UTHealth, The University of Texas Health Science Center at Houston

Office of Auditing & Advisory Services

16-120 Echo Credentialing System

We have completed our audit of the Echo Credentialing System. This audit was performed at the request of the UTHealth Audit Committee and was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

BACKGROUND

UT Physicians' (UTP) Credentialing department has been delegated by various health plans to perform the credentialing and recredentialing verifications for all UT Health providers (except for those in the Pathology department). Echo, a web-based credentialing and provider management software, is used to assist with the credentialing activities. The UTP Credentialing department performs the credentialing activities in accordance with the executed delegation agreement with each respective health plan and follows the standards and guidelines from the National Committee for Quality Assurance (NCQA). The credentialing process is reviewed annually by the health plans for compliance with the delegation agreement and authoritative regulations. The credentialing and recredentialing verifications for pathologists are performed by an outside third party vendor, McKesson.

OBJECTIVES

The initial objective of this audit was to review the physician credentialing process to determine whether controls are in place to ensure physicians are properly licensed to practice and are in compliance with state and federal regulations. Since the UTP credentialing process is reviewed annually by the health plans and the credentialing for pathologists is performed by a third party vendor, Auditing & Advisory Services' (A&AS) review focused on improvement opportunities related to the operation's efficiency and effectiveness.
SCOPE PERIOD

The scope period was January 2016 through March 2016 for review of supporting documentation related to new providers and providers with changes reported to the health plans. For electronic data analysis, a data extract from Echo was obtained and analyzed as of March 17, 2016. A follow-up analysis of Echo data as of March 31, 2016 was also performed.

METHODOLOGY

The following procedures were performed:

- Reviewed departmental policies and procedures as well as state, federal and other authoritative requirements related to the credentialing and recredentialing process.
- Interviewed key employees responsible for credentialing and monitoring of critical expiration dates to understand the roles and responsibilities currently in practice.
- Performed a walkthrough and observation of the UTP Credentialing department, noting how the physical copies of the credentialing files are maintained and stored. A suggestion was made to Credentialing to update departmental policy QM-003-09 clarifying how the credentialing files are retained.
- Reviewed the Echo system, noting the field used to classify the status of each provider. A suggestion was made to Credentialing to review the 24 classification codes available and limit the codes to only relevant and applicable statuses. Duplicates and no longer applicable codes should be removed from the list to prevent the codes from being used erroneously.
- Obtained an understanding of the process for granting, terminating, and monitoring user access to Echo and reviewed for compliance with information technology policies and standards.
- Conducted an electronic data analysis to identify anomalies in Echo such as incomplete provider information, missing data fields, expired date fields, incorrect recredentialing date based on the initial credentialing date or the last recredentialing date, and reasonableness of the provider's status classification.
- Selected a sample of new providers (5) and reviewed for the Credentials Committee's approval. All new providers selected in the sample were properly approved by the Credentials Committee prior to being reported to the health plan.
- Selected a sample of changes to provider's information (20) reported to the health plan and reviewed supporting documentation for compliance with departmental policy and procedures.
- Reviewed the process for monitoring of critical expiration dates for active providers to verify the process is functioning as intended.
- Inquired about the process for ensuring the credentialing of pathologists performed by McKesson is in accordance with state, federal and other authoritative requirements.

AUDIT RESULTS

A&AS identified areas of improvement related to the Echo Credentialing System:

- A process has not been implemented to monitor critical expiration dates of active providers in Echo.
- Analysis of Echo data as of March 17, 2016 identified various missing or expired information in Echo for active providers.
- The current version of Echo does not allow providers to complete and submit their application electronically.
- Supporting documentation for changes to provider's information is not received and retained in accordance with departmental policy QM-013-09.
- Confidentiality Forms are not completed by individuals accessing the credentialing files as required by departmental policy QM-003-09.
- A periodic review of McKesson's delegated responsibilities for compliance with the contractual agreement as well as other authoritative regulations has not been performed by Pathology.
- The password configuration for Echo does not contain two of the four password standards required by ITPOL-002 at the time of review. The password configuration standard related to password length was corrected in April 2016.
- Periodic user access review is not performed to ensure user access granted is appropriate. Additionally, all users were granted the same level of access in Echo and the user accounts for two terminated employees were not deactivated at the time of review. Access to the user security permission settings was restricted in March 2016 and the two user accounts were deactivated in February 2016.
- Echo does not have the reporting capability to provide a detailed log of changes made to the provider's information. Echo only identifies when a change has been made to the overall provider's record.

