One of the requirements of the HIPAA Security Rule is to audit access to Protected Health Information (PHI). Auditing is the recording of access to PHI. It usually includes who accessed PHI, when it was accessed, and what PHI was accessed. Many EHRs, and all EHRs certified for Meaningful Use, have the ability to audit system access to PHI.
Even if you have an EHR that audits access to PHI, it will do you no good if you are not reviewing the access logs. Employees could be stealing patient records or accessing them inappropriately. Hackers could be inside your EHR stealing records. Without reviewing the audit logs you may never know what is happening.
A report came out that two hospital employees were caught inappropriately accessing over 5,000 patient records.
“During an April 2013 audit of a patient’s medical record, the health system identified suspicious access that prompted an investigation,” according to a notice the hospital issued. “The investigation revealed that two members of the patient care team accessed patients’ medical records in a manner that was inconsistent with their job functions and hospital procedures, and inconsistent with the training they received regarding appropriate access of patient medical records.”
Without reviewing the audit logs, the hospital would have never known that the employees were inappropriately accessing patient records.
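One way to put the log review described above into practice, as an added example that is not from the original post or from any EHR product: a small Python script that parses constructed audit records (who, when, what) and flags access to patients outside a user's assigned list, after-hours access, and users with repeated unassigned access. The log format, the assignment table and the thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit records (not real data): timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2013-04-02T08:15:00,nurse_a,nurse,P1001,view
2013-04-02T08:20:00,nurse_a,nurse,P1002,view
2013-04-02T08:25:00,nurse_a,nurse,P1003,view
2013-04-02T09:00:00,billing_b,billing,P1001,view
2013-04-02T09:01:00,billing_b,billing,P2001,view
2013-04-02T09:02:00,billing_b,billing,P2002,view
2013-04-02T23:40:00,nurse_a,nurse,P9001,view
"""

# Assumed assignment table: which patients each user has a job-related reason to access.
ASSIGNED = {"nurse_a": {"P1001", "P1002", "P1003"}, "billing_b": {"P1001"}}

def parse_log(text):
    """Parse the constructed CSV-style audit format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records

def find_suspicious(records, assigned, work_hours=(6, 20), max_unassigned=1):
    """Flag access inconsistent with job function: a patient not on the user's
    list, access outside work hours, and users with repeated unassigned access."""
    findings = []
    unassigned = Counter()
    for r in records:
        when = r["ts"].isoformat()
        if r["patient"] not in assigned.get(r["user"], set()):
            unassigned[r["user"]] += 1
            findings.append(("unassigned_patient", r["user"], r["patient"], when))
        if not (work_hours[0] <= r["ts"].hour < work_hours[1]):
            findings.append(("after_hours", r["user"], r["patient"], when))
    # Repeated access to unassigned patients is the pattern behind the case above.
    for user, n in unassigned.items():
        if n > max_unassigned:
            findings.append(("volume", user, n))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG), ASSIGNED):
        print(finding)
```

In a real review the assignment table would come from the scheduling or care-team system, and the thresholds would be tuned to the organization's normal access volumes.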
So the question to ask yourself is:
Do you know what is going on in your EHR?
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.
understand the HIPAA Risk Assessment process