Q: We've had issues with employee snooping. Would SPHER detect this?
A: Yes. While the SPHER detectors are designed to identify any abnormality associated with a user's access to protected health information (PHI), one of the first systems to start investigating user behavior is our Last Name Matching detector. From the Go-Live day on the system, SPHER will begin reviewing credentialed users' access to their own records, any family member records, and any patient that has the same last name. Our analysis shows that incidents of Employee Snooping drop dramatically once SPHER is implemented, resulting in a more secure and HIPAA-conscious culture within the client environment.
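The three checks named in this answer (own record, family member records, same last name) can be run over an application audit log as shown in this added example, which is not SPHER's code. The roster fields, event layout, and reason labels are assumptions, and all sample data is constructed.

```python
import unicodedata
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Employee:  # hypothetical workforce roster record
    last_name: str
    own_mrn: Optional[str] = None                   # the employee's own patient record
    family_mrns: set = field(default_factory=set)   # declared family member records

def name_keys(last_name):
    """Fold case and accents, split compound surnames into comparable parts."""
    nfkd = unicodedata.normalize("NFKD", last_name)
    folded = "".join(c for c in nfkd if not unicodedata.combining(c)).casefold()
    return set(folded.replace("-", " ").split())

def classify(user_id, mrn, roster, patients):
    """Return why an access needs review, or None if no rule fires."""
    emp = roster.get(user_id)
    if emp is None:
        return "UNKNOWN_USER"   # cannot be cleared without a roster entry
    if mrn == emp.own_mrn:
        return "SELF"
    if mrn in emp.family_mrns:
        return "FAMILY"
    if name_keys(emp.last_name) & name_keys(patients.get(mrn, "")):
        return "SAME_LAST_NAME"
    return None

def review(events, roster, patients):
    """Return (timestamp, user, mrn, reason) for every flagged audit event."""
    flagged = []
    for ts, user_id, mrn in events:
        reason = classify(user_id, mrn, roster, patients)
        if reason:
            flagged.append((ts, user_id, mrn, reason))
    return flagged

# Constructed sample data: roster, patient surnames by MRN, audit events.
ROSTER = {"jdoe": Employee("Doe", own_mrn="M1001", family_mrns={"M1002"}),
          "mgarcia": Employee("García-López")}
PATIENTS = {"M1001": "Doe", "M1002": "Smith", "M2001": "Garcia",
            "M3001": "Nguyen", "M3002": "DOE"}
EVENTS = [("2024-03-04T08:15", "jdoe", "M1001"), ("2024-03-04T08:20", "jdoe", "M1002"),
          ("2024-03-04T09:02", "jdoe", "M3002"), ("2024-03-04T09:30", "jdoe", "M3001"),
          ("2024-03-04T10:11", "mgarcia", "M2001"), ("2024-03-04T10:40", "mgarcia", "M3001")]

if __name__ == "__main__":
    for row in review(EVENTS, ROSTER, PATIENTS):
        print(*row)
```

A same-last-name hit is a lead for review rather than proof of snooping, since common surnames will match unrelated patients.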
Q: How long does it take to integrate SPHER?
A: SPHER is operated and accessed via a secure internet (cloud) connection. This allows SPHER and your organization to rapidly include the SPHER user activity monitoring within your existing cybersecurity framework. A typical "integration," which includes connecting SPHER to your existing EMR/EHR, is measured in days, and worst case, a few weeks. If there is already an existing integration partner, then it's simply a process of replicating the connections and setting up the secure transfer of the application audit logs.
Q: Can SPHER work with my EMR?
A: SPHER maintains business partnerships with many of the leading EMR/EHR manufacturers deployed across the healthcare landscape. In some cases, we will support multiple versions of the same EMR, since there are slight differences between 'on-premise' and 'cloud-based' connectivity. In most instances, we are able to integrate a new application within a week or two. Not only does SPHER support EMRs, we also have active integration with PACS systems, Practice Management solutions, and unique third-party in-house developed applications. We invite you to contact SPHER to discover the systems we do support and learn how quickly we can help you start monitoring activity.
Q: How difficult is it to install and maintain SPHER?
A: The installation associated with SPHER is easy; there is none! There is no software installed on site. Once the connection with your targeted application is established and the education and training is completed, your Compliance/Security/Privacy officer is ready to access the SPHER dashboard via our secure web interface. Log in using the browser of your choice, verify your account, and then start using SPHER to remediate abnormal activity.
Likewise, all maintenance of the SPHER system is managed centrally by SPHER Technical Support. In the event of a question, you can email or call our operations directly using the SPHER Support call-in information.
Q: How long does SPHER keep the information from our daily audits?
A: The HIPAA administrative simplification rules require a Covered Entity, such as a physician's office, a clinic, or a hospital, to retain required documentation for six (6) years from the date of its creation, or the date when it last was in effect. SPHER pledges to go one year beyond that requirement. We retain documented Events and Incidents for seven (7) years from the date of creation. This means your group has access to every event, incident, and breach that was identified from the date SPHER goes live within the targeted EMR or ONC-certified application.
Q: How do we train our staff to use SPHER?
A: HIPAA and multiple programs require every Covered Entity to name a Privacy or Security Officer. Typically, that person will oversee whether the annual Security Risk Assessment is completed and documented and whether corrective actions are then updated in the group's Policies & Procedures. At SPHER, Inc., we find that this person, and possibly 1 or 2 of their staff members, will be directly responsible for receiving SPHER Alerts and, more importantly, logging in on a daily basis to remediate the activity. During the On-Boarding process with your group, the SPHER Customer Service Team will set up training sessions using your actual audit log data and teach them how to use the SPHER application and how to escalate an investigation to Breach status.
At SPHER, Inc., we also recognize that people get promoted and occasionally leave a company. Therefore, our training program is open-ended. If you need to train a new member, simply contact SPHER Customer Support and schedule a session to become proficient in using the solution.
Q: Does SPHER require a lot of our resources?
A: SPHER is not an application that requires a Full Time Employee (FTE). Obviously, there are varying types of organizations using SPHER on a daily basis, so the number of trained professionals assigned to interacting with and reviewing SPHER Alerts may vary in proportion to the number of employees being monitored, and possibly the volume of PHI-related records being accessed. A typical client may spend anywhere from 10 to 20 minutes a day investigating Alerts and ensuring that all SPHER messages have been cleared, leaving the organization in good standing from a PHI privacy and security perspective.
Q: Can we look at the entire activity history on our EMR with SPHER?
A: Once SPHER captures the daily user activity audit log, it keeps that data for your forensic review for seven (7) years. With the increased attention to patient access to healthcare and consumer data across the United States (e.g., the California Consumer Privacy Act), the necessity for healthcare groups to be able to document and efficiently audit historical activity has never been more important. SPHER extends the views into user and patient activity and enables organizations to generate reports on the fly.
Have additional questions?