Memorial Healthcare System (MHS) is a longtime leader in high-quality healthcare services for South Florida residents. With over 13,000 employees, 1,800 beds, and 2,500 physicians, MHS is one of the largest public healthcare systems in the nation. It’s also highly regarded for its exceptional patient and family-centered care and its patient privacy program.
Patient privacy has always been a priority for MHS, but in 2012, the organization detected that a former employee of a third-party entity had accessed patient data, compromising the privacy of 80,000 patients. In response, MHS notified the Office of Civil Rights (OCR) — and immediately began its journey toward world-class patient privacy.
Richard Leon, MHS’s Chief Information Security Officer, outlined his 10-point plan for data privacy, which led to the patient privacy excellence MHS boasts today.
Memorial Healthcare System’s 10-Point Plan for a Better Patient Privacy Program:
#1. Create a Process for Automated Periodic Access Review
MHS implemented a quarterly automated periodic access review process for employees, physicians, students, and vendors in their EHR and cloud applications. Furthermore, MHS has implemented a monthly automated access review process for non-employee physicians, office staff, ACO, and population health organizations. This helps ensure that only permitted users have access to their EHR and that users who no longer need access are deprovisioned. Leon described how FairWarning painted the full picture of access to their applications to reduce the risk from non-permitted users, users who need training, or those who need sanctioning for inappropriate activities.
“FairWarning provided the data to understand workflows, pinpoint workforce data access and privacy challenges, and guide training,” Leon said.
#2. Gain Full Visibility of User Identity Data
In a study of 1 million users, FairWarning learned that, on average, 26 percent of a healthcare organization’s users are poorly known or unknown. This creates extreme security risk, as even if you catch those engaging in inappropriate activity, you may have no way of knowing who to address, train, or sanction. MHS leveraged FairWarning’s patented Dynamic Identity Intelligence technology to correlate user information in its EHR with the data in Lawson, PeopleSoft, and Active Directory. With the resulting data from Active Directory, MHS now has full visibility into the activity of both employees and contracted workers like affiliated physicians.
“Tracking access to our integrated Epic EHR by employed and affiliated physicians, as well as outside case reviewers and third parties, was essential, and we knew it would require more than just looking at logs for true cross-system transparency,” said Leon.
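The two practices above (periodic access review and correlating EHR users with HR and directory data) can be illustrated with a small script. This is an added example, not MHS's or FairWarning's code; the record layouts, the sample accounts and the 90-day dormancy threshold are assumptions, and all data is constructed.

```python
# Added example: correlate EHR user accounts against an HR roster
# (Lawson/PeopleSoft-style) and a directory (Active Directory-style), then
# emit the findings a periodic access review would act on.
# All records below are constructed sample data with assumed layouts.
from datetime import date

EHR_USERS = [  # accounts known to the EHR, with last recorded access
    {"login": "jsmith",   "role": "RN",        "last_access": "2019-03-02"},
    {"login": "rlee",     "role": "Physician", "last_access": "2018-11-20"},
    {"login": "vendor7",  "role": "Vendor",    "last_access": "2019-02-28"},
    {"login": "mgomez",   "role": "Coder",     "last_access": "2019-03-01"},
    {"login": "tmp_acct", "role": "Unknown",   "last_access": "2019-03-10"},
]
HR_ROSTER = {  # login -> employment status from the HR system
    "jsmith": "active",
    "rlee": "terminated",
    "mgomez": "active",
}
DIRECTORY = {  # login -> account-enabled flag from the directory
    "jsmith": True,
    "rlee": True,
    "vendor7": True,
}

def review_access(ehr_users, hr, directory, as_of, dormant_days=90):
    """Return (login, finding) pairs for the access reviewer.
    'unknown'    : no HR or directory record, so the identity cannot be resolved
    'terminated' : HR says the person left but the EHR account still exists
    'dormant'    : no EHR access within dormant_days of the review date
    A login may produce more than one finding."""
    review_date = date.fromisoformat(as_of)
    findings = []
    for user in ehr_users:
        login = user["login"]
        if login not in hr and login not in directory:
            findings.append((login, "unknown"))
            continue  # nothing more can be said about an unresolvable identity
        if hr.get(login) == "terminated":
            findings.append((login, "terminated"))
        last = date.fromisoformat(user["last_access"])
        if (review_date - last).days > dormant_days:
            findings.append((login, "dormant"))
    return findings

if __name__ == "__main__":
    for login, finding in review_access(EHR_USERS, HR_ROSTER, DIRECTORY, "2019-03-31"):
        print(f"{login}: {finding}")
```

Accounts that resolve to no identity in any system of record are the ones the article calls "poorly known or unknown"; they are listed first because no training or sanction can be applied until the person behind them is identified.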
#3. Create a Dedicated Privacy Department
MHS has hired a Corporate Director of Privacy to build on their program. This will allow MHS to grow while navigating new and existing regulatory compliance to ensure the privacy and security of their patients’ data.
#4. Define Access Requests for Physicians and Their Staff
MHS now has a strict and binding Enterprise Systems Access Policy, with defined sanctions for policy violations. Every new organization it works with must identify the organization leaders who will be responsible for monthly verification. They ensure that users only have access to the data they need to perform their job. They answer questions like: “Do users still need access?” “Have workflows or projects changed?” “Can user permissions be rolled back to reduce risk?”
“Those entities are bound to a monthly access verification process and a yearly re-certification process,” he said.
#5. Track Vendor Access and Business Associate Agreements
MHS has focused on comprehensively vetting all vendors, including a privacy and security checklist review, before they obtain access. In doing so, they can help reduce the risk of data breaches and hold business associates accountable for the privacy and security of their data.
“When it comes to PHI, we say, ‘No BAA, no access,’” Leon said.
#6. Dedicate a System Access Team to Provision and De-Provision Users
MHS now has a dedicated System Access Team that manages all automated and manual provisioning processes. The team also manages the periodic access review process.
#7. Adopt a Zero Tolerance Policy for Privacy Violations
MHS adopted a zero-tolerance policy for privacy violations. Zero-tolerance may not work for other organizations, but this was the right choice for MHS. Through the privacy program, all violations are investigated – and employees have been terminated.
“That was a challenge,” Leon said. “We had to have discussions around impacting the rights of employees.”
#8. Develop a Laser Focus on IT Security
Leon has worn many IT hats at MHS; now, as CISO, he explains, he is laser focused on privacy and security. He also has a manager of IT security.
#9. Partner with Vendors to Create a World-Class Privacy Program
After a lengthy and thorough vetting process, MHS in 2017 chose FairWarning as its partner in patient privacy monitoring. Shortly after implementing the Patient Privacy Intelligence platform, MHS began to see real results in the number of incidents occurring and the overall culture of privacy, compliance, and security. The health system now gets detailed reporting when users access or print PHI, as well as information on who accessed the information, what they accessed, and why they may have done it.
“FairWarning gave us a 360-degree understanding of potential risks and the ability to build privacy rules around them, which positions us for future implementation uses of the platform,” Leon said.
MHS is planning to expand its use of FairWarning into accountable care organization (ACO) activities. “We’re currently working with two ACOs in fairly new arrangements,” explained Leon. “ACOs don’t necessarily have definitive patient populations, so we’ll need to make sure that all PHI access is authorized and above board without any patient-pilfering attempts, which is a major concern for us.”
#10. Save Time with Managed Privacy Services
To help save time and dedicate more resources to all aspects of their patient privacy program, MHS partnered with FairWarning’s Managed Privacy Services, a team of certified privacy analysts that acts as an extension of Leon’s team. Leon is especially excited about the reduction of false positives thanks to MPS’s work.
“The 90 percent reduction in false positive alerts through the use of FairWarning’s Managed Privacy Services has saved us the time equivalent of two more FTEs (full-time employees) to handle the past quantity of false alerts,” Leon said.
Today, the MHS journey to continually improve patient care and privacy goes on. With the agility and flexibility offered by the FairWarning Patient Privacy Intelligence platform and Managed Privacy Services as a foundation, MHS has designed a roadmap for proactively mitigating risks and continually developing a culture dedicated to patient privacy. This will enable them to continue to improve patient care as their organization continues to grow.