HIPAA violations caused by access issues have made news in recent weeks, where current or past employees have abused their access to EHR patient records to snoop on or steal protected health information (PHI). One rather disturbing example of such abuse was uncovered just this week at the Canton, Ohio-based Aultman Health Foundation. In this case, the PHI of roughly 7,300 patients was compromised (including Social Security numbers, health insurance info, home addresses, birthdates and treatment details).
Surprisingly, all of these violations were the work of just one employee who inappropriately snooped on patient records over a span of more than eleven years (September 2009 to April 2021). The unidentified employee has since been terminated and had his/her access revoked. Of course, this does not undo the damage that has already been done.
The sad truth about a case such as this is that it was easily avoidable and should never have been allowed to happen in the first place. The employee most definitely should have known better, and the organization should have been doing regular access audits that would have alerted them to this person’s inappropriate activity. To help our readers avoid a similar situation, this blog will discuss the importance of regular access audits and how they can help your practice avoid HIPAA violations due to unauthorized or inappropriate activity in your EHR system.
The Importance of Access Audits
Had the leadership at Aultman Health Foundation required regular access audits to be conducted, the unusual EHR access activity of this lone employee would have been detected long ago (certainly far sooner than over a decade) and they could have avoided being responsible for over 7,000 patients having their data compromised.
To prevent your practice from winding up in a similar predicament, you need to recognize that performing access audits is important for more than just achieving Security Risk Assessment (SRA) compliance. Failing to do so could compromise your practice’s PHI data and cause harm to both patient trust and your brand’s reputation, not to mention the fines and penalties associated with HIPAA violations.
For best practice PHI security, we recommend that you perform audits of your EHR access logs on a quarterly basis (or more frequently if your practice is experiencing high staff turnover).
What to Look Out for During Access Audits
To perform an audit, you should begin by viewing your EHR’s audit log (sometimes called an “audit trail”). This feature should log nearly all accesses and other activity being performed in your practice’s EHR system. Of course, you can stare at it all day long and it won’t do you much good unless you know what you should be looking for. Just telling you to look for “unusual activity” isn’t very helpful, so let’s get a little more specific.
As you are viewing your audit log report, here are some tell-tale warning signs of unusual or inappropriate activity that you should be looking for:
- Anyone reviewing records after hours for no discernible reason
- Anyone accessing records for which they have no clear purpose to do so
- Pay close attention to any access being made to records belonging to patients who may be practice employees or their family members, practice leadership, celebrities (national or local) and/or other persons of interest
- Check for any access that occurred from a location that is uncommonly used (e.g., people accessing records from a non-clinic IP address)
- Review the log for changes that were made to medical records with no apparent reason for doing so or records that have been deleted for no clear purpose
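The warning signs above are exactly the kind of rules a reviewer can apply to an audit-log export instead of reading it line by line. The following Python script is an added example written for this post; it is not code from Nextech or from any EHR product. It assumes a simple CSV-style audit trail (timestamp, user, patient, action, source IP), a constructed clinic address range, a constructed watchlist of employee/VIP patient IDs, and a constructed care-team roster that stands in for "a clear purpose" to open a record. Each entry is checked for after-hours access, access without a treatment relationship, watchlist patients, non-clinic IP addresses, and deletions or unexplained changes, and flagged entries are then tallied per user so the reviewer knows where to look first.

```python
"""Scan a constructed EHR audit-trail export for the warning signs listed above."""
from collections import Counter
from datetime import datetime, time
import csv
import io
import ipaddress

# --- Assumptions, all constructed for this example (not from the post) ---
CLINIC_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]   # the practice's own address space
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)     # "after hours" is outside this window
WATCHLIST_PATIENTS = {"P-1003", "P-1017"}                  # employees, family, leadership, VIPs
CARE_TEAM = {                                              # patient -> users with a treatment relationship
    "P-1001": {"drlee", "rn.smith"},
    "P-1002": {"drlee"},
    "P-1003": {"drpatel"},
    "P-1017": {"drlee"},
}

# Constructed audit-trail export: timestamp,user,patient,action,source_ip
AUDIT_LOG = """\
timestamp,user,patient,action,source_ip
2021-03-02T09:14:03,rn.smith,P-1001,VIEW,10.20.4.15
2021-03-02T23:41:10,clerk.jones,P-1003,VIEW,10.20.4.22
2021-03-03T10:05:44,clerk.jones,P-1002,VIEW,203.0.113.8
2021-03-03T11:30:00,drlee,P-1001,UPDATE,10.20.4.15
2021-03-04T12:12:12,clerk.jones,P-1002,DELETE,10.20.4.22
2021-03-04T13:00:00,drlee,P-1017,VIEW,10.20.4.15
"""


def parse_log(text):
    """Turn the CSV export into dicts with a real datetime and IP address."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["source_ip"] = ipaddress.ip_address(row["source_ip"])
        rows.append(row)
    return rows


def flags_for(entry):
    """Return the warning-sign labels that apply to one audit-log entry."""
    flags = []
    ts = entry["timestamp"]
    # Weekend or outside the business-hours window counts as after hours
    if ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END):
        flags.append("after-hours")
    # No treatment relationship on record is the closest log-level proxy for "no clear purpose"
    if entry["user"] not in CARE_TEAM.get(entry["patient"], set()):
        flags.append("no-treatment-relationship")
    if entry["patient"] in WATCHLIST_PATIENTS:
        flags.append("watchlist-patient")
    if not any(entry["source_ip"] in net for net in CLINIC_NETWORKS):
        flags.append("non-clinic-ip")
    if entry["action"] == "DELETE":
        flags.append("record-deleted")
    elif entry["action"] == "UPDATE" and "no-treatment-relationship" in flags:
        flags.append("unexplained-change")
    return flags


def audit(entries):
    """Return (entry, flags) for every entry that trips at least one warning sign."""
    return [(e, f) for e in entries if (f := flags_for(e))]


def findings_by_user(findings):
    """Count flagged entries per user; the reviewer should look hardest at the top of this list."""
    return Counter(e["user"] for e, _ in findings)


if __name__ == "__main__":
    results = audit(parse_log(AUDIT_LOG))
    for entry, flags in results:
        print(entry["timestamp"], entry["user"], entry["patient"], entry["action"], ", ".join(flags))
    print(findings_by_user(results))
```

On the constructed log, the routine nursing view and the physician's own update produce nothing, while the clerk's late-night look at a watchlist patient, the view from an outside address, and the deletion are all surfaced, and the per-user tally points straight at that account. The rules are deliberately simple; what matters for a quarterly audit is that they run over the whole export every time, so a pattern that would be invisible in any single week stands out over a quarter.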
Remember, performing regular access audits is about more than just SRA compliance. It’s about keeping your PHI safe, maintaining patient trust and protecting your practice’s brand reputation.
To learn how Nextech’s cloud-based EHR can help your practice keep its data safe and secure, fill out this form and a member of our team will be in touch!