The Department of Health and Human Services sets no specific requirement for how often to perform patient records audits (understandably so, since the frequency should be based on an organization’s own risk environment), and so many healthcare providers wonder what others are doing, or what is “standard” practice. To help find out, for two weeks in mid- to late August I posted a very short, completely unscientific survey specifically to get a feel for what other hospitals and clinics are doing with regard to auditing patient records access and disclosures, as HIPAA requires. Here are the results…
The survey was posted for 2 weeks.
Total who took the survey: 21
- 19 healthcare providers
- 1 business associate (BA) doing work for a healthcare provider
- 1 teacher
Total who completed the survey: 21 (100%)
1. How often do you audit the access logs to electronic patient records? If none of these apply to your organization, please provide your answer in the “Other” area.
MY NOTES: Almost half do not regularly perform audits, instead auditing only where activities occur that flag potential misuse. Are these misuse flags clearly defined? Or, is it just up to whoever happens to be looking at the files to determine if there is possible misuse or improper disclosure? These issues need to be clearly defined and consistently followed.
- Once a week: 19.0% (4)
- Once a month: 33.3% (7)
- Once a quarter: 14.3% (3)
- Bi-annually: 0.0% (0)
- Annually: 0.0% (0)
- Whenever certain activities occur that flag potential misuse: 42.9% (9)
- Never: 19.0% (4)
- Other (please describe):
  - I am a teacher; do not work in a hospital
  - Non-employee providers audited once a month, employees once a quarter
  - Have been working for 4 years on getting an electronic patient record going, still having issues with the vendor.
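One way to make the misuse flags explicit, as an added example that is not from the survey or any respondent's system: three written-down rules run over a constructed access log, so that the records pulled for an access-triggered audit follow the same criteria every time. The log format, unit names, the EMP-<user> identifier convention and the daily threshold are all assumptions.

```python
# Added example of written-down misuse flags over an EHR access log. The log
# format, unit names, threshold and the rows below are constructed for this
# illustration, not taken from the survey or any respondent's system.
import csv
import io
from collections import Counter

# Constructed sample log (not real data): one row per patient-record access.
SAMPLE_LOG = """\
ts,user,user_unit,patient_id,patient_unit
2011-08-15T08:01,nurse01,icu,P100,icu
2011-08-15T09:10,clerk07,ortho,P100,icu
2011-08-15T09:11,clerk07,ortho,P102,ortho
2011-08-15T09:13,clerk07,ortho,P104,peds
2011-08-15T09:15,clerk07,ortho,P106,icu
2011-08-15T10:30,doc03,ortho,P102,ortho
2011-08-15T11:00,doc03,ortho,EMP-doc03,ortho
"""
DAILY_VOLUME_THRESHOLD = 3  # assumed: more accesses per user per day than this is flagged

def parse_log(text):
    """Parse the CSV log into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def flag_accesses(rows, volume_threshold=DAILY_VOLUME_THRESHOLD):
    """Apply three explicit rules; return (rule, user, detail) tuples for review."""
    flags = []
    # Rule 1: unusually many record accesses by one user within one day.
    per_user_day = Counter((r["user"], r["ts"][:10]) for r in rows)
    for (user, day), n in sorted(per_user_day.items()):
        if n > volume_threshold:
            flags.append(("high_volume", user, f"{n} accesses on {day}"))
    for r in rows:
        if r["patient_id"] == f"EMP-{r['user']}":
            # Rule 2: employee opening their own record (ID convention EMP-<user> assumed).
            flags.append(("self_lookup", r["user"], r["patient_id"]))
        elif r["patient_unit"] != r["user_unit"]:
            # Rule 3: patient belongs to a unit the user does not work in.
            flags.append(("out_of_unit", r["user"], f"{r['patient_id']} ({r['patient_unit']})"))
    return flags

def flag_summary(text=SAMPLE_LOG):
    """Flag counts per rule: the records an access-triggered audit would pull."""
    return dict(Counter(rule for rule, _, _ in flag_accesses(parse_log(text))))

if __name__ == "__main__":
    for rule, user, detail in flag_accesses(parse_log(SAMPLE_LOG)):
        print(f"{rule:12} {user:8} {detail}")
```

Every flag carries the rule that produced it, so the reviewer sees why a record was pulled rather than relying on whoever happens to be looking at the files.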
2. How do you determine the sample size for auditing electronic patient records? Please choose all that apply.
MY NOTES: Healthcare providers hold huge numbers of patient records, digital and hard copy. For most organizations that perform regular audits, auditing all of them would not be feasible, even if automated, unless the audit covered a comparatively small type of file. So the challenge is to determine how many to audit in order to capture a representative sample. The responses show that the most common practices fall at both ends of the spectrum: either all of the records or a very small percentage. I was a little surprised that none use a formula such as Slovin’s Formula to determine sample size; perhaps that is something not well known in the healthcare provider space.
- Audit all of them: 23.8% (5)
- Sample 50% – 100%: 0.0% (0)
- Sample 25% – 49%: 4.8% (1)
- Sample 10% – 24%: 9.5% (2)
- Sample 5% – 9%: 0.0% (0)
- Sample 1% – 4%: 23.8% (5)
- Use Slovin’s formula: 0.0% (0)
- Use some other sample size formula: 4.8% (1)
- Use some other method to determine sample size: 38.1%
- Other (please describe the other type of method you use): 6 responses
  - I am a teacher; do not work in a hospital
  - All employees and 25% sample of non-employee providers
  - Have been working for 4 years on getting an electronic patient record going, still having issues with the vendor
  - Up to the discretion of the facility but include looking for patterns of unusually large access by an employee and paying special attention to high risk areas.
  - Varies depending on the type of audit
  - We do not use sample size, but audit based on flagged records.
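Slovin’s formula worked through, as an added example that is not part of the post: it shows why the percentage buckets above say little on their own, because the required sample approaches 1/e² (400 records at a 5% margin of error) regardless of population size, so a 1% sample is far more than needed for millions of records and far too few for a few hundred. The function names, record counts and random seed are assumptions.

```python
# Added example (not from the survey or any respondent): Slovin's formula
# n = N / (1 + N * e^2) for the audit sample size, where N is the number of
# records in the audit population and e the tolerated margin of error.
# The record counts and seed below are constructed for the illustration.
import math
import random


def slovin_sample_size(population, margin_of_error):
    """Sample size per Slovin, rounded up so the sample is never too small."""
    if population <= 0 or not 0 < margin_of_error < 1:
        raise ValueError("population must be positive and 0 < e < 1")
    return math.ceil(population / (1 + population * margin_of_error ** 2))


def sample_as_percent(population, margin_of_error):
    """Share of the population the Slovin sample represents, for comparison
    with the percentage buckets in the survey question."""
    n = slovin_sample_size(population, margin_of_error)
    return round(100.0 * n / population, 2)


def choose_sample(record_ids, margin_of_error, seed=None):
    """Simple random sample of record identifiers of Slovin size; a fixed seed
    makes the draw reproducible for the audit work papers."""
    ids = list(record_ids)
    n = slovin_sample_size(len(ids), margin_of_error)
    return sorted(random.Random(seed).sample(ids, n))


if __name__ == "__main__":
    # Constructed populations: a small clinic, one hospital, a multi-state system.
    for N in (500, 50_000, 5_000_000):
        print(f"N={N:>9,}  n={slovin_sample_size(N, 0.05):>4}  "
              f"({sample_as_percent(N, 0.05)}% of records at e=0.05)")
    print(choose_sample(range(1, 501), 0.05, seed=2011)[:10])
```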
3. What position or department is responsible for auditing the electronic patient records? Please check all that apply.
MY NOTES: It seems that the two areas doing most of the auditing in hospitals are the privacy and information security departments. This aligns pretty much with what I’ve seen.
- Internal Audit Department: 14.3% (3)
- Information Security Department: 42.9% (9)
- Privacy Department: 42.9% (9)
- Compliance Department: 19.0% (4)
- Information Technology Department: 14.3% (3)
- Nursing Staff: 4.8% (1)
- Office Management Staff: 14.3% (3)
- Other (please describe the area or type of entity that performs the audits): 2 responses
  - I am a teacher; do not work in a hospital. You should have had a HIM Department option
  - Have been working for 4 years on getting an electronic patient record going, still having issues with the vendor
4. To assist with analyzing the results, please check all the following that apply. Please provide any additional information you believe it is important to share about your organization within the “Other” area:
MY NOTES: It appears most of the respondents were from large hospital systems.
- Your organization is officially considered to be an Affiliated Covered Entity (ACE) under HIPAA: 23.8% (5)
- Your organization is working to become an ACE: 0.0% (0)
- Your organization is not an ACE and is not working to become one: 4.8% (1)
- Your organization is a single hospital with no clinics: 0.0% (0)
- Your organization is a single hospital with one or more clinics: 19.0% (4)
- Your organization has multiple hospitals and clinics within one state: 28.6% (6)
- Your organization has multiple hospitals and clinics throughout more than one state: 14.3% (3)
- None of the above. Please provide some information about your type of organization in the “Other” field below: 19.0% (4)
- Other (please specify): 3 responses
  - I am a teacher; do not work in a hospital
  - Local government public health and behavioral health agency
  - Business Assoc
5. What comments, questions, concerns or advice would you like to share with the survey participants about auditing patient records?
MY NOTES: I found it interesting that some hospitals view their DLP systems as their audit tools. While DLP tools can catch PHI before it leaves the network, they typically cannot catch insiders who inappropriately access patient files, which is a growing concern given the increasing number of such incidents.
This and previous answers show that determining how often to audit, and how much to audit, are challenges for a large portion of hospitals and clinics.
- I have worked with a number of hospitals/hospital systems in the past year and few are regularly reviewing access logs. This is a people/process/technology issue that I am counseling CIOs to budget to address by early 2012.
- I am a teacher. I look forward to the results of your survey and find it interesting that you did not include the Health Information Management/Medical Record Department as a choice in #3.
- Approaches to determining sample size
- We do not audit record access anywhere near enough, and the peers I talk with do not do so either.
- We also have deployed a real-time, network-based Data Leak Prevention system to prevent disclosures in email, Web, or any other IP-based communication. Also allows us to monitor Business Associates who may not be implementing data security measures as strongly as they need.
- Securing patient records is a collaborative effort between the security office that detects inappropriate access and triages with the help of management, to management that owns the data and reviews users’ access privileges to the records, to internal audit verifying that the process of preventing, detecting, triaging, and remediating is effective and working as intended.
Tags: accounting, audit, auditing, clinics, disclosures, hospitals, privacy, survey