Auditing medical records may come across as a time-consuming and burdensome task, but the benefits far outweigh the inconvenience.
But ‘what’s the point of auditing medical records?’ you might ask.
Well, because electronic medical records make access so easy, there need to be adequate measures in place to prevent unauthorized individuals from viewing the data.
The threat is real. In 2015, thousands of patients across Toronto had their confidential records accessed seemingly for no medical reasons. In one case, a nurse viewed former Toronto mayor Rob Ford’s medical file when he checked in for cancer treatment.
A former clerk at a healthcare provider also sold medical records of new mothers to insurance companies and financial services firms.
These data violations are distressing. Electronic medical records are meant to shore up things like security and privacy, not undermine them. That’s where medical records auditing plays a vital role — it can catch the culprit and deter would-be ones.
Medical Record Auditing Guidelines
A Look into Each Medical Record Auditing Type
Let’s discuss the three major types of auditing medical records.
1. Reactive Auditing and Monitoring
Reactive auditing is triggered when there’s suspicion of a privacy breach. If, for example, a patient lodges a complaint or requests insight into access logs, then there’s a reason to suspect that something’s amiss.
2. Proactive Auditing and Monitoring
As the name suggests, proactive auditing takes place at random intervals throughout the year and not just when there’s suspicion of a data breach. Robust auditing mechanisms result in deterrents and make would-be snoopers think twice about the consequences of their actions.
In an ideal setting, proactive auditing is applied to a sample drawn from all users authorized to access personal health information. Just because a user is allowed to access medical files doesn’t mean they need to all the time. For example, if a nurse views information on patients she’s not assisting, that is a potential red flag and a possible breach of confidentiality.
3. Consent-related Auditing and Monitoring
Electronic medical records do come with ease of access, but patients can request changes to who may access their records. Auditing records helps identify when those consent directives have been violated or modified without authorization.
Frequency of Audits
We spoke about the three major types of audits, so the next question is, ‘how often should an audit take place?’
There’s no hard and fast rule, but the following factors usually apply:
Size of the Organization
Larger healthcare providers mean more patients and thousands of medical records stored. Of course, this requires systematic and frequent audits to ensure data compliance and integrity.
Number of Users
The higher the number of users, the greater the risk of unauthorized data access. But this isn’t restricted to large healthcare organizations alone. It’s entirely possible that smaller players have granted permission levels liberally and without proper due diligence.
Frequency of Access
There’s a direct relationship between how often staff members access medical records and how often you should audit.
Sensitivity of Information
If your medical records contain highly-sensitive information, then it’s a good idea to engage in frequent audits. This reduces the chances of a data breach.
Previous Privacy Incidents
If your organization has a history of frequent data breaches or violations to user privacy, then you’re going to want to maintain a robust audit mechanism. Prevention is, after all, better than cure.
What Should I Include in the Audit?
When you’re investigating a possible security breach, it’s vital that your EHRs have the necessary information. This allows auditors to determine when the breach took place and the possible culprit.
Hence, your audit should include:
- Who accessed the record, when, and for how long?
- What, if any, alterations took place?
- Which terminal was the record accessed from?
- When were tests ordered, results available/accessed, etc.?
To track compliance and ensure access logs are used only for authorized purposes, maintain an inventory of all access logs generated or reviewed, along with the name of each individual who used the access logs and the date they did so.
In addition to assigning roles to the individuals conducting auditing and monitoring, the responsibilities of service providers who host the records, or who supply the technology used to audit and monitor them, should be set out in agreements and communicated to all relevant parties.
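The reactive and proactive audits described above, run over the kind of access log the article says an EHR should keep, as an added example that is not from the original post or from True North. The log entries, care-team assignments and the browsing threshold are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample EHR access log with the fields the article says an audit
# needs: who accessed the record, when, for how long, from which terminal, and
# whether anything was altered. These are not real patients or staff.
Access = namedtuple("Access", "user role patient ts seconds terminal action")

ACCESS_LOG = [
    Access("nurse_a", "nurse", "P100", "2015-03-02T09:14", 240, "WARD3-T1", "view"),
    Access("nurse_a", "nurse", "P101", "2015-03-02T09:20", 180, "WARD3-T1", "update"),
    Access("nurse_a", "nurse", "P999", "2015-03-02T12:41", 30, "WARD3-T1", "view"),
    Access("clerk_b", "clerk", "P100", "2015-03-02T13:05", 60, "ADMIN-T4", "view"),
    Access("clerk_b", "clerk", "P102", "2015-03-02T13:07", 45, "ADMIN-T4", "view"),
    Access("clerk_b", "clerk", "P103", "2015-03-02T13:08", 50, "ADMIN-T4", "view"),
    Access("dr_c", "physician", "P999", "2015-03-02T14:00", 600, "CLINIC-T2", "update"),
]

# Constructed care assignments: which patients each user is currently treating.
# A real system would derive this from admission or scheduling data (assumption).
CARE_TEAM = {
    "nurse_a": {"P100", "P101"},
    "dr_c": {"P999"},
    "clerk_b": set(),  # registers patients but has no treatment relationship
}

def reactive_audit(log, patient):
    """Reactive audit: every access to one patient's record, oldest first.
    This is the report pulled when a patient complains or asks who saw their file."""
    return sorted((a for a in log if a.patient == patient), key=lambda a: a.ts)

def proactive_audit(log, care_team, max_patients_per_hour=2):
    """Proactive audit: flag accesses with no treatment relationship, plus users
    who view more distinct patients in an hour than care work would explain."""
    findings = []
    for a in log:
        if a.patient not in care_team.get(a.user, set()):
            findings.append((a.user, a.patient, a.ts, "no treatment relationship"))
    # Distinct patients viewed per user per hour (ts[:13] is the YYYY-MM-DDTHH prefix).
    per_hour = {}
    for a in log:
        per_hour.setdefault((a.user, a.ts[:13]), set()).add(a.patient)
    for (user, hour), patients in per_hour.items():
        if len(patients) > max_patients_per_hour:
            findings.append((user, ",".join(sorted(patients)), hour, "high-volume browsing"))
    return findings
```

Any flagged access is a lead for investigation, not proof of wrongdoing; the reactive report gives the investigator the full timeline to confirm or clear it.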