I am currently serving as the Interim Compliance Officer for a client with a pretty sophisticated electronic health record (EHR). This client has been without a formal compliance officer for a while so the compliance program is in need of some attention. One of the first things I was asked to do was conduct an access audit of the EHR to see if anyone was viewing records they shouldn’t. The HIPAA Security Rule requires Covered Entities to utilize audit logs and audit trails to determine who is accessing electronic protected health information, and to prevent anyone, internally or externally, from tampering with the records or using information inappropriately.
It is important for providers to become familiar with the audit capabilities of their EHR and establish a procedure for using audit logs and audit trails to examine information system activity. The Security Rule does not dictate what information should be collected, or how often access audits should be done, but, as is stated in the OIG Guidance document, “it is imperative for Covered Entities and Business Associates to review their audit trails regularly, both particularly after security incidents or breaches, and during real-time operations.” Access audits also have a strong deterrent effect; when staff are aware their activity is being audited, they are far less likely to access records they have no work-related reason to access.
So what happened with the client who had not done an access audit in a couple of years? We found one employee who was routinely accessing records the employee had no work-related reason to access. The employee was properly disciplined, and a strong message was sent that the Minimum Necessary Rule is alive and well in the organization.
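One way to carry out the kind of access review described above, as an added example that is not the author's or any EHR vendor's code: it reads a constructed CSV export of an EHR access log, compares each access against a constructed table of care-team and billing assignments (the "work-related reason" to open a chart), and separates users whose out-of-assignment access is repeated from one-off accesses that still need a human explanation. The log format, the assignment table and the `threshold` for "routine" are all assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of an EHR access-log export (assumed format, not a real vendor's).
# Fields: timestamp, user, role, patient_id, action
ACCESS_LOG = """\
timestamp,user,role,patient_id,action
2024-03-01T08:02:11,jdoe,nurse,P1001,view
2024-03-01T08:05:40,jdoe,nurse,P1002,view
2024-03-01T09:15:02,msmith,billing,P1001,view
2024-03-01T09:16:30,msmith,billing,P1007,view
2024-03-01T12:40:08,msmith,billing,P1008,view
2024-03-01T13:01:55,msmith,billing,P1009,view
2024-03-02T08:10:00,jdoe,nurse,P1003,view
2024-03-02T10:22:19,rlee,physician,P1002,view
"""

# Constructed assignments: patients each user has a documented work-related
# reason to access (care-team membership, open claim, etc.).
ASSIGNMENTS = {
    "jdoe": {"P1001", "P1002"},
    "msmith": {"P1001"},
    "rlee": {"P1002"},
}

def parse_log(text):
    """Parse the CSV export into a list of access records (dicts)."""
    return list(csv.DictReader(StringIO(text)))

def unjustified_accesses(records, assignments):
    """Accesses to patients the user is not assigned to. Every one of these
    needs follow-up; a single hit may still have a legitimate reason
    (float coverage, a misfiled assignment) that the reviewer must confirm."""
    return [r for r in records
            if r["patient_id"] not in assignments.get(r["user"], set())]

def routine_offenders(flagged, threshold=3):
    """Users whose unjustified access count reaches `threshold`, i.e. the
    'routinely accessing' pattern the compliance review is looking for."""
    counts = defaultdict(int)
    for r in flagged:
        counts[r["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    flagged = unjustified_accesses(parse_log(ACCESS_LOG), ASSIGNMENTS)
    for r in flagged:
        print(f"{r['timestamp']} {r['user']} ({r['role']}) -> {r['patient_id']}")
    print("routine:", routine_offenders(flagged))
```

In this constructed data `msmith` is the routine case and `jdoe`'s single access to P1003 is flagged for review but not labelled routine; the review procedure, not the script, decides which is a violation of the Minimum Necessary Rule.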