msonger
Networker
Our entity has decided that we should conduct random chart access audits for compliance 164.308. Essentially we will be auditing random charts to see which staff have been accessing the chosen random charts during a period of time to confirm that they were within their employed "role" when accessing the chart.
Please share your best practices to include:
1- How many charts do you audit for access? 10% annually is too many (13K pts = 1300 = 109 per month) --- I can't find a reference that advises how many
2- How often you conduct audits vs review access reports?
3- How do you document the review as completed?
4- How do you track workforce members' roles and responsibilities in the chart to compare to the information system activity in the chart?
5- How do you determine which activities require further investigation?
6- Components in your audit logs and access reports?
Athena does allow us to limit user access to the chart by the role of the user, which is a huge benefit and a HIPAA rule. This audit will confirm the Athena user roles are working as designed and that staff who may have access to a certain portion of the chart have official business to be accessing that chart. For example, a provider's clinical staff accessing the record of a patient not in the care of the provider they are assigned to.
Here are the items I have come up with so far, but much of it is manual since we are new to Athena and not sure how much Athena can do for us, should we find the name of the field that records the data that I am looking for:
1- Are we primary care provider? (Adult, Peds, OB)
2- Specialty services of care to pt (Women's Health, Psychiatry, HIV, counseling)
3- Visit dates during period to be audited
4- Were there any chart accesses that were not appropriate as defined by user role compared to visit dates and care coordination? (Yes/No)
5- Description (if Yes)/Comments
6- Should this be forwarded to Corporate Compliance Officer for further investigation?
7- Investigation findings:
8- Note: If random chart chosen is a staff member, our Corporate Compliance Officer will conduct the audit instead of myself.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
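The following is an added example, not part of the original post and not Athena's own reporting. It sketches, in Python, how item 4 above (comparing each chart access against the user's role, the care team, and visit dates) and the random chart selection can be expressed as a repeatable check. All names, dates, roles, the care-team mapping and the per-role review windows in POLICY are constructed assumptions; the real values come from your own role configuration and access reports.

```python
import random
from datetime import date, timedelta

# --- Constructed sample data (hypothetical, not real records) -----------------
# Each workforce member's role as configured in the EHR (names are invented).
ROLES = {
    "dr_adams": "provider",
    "rn_baker": "clinical_staff",
    "clerk_cho": "billing",
    "desk_diaz": "front_desk",
    "dr_evans": "provider",
}
# Clinical staff assigned to each provider's care team (assumed mapping).
CARE_TEAM = {"dr_adams": {"rn_baker"}, "dr_evans": set()}

# Visits: (chart_id, treating provider, visit date)
VISITS = [
    ("C1001", "dr_adams", date(2024, 3, 4)),
    ("C1002", "dr_evans", date(2024, 3, 6)),
    ("C1003", "dr_adams", date(2024, 2, 1)),
]

# Access log: (user, chart_id, access date, chart area accessed)
ACCESSES = [
    ("dr_adams",  "C1001", date(2024, 3, 4),  "clinical"),      # treating provider on visit day
    ("rn_baker",  "C1001", date(2024, 3, 5),  "clinical"),      # assigned staff, next day
    ("rn_baker",  "C1002", date(2024, 3, 6),  "clinical"),      # not on dr_evans's team
    ("clerk_cho", "C1001", date(2024, 3, 20), "billing"),       # billing within window
    ("clerk_cho", "C1003", date(2024, 3, 20), "clinical"),      # billing role in clinical area
    ("desk_diaz", "C1003", date(2024, 2, 1),  "demographics"),  # front desk on visit day
    ("dr_evans",  "C1003", date(2024, 3, 25), "clinical"),      # no visit, no care relationship
]

# Per-role review policy (assumed values): days before/after a visit during
# which access to the listed chart areas is treated as routine.
POLICY = {
    "provider":       {"before": 7,  "after": 30, "areas": {"clinical", "demographics", "billing"}},
    "clinical_staff": {"before": 7,  "after": 30, "areas": {"clinical", "demographics"}},
    "billing":        {"before": 0,  "after": 90, "areas": {"billing", "demographics"}},
    "front_desk":     {"before": 14, "after": 7,  "areas": {"demographics"}},
}


def sample_charts(chart_ids, n, seed):
    """Reproducible random sample of charts for one audit period. Record the seed
    with the review so the same selection can be reproduced for an auditor."""
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(chart_ids), n))


def related_visits(chart_id, user, role):
    """Visit dates on this chart that give the user a care relationship.
    Providers and clinical staff need a visit with their own care team;
    billing and front desk only need a visit on the chart at all."""
    dates = []
    for cid, provider, when in VISITS:
        if cid != chart_id:
            continue
        if role in ("billing", "front_desk"):
            dates.append(when)
        elif user == provider or user in CARE_TEAM.get(provider, set()):
            dates.append(when)
    return dates


def review_access(user, chart_id, when, area):
    """Return None if the access looks routine, otherwise a reason to investigate."""
    role = ROLES.get(user)
    if role is None or role not in POLICY:
        return "unknown user or role"
    rule = POLICY[role]
    if area not in rule["areas"]:
        return f"role {role} accessed restricted area {area}"
    for visit_day in related_visits(chart_id, user, role):
        lo = visit_day - timedelta(days=rule["before"])
        hi = visit_day + timedelta(days=rule["after"])
        if lo <= when <= hi:
            return None
    return "no care relationship or visit within window"


def audit(chart_ids):
    """Findings for every logged access to the sampled charts; these feed the
    Yes/No, description and forward-to-compliance fields of the review record."""
    findings = []
    for user, cid, when, area in ACCESSES:
        if cid not in chart_ids:
            continue
        reason = review_access(user, cid, when, area)
        if reason:
            findings.append({"chart": cid, "user": user,
                             "date": when.isoformat(), "reason": reason})
    return findings


if __name__ == "__main__":
    charts = sample_charts({c for c, _, _ in VISITS}, 2, seed=20240401)
    print("sampled charts:", charts)
    for finding in audit(charts):
        print(finding)
```

Everything that is not explained by a care relationship plus a visit inside the role's window becomes a finding; the finding list, the sample seed and the period reviewed are what you would keep as evidence that the review was completed.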