Wiki Best practices needed: HIPAA Security - Information System Activity - Chart Access Audits

msonger (Myrtle Beach, South Carolina)
Our entity has decided that we should conduct random chart access audits for compliance with 164.308. Essentially we will be auditing random charts to see which staff have been accessing the chosen random charts during a period of time, to confirm that they were within their employed "role" when accessing the chart.

Please share your best practices to include:
1- How many charts do you audit for access? 10% annually is too many (13K pts = 1300 = 109 per month) --- I can't find a reference that advises how many
2- How often you conduct audits vs review access reports?
3- How do you document the review as completed?
4- How do you track workforce members' roles and responsibilities in the chart to compare to the information system activity in the chart?
5- How do you determine which activities require further investigation?
6- Components in your audit logs and access reports?

Athena does allow us to limit user access to the chart by the role of the user, which is a huge benefit and a HIPAA rule. This audit will confirm that the Athena user roles are working as designed and that staff who may have access to a certain portion of the chart have official business accessing that chart. For example, a provider's clinical staff accessing the record of a patient not in the care of the provider they are assigned to.

Here are the items I have come up with so far, but much of it is manual since we are new to Athena and not sure how much Athena can do for us, should we find the name of the field that records the data I am looking for:

1- Are we primary care provider? (Adult, Peds, OB)
2- Specialty services of care to pt (Women's Health, Psychiatry, HIV, counseling)
3- Visit dates during period to be audited
4- Were there any chart accesses that were not appropriate as defined by user role compared to visit dates and care coordination? (Yes/No)
5- Description (if Yes)/Comments
6- Should this be forwarded to Corporate Compliance Officer for further investigation?
7- Investigation findings:
8- Note: If random chart chosen is a staff member, our Corporate Compliance Officer will conduct the audit instead of myself.

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
 
Having done this for previous practices, here is what I did and it worked well (granted, I had audit logs in the EHRs to reference as well):

Please share your best practices to include:

1- How many charts do you audit for access? 10% annually is too many (13K pts = 1300 = 109 per month) --- I can't find a reference that advises how many

There is no guidance that I know of that specifies the number of charts to audit in this instance. Pulling from the OIG Compliance Guidance for Individual/Small Physician Practices, which recommends auditing 5 to 10 charts per physician annually for a baseline audit (in terms of coding and billing), that serves as a starting benchmark. For a small practice (under 15 employees), I would audit 15-20 charts monthly. For a larger practice (15+ employees), 50 to 75 charts quarterly (aimed for 75, but tried to do at least 20 charts a month). The best practice is to be random. One month, I would select 1 chart from each day's schedule that month. Another month, I would select all 10 patients from one physician's schedule and 10 from another.

Your EHR should be able to generate a list of charts accessed over a certain period of time and give you the last visit/note date, which should narrow your focus. If the audit report shows an account has not been accessed since the last visit, then why audit it? However, if the report shows a patient was last seen in 2013 and someone opened the chart in January of 2017, that would be a red flag. The patient could have called with a question (authorized access) or someone could be snooping (unauthorized access). It also helps if the EHR report shows start/end time or duration. Access that lasts 2 seconds could simply be similar patients and someone accidentally selected the wrong chart. I would certainly get in touch with your EHR vendor to determine exactly what reports you can create, as this will help you significantly in your random selection.

2- How often you conduct audits vs review access reports?

Depending on the size of the practice, I audited monthly to quarterly. If quarterly, I tried to spread the charts out over that quarter (see above answer). I reviewed access reports monthly, or weekly with new staff or staff with problems identified on a previous audit. Though, I found it was easier to review them weekly no matter what; it was less to look at. FYI, some EHRs/Practice Management systems have a dashboard that will display user access on a daily basis to an administrator.

3- How do you document the review as completed?

I had an audit checklist where I would list the date, method of chart selection, account #'s of the charts audited, provider names, employees' names, what I audited, any findings or corrective action, any required/planned follow-up, and then signed/dated the checklist.

4- How do you track workforce members' roles and responsibilities in the chart to compare to the information system activity in the chart?

This is going to depend on your EHR/PM and the resources available to you. Most of the EHRs/PMs I have worked with list system activity using terms such as "Add", "Deleted", "Changed", "Created", etc. For example, "Added to PFSH", "Add Medication", "Deleted Allergy", etc. I found it easiest to create an Excel spreadsheet for each member role with a list of approved activities and red-flag activities based on the available options in the EHR/PM. For example, a front desk member should not be creating an office visit note, entering PFSH, or accessing the medication module. I then use this to help me create my checklist. I always have to add extra criteria for things that are not generated by the EHR, such as the items you listed at the end of your post. These will vary greatly by practice.

5- How do you determine which activities require further investigation?

I look for red flags as identified in my spreadsheet. I look into the circumstances and see if there was a valid reason for the red flag. Usually there is.

6- Components in your audit logs and access reports?

Again, this will vary depending on what your EHR product can do. In terms of my checklist, my report always included these minimum fields:
  • Audit Date(s)
  • Method of Random Selection
  • Account #'s of Charts Audited (along with any visit dates, assigned Provider, etc.)
  • Names of the Employees whose access was reviewed
  • Any red flags?
  • Red Flag Investigation Notes (determined to be authorized, not authorized, or undetermined)
  • Any corrective action
  • Follow-Up Plan
  • Signature/Date

I think you have a great start on the items you have come up with, but I would definitely work with your vendor on what reports you can utilize to automate some of this process. I would also recommend adding any "High Profile" patients to the list of charts to be reviewed by the Compliance Officer (e.g. Pro-Athletes, Government Officials, Celebrities, etc.). I hope this helps!
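As an added example (not code from this thread, from Athena, or from any EHR vendor), here is a small Python screen that applies the red-flag rules from the reply above to constructed access-log rows: a role-to-allowed-actions table standing in for the per-role spreadsheet, a "last seen long ago but chart opened now" check, the 2-second wrong-chart note, and a seeded random chart selection. The role policy, the 180-day stale window, the field names and all sample rows are assumptions.

```python
"""Added example: screen constructed EHR access-log rows against a role policy
and last-visit dates, following the reply's red-flag rules (assumptions throughout)."""
from datetime import date, datetime
import random

# Hypothetical role policy in the spirit of the reply's per-role spreadsheet.
ROLE_ALLOWED = {
    "front_desk": {"Viewed Demographics", "Changed Appointment"},
    "nurse": {"Viewed Chart", "Add Medication", "Added to PFSH"},
    "provider": {"Viewed Chart", "Created Office Visit Note", "Add Medication",
                 "Added to PFSH", "Deleted Allergy"},
}
STALE_DAYS = 180       # assumption: access this long after the last visit is worth a look
MISCLICK_SECONDS = 2   # reply: ~2-second accesses are often a wrong-chart selection

def screen_access(row, last_visit):
    """Return the list of flags for one access row (dict); last_visit is a date or None."""
    flags = []
    if row["action"] not in ROLE_ALLOWED.get(row["role"], set()):
        flags.append("action not permitted for role")
    if last_visit is None or (row["when"].date() - last_visit).days > STALE_DAYS:
        flags.append("access long after last visit")
    if flags and row["duration_s"] <= MISCLICK_SECONDS:
        flags.append("very short access: possible wrong chart, lower priority")
    return flags

def pick_random_charts(patient_ids, n, seed=None):
    """Reproducible random sample of charts for the month's audit (seed documents the method)."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(patient_ids), n))

def audit(rows, last_visits):
    """Return {patient_id: [(user, action, timestamp, flags), ...]} for flagged rows only."""
    findings = {}
    for r in rows:
        flags = screen_access(r, last_visits.get(r["patient"]))
        if flags:
            findings.setdefault(r["patient"], []).append(
                (r["user"], r["action"], r["when"].isoformat(), flags))
    return findings

# Constructed sample data (not real patients or staff).
LAST_VISITS = {"P001": date(2017, 1, 10), "P002": date(2013, 6, 4)}
ROWS = [
    {"user": "jdoe", "role": "front_desk", "patient": "P001", "action": "Viewed Demographics",
     "when": datetime(2017, 1, 12, 9, 0), "duration_s": 40},
    {"user": "jdoe", "role": "front_desk", "patient": "P001", "action": "Created Office Visit Note",
     "when": datetime(2017, 1, 12, 9, 5), "duration_s": 300},
    {"user": "rn1", "role": "nurse", "patient": "P002", "action": "Viewed Chart",
     "when": datetime(2017, 1, 20, 14, 0), "duration_s": 2},
]

if __name__ == "__main__":
    for pid, items in audit(ROWS, LAST_VISITS).items():
        print(pid, items)
```

Flagged rows still need the human step the reply describes (checking whether a phone call or care-coordination reason explains the access); the script only narrows what the checklist has to cover.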