HIPAA: A tool that helps you sniff out EHR snoops

March 28, 2008

The case of entertainer Britney Spears and her peeked-at digital chart illustrates the value of an EHR audit trail.

Earlier this month, the Los Angeles Times reported that UCLA Medical Center was set to fire at least 13 employees and suspend six more for perusing the electronic record of the pop star during a recent psychiatric hospitalization. Six physicians also got in trouble for taking an unauthorized look.

UCLA Medical Center would neither officially confirm nor deny that Spears was a patient, but what’s clear is that the hospital identifies snoops through the audit-trail function of its EHR. This tool reveals who looked at a record, when they looked at it, and much, much more, says Carole Klove, the institution’s chief compliance and privacy officer.

“We can tell how someone searched for a patient record, whether they used a name or a record number,” says Klove. “We can tell what particular document or screen a person looked at, and for how many seconds. With most of our hospital systems, we can tell what computer was used.”

An EHR must be able to create an audit trail to comply with the security requirements of HIPAA. Accordingly, the Certification Commission for Healthcare Information Technology, or CCHIT, won’t certify an EHR unless it has this capability.

Audit trails play less of a security role in solo offices, where a handful of trusted employees eyeball virtually every record, notes Marlene Jones, vice president for group operations at the consulting firm PivotHealth in Brentwood, TN. However, as practices grow in size, says Jones, the need to police recreational record-reading increases.

Your patients may not include a headline-making entertainer, but it’s likely that you have some lower-level VIPs whose records might tempt a nosy employee: the mayor, a partner’s wife, or a high school football star. If you use an EHR, you can detect snooping by checking the audit trails of select records on a monthly or quarterly basis. Some EHRs even allow you to study the audit trail of a particular employee across multiple records, as opposed to zeroing in on a particular record.

There’s deterrence power in warning employees that someone is watching. “They need to understand that when they look at a record, they leave an electronic fingerprint,” says Carole Klove, whose hospital actively monitors log-ins to high-profile records.

As an extra safeguard, consider using administrative controls in an EHR to prevent certain employees from reviewing certain records, or portions of all records, as a matter of course. However, you’ll still need to monitor audit trails because employees often latch on to the IDs and passwords of more privileged computer users, says Syracuse healthcare IT consultant Rosemarie Nelson. A biller, for example, may open Mr. Smith’s file by logging in as a doctor. In that instance, an audit trail might reveal suspicious activities: the doctor is shown reviewing a record when he was actually in the operating room at the time.
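The two audit-trail reviews described above (checking who opened a watch-listed record, and spotting an account in use while its owner was in the operating room) can be scripted once the audit trail is exported. The example below is added here for illustration and is not code from any EHR vendor, UCLA Medical Center, or the consultants quoted; the pipe-delimited log format, the field names, the sample events, the VIP list, the care-team roster and the OR schedule are all constructed assumptions. It parses the log, lists accesses to watch-listed records by anyone outside the care team, shows one employee's trail across all records, and flags accesses made under an account during a window when its owner was scheduled somewhere they could not have been at a keyboard.

```python
"""Review an exported EHR audit trail for record snooping and borrowed logins.

Hypothetical, self-contained example. The log layout, field names and every
sample value are constructed for this illustration, not taken from a real EHR.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    when: datetime      # time the screen was opened
    user: str           # account that performed the access
    role: str           # role of that account (MD, RN, BILLER, ...)
    patient: str        # medical record number
    screen: str         # document or screen that was viewed
    workstation: str    # terminal the access came from
    seconds: int        # how long the screen stayed open


def parse_audit_log(lines):
    """Parse pipe-delimited audit lines (constructed format) into AuditEvents."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, screen, ws, secs = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), user, role,
                                 patient, screen, ws, int(secs)))
    return events


def vip_snoop_report(events, vip_records, care_team):
    """Accesses to watch-listed records by users not on that record's care team."""
    return [e for e in events
            if e.patient in vip_records
            and e.user not in care_team.get(e.patient, set())]


def user_trail(events, user):
    """Everything one account touched, oldest first (the per-employee view)."""
    return sorted((e for e in events if e.user == user), key=lambda e: e.when)


def borrowed_credential_report(events, unavailable):
    """Accesses under an account while its owner was scheduled away from a keyboard.

    `unavailable` maps a user to (start, end, where) windows from the schedule,
    e.g. time booked in the operating room.  Returns (event, where) pairs.
    """
    hits = []
    for e in events:
        for start, end, where in unavailable.get(e.user, []):
            if start <= e.when <= end:
                hits.append((e, where))
    return hits


# Constructed sample audit export: timestamp|user|role|patient|screen|workstation|seconds
SAMPLE_LOG = """
# 2008-03-10 audit export (constructed)
2008-03-10T09:02:11|dr_adams|MD|MRN-100|progress_note|ws-clinic-2|45
2008-03-10T09:15:40|biller_lee|BILLER|MRN-100|claims_summary|ws-billing-1|20
2008-03-10T12:30:05|biller_lee|BILLER|MRN-777|progress_note|ws-billing-1|130
2008-03-10T12:31:50|biller_lee|BILLER|MRN-777|psych_eval|ws-billing-1|210
2008-03-10T14:05:00|dr_adams|MD|MRN-777|psych_eval|ws-billing-1|95
2008-03-10T16:20:00|rn_ortiz|RN|MRN-777|vitals|ws-ward-3|15
"""

VIP_RECORDS = {"MRN-777"}                                   # constructed watch list
CARE_TEAM = {"MRN-777": {"dr_patel", "rn_ortiz"}}           # constructed roster
OR_SCHEDULE = {                                             # constructed schedule
    "dr_adams": [(datetime(2008, 3, 10, 13, 0),
                  datetime(2008, 3, 10, 15, 30), "operating room 2")],
}


def run_review():
    """Run all three checks over the sample export and return the findings."""
    events = parse_audit_log(SAMPLE_LOG.splitlines())
    snoops = vip_snoop_report(events, VIP_RECORDS, CARE_TEAM)
    borrowed = borrowed_credential_report(events, OR_SCHEDULE)
    return events, snoops, borrowed


if __name__ == "__main__":
    events, snoops, borrowed = run_review()
    print("Accesses to watch-listed records by non-care-team users:")
    for e in snoops:
        print(f"  {e.when}  {e.user:<11}{e.role:<7}{e.screen:<15}{e.workstation}  {e.seconds}s")
    print("Account used while its owner was scheduled elsewhere:")
    for e, where in borrowed:
        print(f"  {e.when}  {e.user} opened {e.patient} from {e.workstation} while in {where}")
    print("Trail for biller_lee:")
    for e in user_trail(events, "biller_lee"):
        print(f"  {e.when}  {e.patient}  {e.screen}")
```

In the constructed data the biller opens the watch-listed record twice, and the doctor's account opens the same record from the billing workstation at 14:05, inside a window when that doctor was booked in the operating room; both surface in the reports, while the nurse on the care team does not. On a real export the same three functions run unchanged once the parser matches your EHR's export format.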
