Getting Schooled on Patient Privacy Analytics

by Caroline Hacker on August 1, 2016

Summer school is still in session! In an effort to help cure vendor fatigue, we’ve decided to put together a Privacy Analytics Primer to demystify all the similar-sounding solutions and phrases out there. We’re focusing on how compliance and security officers can ensure that EHR access is reviewed and patient privacy protected, per 45 CFR 164.308 and 45 CFR 164.312.* Our aim is to help you better determine which type of privacy program is right for your institution.

The Primer details eight privacy programs from basic to full-strength. While not every organization is ready from day one to put into place a full Proactive Patient Privacy Analytics platform, knowing where you stand today is a good start!

Basic to Full-Throttle Privacy Programs

	Nothing The unfortunate truth is that many institutions don’t have the time to really perform audits of their EHR audit logs in any substantive way. They may do required HIPAA training for all new employees, investigate breaches that get reported, and maintain records of past breach reporting.
	Random Audits One step above doing nothing is, once per month, year or quarter taking a sample of users and auditing their work. This can help you check a box, and occasionally find an inappropriate actor, but it doesn’t really move the needle on building a better privacy culture.
	Regular Algorithmic Audits Another approach to create a “just enough” program is to do regular rule-based audits, like last name matching, checking medical students, or users that view an abnormally large number of records.
	Random Audits + Regular Algorithmic Audits Some departments combine random audits and regular rule-based audits (we find this to be one of the more common types of programs currently in place).
	Traditional Patient Privacy Monitoring This approach refers to purchasing a rule-based system to check all or some of your EHR logs for simple patterns, like last names, addresses, or odd departments. Though automated, the alerts produced by a system like this are inaccurate and have to be manually reviewed.
	Patient Privacy Intelligence This term also refers to patient privacy monitoring, but can sometimes incorporate some additional summary functions and overall dashboarding capabilities.
	User Behavior Analysis/Machine Learning Takes into account patterns, user behavior - technology that leverages some “machine learning” but looks at simple access behaviors.
	Proactive Patient Privacy Analytics (P3A) Platform A proactive patient privacy analytics platform has a number of unique features including user-by-user patterns and clinically-driven explanations, and represents the best-possible option for institutions seeking to be leaders in protecting patient privacy.