NUMBER OF PRIORITY & HIGH FINDINGS REPORTED TO UT SYSTEM

None

We would like to thank the staff and management within the UTP Credentialing and Pathology teams who assisted us during our review.

Assistant Vice President

MAPPING TO FY 2016 RISK ASSESSMENT

Risk: Physicians are not properly credentialed to practice in accordance with state and federal regulations (Medium).

AUDITING & ADVISORY SERVICES ENGAGEMENT TEAM

Assistant Vice President: Daniel G. Sherman, MBA, CPA, CIA
Audit Manager: Nathaniel Gruesen, MBA, CIA, CISA, CFE
Auditor Assigned: Kathy Tran
End of Fieldwork: April 1, 2016
Issue: June 2, 2016

Copies to: Audit Committee, Dr. Robert Hunter

Issue #1

Departmental policy QM-002-09 UT Physicians Credentialing & Recredentialing Policy and Procedures states, "UT Physicians will conduct continuous credentialing of its providers. Such activity will be conducted monthly to monitor the expiration of documentation in the credentialing file. Such review of expired documentation will include, at a minimum, DEA, DPS, Texas State License, and Professional Liability Insurance coverage. Delinquent documentation will be requested prior to expiration."

A&AS obtained a data extract of all providers in Echo as of March 17, 2016. We reviewed all 1,575 active providers to determine whether each had current and complete information related to medical license, DEA license, and DPS controlled substance registration. We found that 950 or 60% of the current providers in the Echo database had missing or expired information.

A&AS met with Credentialing to discuss our test results. It was explained that a major project to clean up and verify all of the information for each provider in the Echo database had been performed. This initial review, which was undertaken to verify the accuracy of the listing of provider information, was completed with significant assistance from School of Medicine departments early in fiscal year 2016. This update did not include verifying licensing data. Credentialing explained they have not been able to keep Echo updated due to staff shortage and time constraints. However, based on our inquiries, Credentialing identified they were not fully utilizing an Echo system module, primary source verification (PSV), that assists in the performance of licensing verification.

We obtained a second data extract a week after our meeting for the same 1,575 providers previously reviewed and noted that the number of providers with missing or expired information had been reduced to 251 or 16%.

At the time of our audit, the process to monitor the expiration of licensures was being performed in each of the medical school departments. We contacted the assigned department contact in Anesthesiology, Dermatology, Family Medicine, Neurology, and Ob-Gyn to verify these activities were being performed. In addition, we selected a sample of 10 providers who were listed with expired medical license in Echo and confirmed that the medical license has been renewed and is current using the Texas Medical Board website.

#1

We recommend Credentialing develop and implement procedures that detail the responsibilities and procedures to be followed by the Credentialing department and the various School of Medicine departments. In addition, the information in Echo should be updated so that the functionality of the software can be fully utilized.

Medium

The Echo credentialing database tool is a valuable software system and we plan to continue using the system to aid in the management and monitoring of provider credentialing and recredentialing. UTP has been involved in a complete rebuild of the database since September 2015 in preparation for enhancements that are available to us. This process is expected to take 12 to 14 months.

Review of expired dates - The clinical departments are responsible for updating licenses and have been very reliable in doing so; this area of the rebuild was considered a lower priority in our Echo database rebuild efforts. All license expiration dates have been updated in the database, which gives the department the ability to monitor expiring licenses on a monthly basis automatically.

Policies will be updated to reflect current roles and responsibilities.

Implementation: Monthly monitoring has been implemented. Policy changes will be made by July 31, 2016.

Issue #2

The current version of Echo does not have the functionality to allow new applications to be completed and submitted electronically. Currently, providers complete a paper application which is submitted to their respective department for processing. The application is submitted to the UTP Credentialing department, which completes the review to credential the provider. This process can take up to 30 days to complete. However, A&AS was advised approximately 40% of the applications are either incomplete or contain errors. In these situations, the application and a checklist detailing what is needed are returned to the department for correction, which can add additional time to the process.

If Echo contained the functionality to allow for electronic submission, system controls could be built into the process. Typically, electronic submission includes built-in data input controls that prevent a user from skipping required fields on the application.

#2

We recommended Credentialing work with the vendor to determine whether Echo has the capability to allow online completion and submission of provider applications. If the capability is available, Credentialing should consider implementing the functionality to facilitate the credentialing process.

