Healthcare News & Insights

Electronic audits keep hospitals on top of possible data breaches

Electronic health record (EHR) systems make it easier for employees to access patient records, even when they aren’t supposed to. But they also make it easier to catch these employees through electronic audits.

Under the security standard of HIPAA, all EHR systems must have role-based or context-based access controls. This allows users to only access the data they need to perform their jobs. But unfortunately, some employees can’t avoid temptation.

Electronic audits are designed to nab those who exploit EHR systems. Your audit reports should look at:

  • who accessed what information,
  • when the information was accessed, and
  • how long it was looked at.

How often to audit

There is no hard-and-fast rule as to how often a hospital should conduct electronic security audits, but it should be done on a regular basis.

The Department of Health & Human Services recommends that at a minimum, a review of user activities within clinical applications should be conducted monthly. However, some facilities conduct weekly audits for near real-time reports.

You may also want to run “extra” audit reports if you have a celebrity or high-profile person staying at your facility whose presence might pique the interest of employees.

What you don’t want to do is conduct audits only when you suspect wrongdoing. By then it could be too late and you could be dealing with a major breach. Conducting regular audit reports keeps you on top of anyone who is overstepping their electronic data boundaries.

Caught red handed

Dale Munroe, an employee at Florida Hospital Celebration Health who registered emergency department patients, was arrested in August and faces federal fraud charges for allegedly selling the information of patients who had been in car accidents to lawyers and chiropractors.

Thanks to electronic audits of the hospital EHR system, the FBI discovered that during the time of Munroe’s alleged misdeeds, he accessed more than 763,000 patient records — the average employee accessed approximately 12,100. The audits also showed Munroe viewed the records of patients involved in car crashes longer than patients who were in the emergency room for other reasons.
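The two signals the audit findings above describe, a user opening far more records than peers and lingering longer on one category of patient, can be pulled out of an access log mechanically. The following is an added example, not code from this article or from any hospital's EHR system; the log format (user, patient, open time, close time, encounter reason), the threshold factors and the sample lines are all constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample EHR access-log lines (not real data).
# Fields: user_id, patient_id, opened (epoch s), closed (epoch s), encounter_reason
SAMPLE_LOG = """\
u01,p100,1000,1060,car_accident
u01,p101,1100,1180,car_accident
u01,p102,1200,1215,other
u01,p103,1300,1370,car_accident
u01,p104,1400,1490,car_accident
u01,p105,1500,1520,other
u02,p100,1000,1020,car_accident
u02,p106,1100,1120,other
u03,p107,1000,1010,other
u03,p108,1100,1115,car_accident
"""

def parse_log(text):
    """Return a list of (user, patient, view_seconds, reason) tuples."""
    records = []
    for line in text.strip().splitlines():
        user, patient, opened, closed, reason = line.split(",")
        records.append((user, patient, int(closed) - int(opened), reason))
    return records

def user_stats(records):
    """Per user: number of records opened, and mean view time per encounter reason."""
    counts = defaultdict(int)
    durations = defaultdict(lambda: defaultdict(list))
    for user, _patient, secs, reason in records:
        counts[user] += 1
        durations[user][reason].append(secs)
    means = {u: {r: sum(d) / len(d) for r, d in by_reason.items()}
             for u, by_reason in durations.items()}
    return counts, means

def flag_outliers(records, count_factor=3.0, dwell_factor=2.0, reason="car_accident"):
    """Flag a user for "volume" when their access count is at least count_factor times
    the median across all users, and for "dwell" when their mean view time on `reason`
    records is at least dwell_factor times their own mean on "other" records.
    The median baseline is only meaningful with a reasonable number of users."""
    counts, means = user_stats(records)
    baseline = median(counts.values())
    flagged = {}
    for user, n in counts.items():
        hits = ["volume"] if n >= count_factor * baseline else []
        focus, other = means[user].get(reason), means[user].get("other")
        if focus is not None and other is not None and focus >= dwell_factor * other:
            hits.append("dwell")
        if hits:
            flagged[user] = hits
    return flagged
```

Run on the sample log, only u01 is flagged, on both volume and dwell time; in practice the per-reason dwell comparison is what separates a busy registrar from one studying a particular class of patient.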

Munroe has pleaded not guilty.

Prevent access

Most EHR systems can be set up to give warnings if an employee strays beyond their access limits. After all, it’s better to prevent a breach than to have to deal with it after it happens.

Also, letting all employees know that your facility runs regular electronic audit reports — but not telling them exactly when you run them or what you look for — can help deter employees who are thinking of going beyond their limits.

Getting the message out that your facility takes compliance and protecting patients’ health information very seriously is a great preventive measure. Just don’t rest on your laurels. The audits need to be done without fail.
