Health systems are beginning to realize the untapped potential of compliance analytics for efficiently auditing the roughly 60 million electronic health record queries occurring each month in an average-sized U.S. hospital. With an artificial intelligence-powered compliance analytics program, organizations can surface unusual access patterns that warrant human investigation, thereby fortifying patient data security and creating new workflow efficiencies.
Once a compliance analytics program is implemented, however, there is still essential work to be done: establishing key performance indicators. KPIs, or quantifiable measures of progress toward business objectives, serve three main purposes in any compliance analytics program:
- To objectively measure the program's success.
- To determine whether adjustments should be made (for instance, a compliance team may decide to incrementally increase the percentage of EHR accesses that are monitored).
- To frame the return on investment reported to C-suite executives.
By developing KPIs that are specific, measurable, attainable, relevant, and time-oriented — a set of standards known as SMART criteria — organizations can be confident that they're on the path to significant improvements in compliance management.
Learn more about building an effective compliance analytics program by downloading Protenus’ newest white paper.
Fortunately, compliance teams don't need to start from scratch when it's time to set KPIs; they can build off of what has worked for other organizations. Here are eight examples of measures that have historically been effective, along with explanations as to why they are important:
Percent of transactions reviewed
Organizations should aim to review 100 percent of activity within their EHR and associated applications. This approach provides a comprehensive ability to accurately classify actions as inappropriate or appropriate. With report-running and periodic manual reviews, most organizations currently only capture a single-digit percentage of total transactions.
Percent of users reviewed
- Calculating what percentage of the total workforce is represented in reviews helps to ensure that all roles and individuals within the institution are held equally accountable. When certain personnel are logging transactions on paper versus electronically, their behaviors cannot be closely monitored, leaving the possibility for noncompliance events to go unchecked.
Number of cases reviewedBy knowing how many alerts surfaced for investigation have actually been reviewed, compliance teams gain insight into the number of full-time equivalents necessary to achieve meaningful results. It is important to note that AI is an extension of compliance teams, not a replacement for human expertise — human input is needed to train the software and tie analytics to business objectives.
Number of violations detected annually
Measuring risk and compliance productivity requires calculating the number of compliance violations detected each year. In the early stages of a compliance analytics program, an increase in violations detected may indicate improvement in monitoring rather than an increase in improper behavior.
Workflow opportunities for improvement
The number of noncompliant practices detected each year is useful for assessing how effectively the compliance team is driving operational improvements. Detecting and resolving violations whenever they arise is critical to fostering new organizational efficiencies and conserving resources.
False positive rate
Teams can measure the effectiveness and sophistication of their analytics by determining the percentage of investigations in which individuals are cleared, commonly referred to as "false positives." Protenus also empowers organizations to identify "good catches," which are behaviors that aren't problematic in one case but may indicate impropriety in future circumstances. For instance, a nurse redeployed to a different unit during COVID-19 may generate a high suspicion score because he/she doesn't typically access records in that unit. While the nurse's behavior in this case would be acceptable, the compliance team can mark it as a "good catch" to be notified of similar cases in the future.
Time spent per case
The length of time from incident detection to final resolution is a measure of workflow efficiency, reflecting how much effort and how many workers are involved in achieving a certain outcome. Without compliance analytics, many health systems devote dozens of hours to reviewing reports, gathering data, making requests and taking other steps necessary to resolve cases.
Time to detection/resolution
By knowing the amount of time it takes to uncover and resolve an event, as well as the time between when an event is reported and when it is resolved, organizations can hold themselves accountable for preventing noncompliance events that threaten patient safety. The longer it takes to catch and resolve noncompliance, the more harm is done to patients, employees and organizations as a whole.
At their core, KPIs reflect the success of a healthcare compliance analytics program. They can be used to identify gaps in monitoring capabilities and other opportunities for improvements in data security and regulatory compliance. When tailored to support organizational objectives, these measures enable compliance departments to demonstrate ROI while providing a template for future growth.
For more insights on building a compliance analytics program, download the latest white paper from Protenus.