Q&A: Auditing user activity
Q: What type of activity must be audited to comply with the HIPAA requirement to audit electronic medical record (EMR) activity? Does this include every action a user takes within a record and the length of time a user spends in a record?
A: You need to audit actions taken by users. This includes additions, changes, deletions, and viewing. Additionally, you need to look for red flags such as an employee looking at the records of family members, or when it appears an employee is looking at a chart because of a headline in the paper about an injury or accident. It is not necessarily as important to look at how long a user was accessing an individual record.
There are a variety of ways you can conduct your audit. Large and medium-sized healthcare providers can invest in an automated audit monitoring system such as those available from organizations like Maize Analytics, FairWarning, or Spher. These solutions provide active monitoring of your EMR and alert you to anomalies. That way, there is no need to look at all records your employees are accessing. Smaller healthcare providers may not have sufficient budget to pay for these solutions. In that case, a workable idea is to audit a percentage of your workforce monthly and audit a different percentage of your workforce’s activity as it relates to your EMR.
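The two red flags named above (a user opening a chart whose patient shares the user's surname, and a single chart drawing many distinct viewers in one day, as happens after a news story) and the monthly sampling approach for smaller providers can all be run against an EMR access log. The following is an added example, not code from the column or any of the products it mentions; the log records, field layout and thresholds are constructed for illustration, and a surname match is only a prompt for manual review.

```python
import random
from collections import defaultdict
from datetime import datetime

# Constructed EMR access-log records (illustrative, not real data).
# Fields: user_id, user_surname, patient_id, patient_surname, action, timestamp
AUDIT_LOG = [
    ("u01", "Lopez",  "p100", "Lopez",  "view",   "2024-03-04T09:12:00"),
    ("u02", "Nguyen", "p200", "Carter", "update", "2024-03-04T09:30:00"),
    ("u03", "Patel",  "p300", "Brown",  "view",   "2024-03-05T10:02:00"),
    ("u04", "Kim",    "p300", "Brown",  "view",   "2024-03-05T10:15:00"),
    ("u05", "Diaz",   "p300", "Brown",  "view",   "2024-03-05T11:40:00"),
    ("u06", "Singh",  "p300", "Brown",  "view",   "2024-03-05T12:05:00"),
    ("u02", "Nguyen", "p400", "Evans",  "delete", "2024-03-06T08:45:00"),
]

def flag_possible_family_access(log):
    """Red flag 1: any action (view, add, change, delete) on a chart whose
    patient shares the user's surname. Heuristic only; a reviewer decides."""
    return [(u, p, act) for u, usn, p, psn, act, _ in log
            if usn.lower() == psn.lower()]

def flag_chart_access_spikes(log, threshold=3):
    """Red flag 2: more than `threshold` distinct users touching the same
    chart on one day, the pattern seen when a patient is in the news.
    Returns {(patient_id, day): sorted user_ids} for every spike found."""
    seen = defaultdict(set)
    for u, _, p, _, _, ts in log:
        day = datetime.fromisoformat(ts).date().isoformat()
        seen[(p, day)].add(u)
    return {k: sorted(v) for k, v in seen.items() if len(v) > threshold}

def sample_workforce(user_ids, percent, seed=0):
    """Smaller-provider approach: choose a fixed percentage of the workforce
    for this month's manual review. Record the seed so the same sample can
    be reproduced later; change it each month to rotate who is reviewed."""
    pool = sorted(set(user_ids))
    n = max(1, round(len(pool) * percent / 100))
    return random.Random(seed).sample(pool, n)

if __name__ == "__main__":
    print("family-name matches:", flag_possible_family_access(AUDIT_LOG))
    print("chart spikes:", flag_chart_access_spikes(AUDIT_LOG))
    print("March review sample:", sample_workforce([r[0] for r in AUDIT_LOG], 50, seed=7))
```

Both flags produce review queues rather than verdicts; the reviewer still has to confirm whether each flagged access had a treatment, payment or operations reason.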
Editor’s note: Chris Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.