Providing Medical Records for an Audit

Savannah

This is how a current audit was handled in our practice: the auditor requested medical records on specific patients. Our medical records person gave the auditor a login/password for our EHR and set them up in a room, unsupervised, to look up the patients he/she needed. Meaning he/she had access to our entire database, not just the records requested.

I, as the Billing Manager, have an issue with this, but my manager says I am overreacting.

Can I please get your opinion as to whether this is the correct way to handle an audit, and whether it is a HIPAA violation for him/her to have access to our entire database and not just the records requested?

Thank you for your time.
Paula
 
If the auditor is an employee of a covered entity or company with whom the practice has a compliant business agreement and was properly vetted prior to gaining access, then this would not be a HIPAA violation as that auditor would be subject to the same laws and regulations as any other employee who has access to the records system. However, it does not sound completely appropriate to me that a 'medical records person' would give an auditor access - this is something that should be handled by the practice's information security or compliance officer to ensure that the proper measures have been taken. Normally anyone who is given access to a system should have a unique ID and password so that the individual's access can be managed and their activity tracked through an audit trail and so that security is not compromised. So the short answer to your questions is 'maybe' - depending on the circumstances of how and to whom this access was given, there may or may not have been a HIPAA violation. It's something a compliance officer would need to review to make a determination.
 
I would agree that a compliance officer needs to make the determination of whether it is a breach. That being said, if it was an insurance company requesting the audit, such as for HEDIS, they should not have access to records that are not covered members of their company.

In my capacity as manager of an SIU for an insurance company, when we request records we request a password-protected CD or thumb drive. When our HEDIS auditors go into an office to review records, they request that the records be pulled and made available. Often this is done by copying the requested files to a folder and giving the auditor access to only that folder; this way they cannot accidentally go into files they should not.

If it is an outside consultant/auditor, then the contract should spell out what records are to be audited and how access is to be supplied. This would require IT personnel to set up the access as read-only. I know that when I do audits as a consultant, I have the provider specifically outline what records are to be audited; if it is a general audit, I have them provide me with a list of the top 10 visit codes and the top billing providers. Then, in consultation with the provider, we agree on the parameters of the audit. I also recommend that a staff member be available for any issues that may arise.
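The "copy the requested files to a folder and give the auditor read-only access to only that folder" approach described in the reply above, as an added example that is not part of the original thread or any poster's own tooling. It assumes a toy record store where each record is a file named `<ID>.txt` (a real EHR would query by patient ID instead); the record IDs, visit notes and export layout are constructed for the example. The export takes an explicit list of requested IDs, refuses IDs that could resolve outside the store (such as `../P002`), reports IDs with no record rather than guessing, makes every exported file and the folder itself read-only, and writes a hash manifest so both sides can later agree on exactly what was handed over.

```python
"""Scoped, read-only export of requested records for an outside auditor.

Added example; the <ID>.txt record layout and the sample records are assumptions.
"""
import hashlib
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Record IDs are restricted to a safe alphabet so a request like "../config"
# can never resolve to a path outside the record store.
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]+$")


def sha256_of(path):
    """SHA-256 hex digest of a file, used for the hand-over manifest."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_audit_export(records_dir, requested_ids, export_dir):
    """Copy only the requested records into export_dir, make every file
    read-only, and return (manifest, missing, rejected).

    manifest: {record_id: sha256 of the exported copy}
    missing:  requested IDs with no record on file (reported, not guessed)
    rejected: requested IDs that failed the SAFE_ID check
    """
    records_dir = Path(records_dir)
    export_dir = Path(export_dir)
    export_dir.mkdir(parents=True, exist_ok=False)  # never reuse an old export

    manifest, missing, rejected = {}, [], []
    for rid in sorted(set(requested_ids)):
        if not SAFE_ID.match(rid):
            rejected.append(rid)
            continue
        src = records_dir / f"{rid}.txt"
        if not src.is_file():
            missing.append(rid)
            continue
        dst = export_dir / src.name
        shutil.copyfile(src, dst)
        os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP)  # 0o440: read-only
        manifest[rid] = sha256_of(dst)

    # The manifest records exactly which files were handed over and their hashes.
    manifest_path = export_dir / "MANIFEST.txt"
    manifest_path.write_text("".join(f"{rid}  {d}\n" for rid, d in manifest.items()))
    os.chmod(manifest_path, stat.S_IRUSR | stat.S_IRGRP)
    # 0o550 on the folder: it can be listed and read, nothing added or removed.
    os.chmod(export_dir, stat.S_IRUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IXGRP)
    return manifest, missing, rejected


def make_sample_store(base_dir):
    """Create a constructed sample record store (not real patient data)."""
    base = Path(base_dir)
    base.mkdir(parents=True, exist_ok=True)
    for rid, note in [("P001", "visit 99213"), ("P002", "visit 99214"), ("P003", "visit 99212")]:
        (base / f"{rid}.txt").write_text(f"record {rid}: {note}\n")
    return base


def exported_files(export_dir):
    """Sorted names of everything the auditor can see in the export folder."""
    return sorted(p.name for p in Path(export_dir).iterdir())


def run_demo():
    """Build a sample store, export a mixed request, and return what happened."""
    work = Path(tempfile.mkdtemp(prefix="audit-export-"))
    store = make_sample_store(work / "records")
    export = work / "export"
    requested = ["P001", "P003", "P999", "../P002", "P001"]  # duplicate, missing, unsafe
    manifest, missing, rejected = build_audit_export(store, requested, export)
    names = exported_files(export)
    return {
        "exported": sorted(manifest),
        "missing": missing,
        "rejected": rejected,
        "folder": names,
        "modes": {n: stat.S_IMODE((export / n).stat().st_mode) for n in names},
        "dir_mode": stat.S_IMODE(export.stat().st_mode),
        "hashes_match": all(manifest[r] == sha256_of(store / f"{r}.txt") for r in manifest),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The auditor's operating-system account is then given read access to the export folder only; the record store itself stays outside that account's reach, and the manifest plus the account's own login trail give the compliance officer something concrete to review afterwards.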
 