Low

Echo has the capability for online applications via a module for which we are licensed. Another reason for the rebuild is to drive systems controls, which will not allow an application to be submitted online until all electronic data entry required fields are completed. This functionality will also allow departments to identify locations and other important data field requirements but limit the selection to valid clinical and hospital locations. This information will be consistent in the Web application and billing areas.

UTP utilizes the Texas Standardized Credentialing Application (TSCA) template. We are waiting on a timetable from Echo for completion of the template. At this time Echo has notified us that the online TSCA template is 95% complete. UTP will be able to implement the online tool and roll the functionality out to the clinical departments when the template is completed by Echo. Once completed, our providers will have access to:

- Complete their credentialing forms and packets online and in paperless format
- Check their credentialing status in real-time
- Pay dues
- Update their information off-cycle for directory

Implementation: November 1, 2016

Issue #3

Departmental policy QM-013-09 Adds, Changes, Terminations (A.C.T.) requires all notification of changes to provider's information be submitted in writing from the department Director of Operations (DMO) or the assigned contact person selected by the department DMO or chairman. The written request should be printed and placed in the provider's file as well as maintained electronically.

A&AS selected a sample of 20 providers with changes reported to the health plan in January 2016 through March 17, 2016 for review. The supporting documentation of the request to change provider's information was not found in the hardcopy credentialing files for all 20 providers, but they were located and printed from the Clinical Services Representative I's email inbox in Outlook. In addition, the review also noted the following:

- 1 (or 5%) of the 20 provider files requested could not be provided at the time of review and the request for change did not come from the DMO or assigned department contact.
- 16 (or 80%) of the 20 providers reviewed showed the request for change did not come from the DMO or assigned department contact.

15 of the 17 change requests noted above were submitted by the Manager of Provider Enrollment Services and 1 of the 17 change requests was submitted by the Manager of Revenue Cycle which, according to Credentialing, are appropriate sources.

#3

We recommend Credentialing:

a) Update policy QM-013-09 to include a comprehensive listing of authorized submitters.
b) Review the practice of maintaining documentation in both hardcopy and electronic format. If selecting electronic, a designated space on the department server should be used to store these files.

Low

The individuals who submitted the change requests were considered appropriate. UTP will update the policies to reflect the list of individuals who have the authority to request provider data changes by title. Changes will be maintained electronically as well in the Echo database.

Implementation: Policy will be updated by July 31, 2016.

Issue #4

Departmental policy QM-003-09 UT Physicians Credentialing Confidentiality, procedures #1 and #2, requires individuals accessing the credentialing files to sign a Statement of Confidentiality.

The Statement of Confidentiality forms required by departmental policy QM-003-09 are not being completed by all individuals accessing the credentialing files. No documentation could be located for review. Subsequent to the end of fieldwork, Credentialing developed a Confidentiality form to be completed by individuals accessing the credentialing files.

#4

We recommend Credentialing work with the Office of Legal Affairs to determine whether Confidentiality forms are required for individuals accessing the credentialing files. If required, Credentialing should develop processes to ensure all individuals accessing the credentialing files complete the Confidentiality form. If not required, Credentialing should review and evaluate the necessity of requiring users to sign a confidentiality form.

Low

A Confidentiality Agreement has been created and is being utilized.

Party

Implementation: April 1, 2016

Issue #5

The credentialing of providers in the Pathology department is performed by a third party vendor, McKesson; however, a periodic review of McKesson's delegated responsibilities for compliance with the contractual agreement as well as other authoritative regulations has not been performed by Pathology.

#5

We recommend Pathology develop and implement a process to perform a periodic review of McKesson's delegated credentialing and recredentialing responsibilities to ensure compliance with the contractual agreement as well as other authoritative regulations. Evidence of the review should be documented and retained.

Medium

The UTHealth department of pathology will create an annual review of McKesson's delegated credentialing and recredentialing responsibilities. This will be done on an annual basis going forward and will include a review of a 10% sample of active providers that were recredentialed in the previous year and a 100% review of new providers that were credentialed in the previous year. The department of pathology will create a checklist to document review of files from McKesson. Any errors or omissions found will be reported to McKesson for correction and documented in the checklist. Once McKesson shows the corrections or omissions are complete in the file, it will be documented in the pathology checklist. The checklists will be kept on file as evidence of review going forward.

Implementation: The review will be done by a designated employee that works with McKesson on credentialing and recredentialing. The designated employee will review files and complete the checklist based on what is found in the files. It will then be reviewed by the DMO and signed off as complete.

