The American Health Information Management Association (AHIMA) recently published its “Privacy and Security Audits of Electronic Health Information” guide, which laid out some healthcare security audit best practices. Balancing the need to keep data useful and available to users against the need to keep it secure, AHIMA provided reminders and tips for conducting security audits that use audit trails and audit logs to peer into back-end systems.
In addition to changing an organization’s culture and reducing risk, intermittent reviews of audit logs may be useful for detecting unauthorized access to patient information as well as providing forensic evidence during security investigations. Furthermore, auditing helps organizations track disclosures of PHI, learn of new threats and intrusion attempts, and determine the overall effectiveness of the organization’s policy and user education.
After going through healthcare federal regulatory requirements such as HIPAA, PCI and Meaningful Use, AHIMA detailed how organizations should establish a security audit strategy, decide what and how often to audit, and the best practices for implementing audit tools. Starting with a diagram of how ePHI flows within the organization, the organization must learn what its applications and systems are capable of in order to understand what is auditable and how frequently the audits will occur. Organizations should also get the right people, such as users, human resources, and board members, involved in the audits. Additionally, according to AHIMA, organizations would be smart to develop a standard set of documents used to investigate and record potential violations and breaches. The guide gives the following examples of situations where organizations should audit internal users’ viewing of records:
- The record of a patient with the same last name or address as the employee
- VIP patient records (i.e., board members, celebrities, governmental or community figures, physician providers, management staff, or other highly publicized individuals)
- The records of those involved in high-profile events in the community (i.e., motor vehicle accident or attempted homicide)
- Patient files with isolated activity after no activity for 120 days
- Other employee files across departments and within departments (Note: Organizations should set parameters to omit legitimate caregiver access)
- Records with sensitive health information, such as those involving psychiatric disorders, drug and alcohol records, domestic abuse reports, and HIV/AIDS
- Files of minors who are being treated for pregnancy or sexually transmitted diseases
- Records of patients the employee had no involvement in treating (i.e., nurses viewing patient records from other units)
- Records of terminated employees (Note: Organizations should verify that access has been rescinded)
- Portions of a record that an individual would not ordinarily have a need to access based on his or her discipline (i.e., a speech therapist accessing a pathology report)
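Several of the triggers above can be checked mechanically against an access log. The following is an added example, not code from the AHIMA guide: it runs over constructed employee, patient and access-log records and flags accesses that match the same-last-name, same-address, terminated-employee, other-unit and 120-days-idle triggers. The record fields and the rule that same-unit access counts as legitimate caregiver access are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the AHIMA guide).
EMPLOYEES = {
    "e1": {"last_name": "Rivera", "address": "12 Elm St", "unit": "ICU", "terminated": False},
    "e2": {"last_name": "Chen", "address": "9 Oak Ave", "unit": "ER", "terminated": True},
    "e3": {"last_name": "Patel", "address": "3 Pine Rd", "unit": "ICU", "terminated": False},
}
PATIENTS = {
    "p1": {"last_name": "Rivera", "address": "40 Birch Ln", "unit": "ICU"},
    "p2": {"last_name": "Smith", "address": "9 Oak Ave", "unit": "ER"},
    "p3": {"last_name": "Jones", "address": "77 Lake Dr", "unit": "ICU"},
}
# Constructed access log entries: (ISO timestamp, employee_id, patient_id).
ACCESS_LOG = [
    ("2024-01-10T09:00:00", "e3", "p3"),  # routine ICU access, nothing to flag
    ("2024-06-15T09:00:00", "e1", "p1"),  # employee shares the patient's last name
    ("2024-06-16T11:00:00", "e2", "p2"),  # terminated employee, shares patient's address
    ("2024-06-20T14:00:00", "e3", "p2"),  # ICU staff viewing an ER patient
    ("2024-06-20T14:01:00", "e3", "p3"),  # first access to p3 after more than 120 idle days
]


def audit_triggers(log, employees, patients, idle_days=120):
    """Return (timestamp, employee_id, patient_id, reasons) for each flagged access."""
    findings = []
    last_seen = {}  # patient_id -> datetime of the previous access to that record
    for ts, emp_id, pat_id in sorted(log):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        emp, pat = employees[emp_id], patients[pat_id]
        reasons = []
        if emp["terminated"]:
            reasons.append("terminated_employee")
        if emp["last_name"] == pat["last_name"]:
            reasons.append("same_last_name")
        if emp["address"] == pat["address"]:
            reasons.append("same_address")
        # Assumed rule: staff on the patient's own unit are legitimate caregivers.
        if emp["unit"] != pat["unit"]:
            reasons.append("other_unit")
        prev = last_seen.get(pat_id)
        if prev is not None and when - prev > timedelta(days=idle_days):
            reasons.append("isolated_activity_after_idle")
        last_seen[pat_id] = when
        if reasons:
            findings.append((ts, emp_id, pat_id, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_triggers(ACCESS_LOG, EMPLOYEES, PATIENTS):
        print(finding)
```

Each flagged row carries every trigger it matched, so a reviewer can prioritize accesses that hit more than one.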
Finally, specialized third-party audit tools use prewritten queries and reports to analyze data automatically and quickly generate audit reports from search criteria that match an organization’s audit “triggers”. In some cases this allows an organization to collect and analyze information as soon as the following day.