs and alerts to a user’s manager, so that the manager or Privacy Officer can perform a more focused investigation and/or reviews as necessary,” Dave Sanborn explains.
In terms of adoption, UPMC reports that its managers have had a positive experience, mainly because they can review aggregate information from a single place. UPMC averages over 300 distinct users reviewing information in the FairWarning® system on a weekly basis.
UPMC’s FairWarning® implementation will ultimately integrate logs from over one hundred applications, involving aggregating access log information for over 75,000 users, making it a very complex environment.
Phasing the project to meet critical milestones was a key to success. UPMC project sponsors aimed to “first prove it could be done,” to build momentum and ensure long-term use and overall adoption. The first phase was to gather log information from a couple of data sources, integrate user information from IdM and successfully deploy it to a “Phase One” group of UPMC managers and Privacy Officers. The second phase involved integrating log information from six data sources, the training of UPMC’s Privacy Officers and the deployment to UPMC’s management staff.
Today, UPMC is collecting audit log data from more than forty applications, representing all major clinical systems in the enterprise. Ultimately, UPMC expects to collect data from more than one hundred clinical information systems.
400 clinical locations
Over 4,500 beds
Over 62,000 employees
International markets in Italy, Ireland, Cyprus, Qatar, and the United Kingdom