Mathew Axcell

The checklist will be created for pathology by September 1, 2016. The review will be performed annually in October to be complete by November 1, 2016 and will be completed on an annual basis by November 1st of each year going forward.

Issue #6

Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C, Rule 202.76 Security Control Standards Catalog (TAC-202) specifies the mandatory security controls required for all state information and information systems. Based on best practices related to the safeguarding of information systems required by TAC-202, UTHealth has developed and implemented ITPOL-002 Password Policy. ITPOL-002 requires that all information resources at UTHealth requiring system access accounts comply with the university password standards.

The password configuration for Echo does not contain two of the four password standards required by ITPOL-002, as follows:

- Passwords must have a minimum length of 10 characters.
- A password may not be reused for a minimum period of two years.

Upon A&AS notification to Credentialing, the password length for Echo was updated to 10 characters in April 2016. The update has been verified by A&AS.

#6

We recommend Credentialing work with the system administrator at Echo to configure the password parameters for compliance with ITPOL-002.

Medium

We requested password requirement changes from the Echo Support Desk to comply with UT IT policy requiring 10 characters, and this was completed in April 2016. Echo has been made aware of this requirement and it was sent to their application support specialist for consideration.

Implementation: November 1, 2016

Issue #7

Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C, Rule 202.76 on Security Control Standards Catalog (TAC-202) specifies the mandatory security controls required for all state information and information systems. Based on best practices related to the safeguarding of information systems required by TAC-202, UTHealth has developed and implemented ITPOL-004 Access Controls. ITPOL-004, section 6.2.6 states, "Owners or their designee must review access lists regularly to ensure access privileges are appropriate. Timeframe for access list review should be established based on documented risk management decisions."

In addition, departmental policy QM-003-09 UT Physicians Credentialing Confidentiality, procedure #4 also states, "UT Physicians has the obligation to secure the electronic security of confidential data or information maintained by the credentialing software at all times. This process includes the issuance of user identifications and passwords to authorized credentialing staff only."

A&AS reviewed the user access controls for Echo and noted the following at the time of review:

- Periodic user access review is not performed to ensure user access granted is appropriate.
- All users are granted the same user security permission settings, including the ability to view and modify their own or someone else's user security permission settings.
- Two user accounts were still active for employees no longer working in the Credentialing department.

Upon A&AS notification to the Clinical Services Representative I, access to the user security permission settings screen in Echo was restricted in March 2016 and the two user accounts were deactivated in February 2016. Both updates have been verified by A&AS.

#7

We recommend Credentialing develop and implement formalized procedures for granting, terminating, and monitoring user access to Echo and ensure compliance with TAC-202, ITPOL-004, and QM-003-09.

a) Evidence of the periodic user access review performed should be documented and retained.
b) The level of access needed when adding new users to Echo should be considered and documented.
c) Users granted administrator privileges should be limited to only those assigned to perform the function on a regular basis.

Medium

Administrator privileges have already been limited. We will run an Access Profile Sheet quarterly for all Echo users to ensure users have appropriate access for their job functions. Departing employee privileges will be terminated on their last day of employment.

Implementation: June 1, 2016

Issue #8

Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C, Rule 202.76 on Security Control Standards Catalog (TAC-202) specifies the mandatory security controls required for all state information and information systems. Based on best practices related to the safeguarding of information systems required by TAC-202, UTHealth has developed and implemented ITPOL-026 Application Logging and Monitoring Policy, requiring all applications containing confidential information be configured to generate event logs. Application event logs should be reviewed periodically and monitored for security incidents based on risk management decisions.

Echo does not have the reporting capability to provide a detailed log of changes made to the provider's information. Echo can only identify when someone has made a change to the overall provider's record.

#8

We recommend Credentialing work with the vendor to determine whether Echo has the reporting capability to provide a detailed log of changes made to the provider's record by users. If the capability is available, Credentialing should implement the functionality to assist in the periodic review required by ITPOL-026 to ensure that no inappropriate changes were made to provider's information. If the capability is not available, Credentialing should develop and implement appropriate mitigating controls to ensure compliance with ITPOL-026.

Medium

An Audit Trail Tool is available from Echo. This is not currently part of our licensure agreement. An order for this module was placed with Echo in May and UTP has been informed that we will have the Audit Trail functionality added to our license at no charge.

Implementation: As soon as Echo can install the module. We expect this to be done no later than June 30, 2016.