Electronic audits can prevent, catch data breaches
■ A practical look at information technology issues and usage
The recent FBI arrest of an employee of Florida Hospital Celebration Health underscores two points about electronic health record systems: they make valuable data easy for a rogue employee to reach, and they also make it easier for that employee to be caught.
The HIPAA Security Rule requires EHR systems to enforce access controls, typically implemented as role-based or context-based restrictions, so that users can reach only the data their job duties require. But when an employee abuses legitimate access to commit a crime, a second required function of the EHR system, the audit trail, is what is designed to detect the behavior.
Audit reports showing who looked at what information, when it was viewed and for how long are among the most important tools a practice has for catching a data snoop in the act. While the HIPAA Security Rule requires covered entities to have an audit function in place, it gives no specifics on how the audit system should work or how often it should be used. Experts say every practice, no matter its size, should make auditing a regularly scheduled activity that is explained clearly to employees and actually carried out.
It’s not clear what routine auditing policies and procedures are in place at Florida Hospital Celebration Health. The hospital did not return calls seeking comment. But when it came to the hospital’s attention that an emergency department employee might be involved in illegal activity, it was the hospital EHR system’s auditing function that helped the FBI build its case.
In an affidavit, the FBI stated that hospital employee Dale Munroe, who registered emergency department patients, had been using his role-based access to the EHR system to obtain information on patients who came to the ED after car crashes. According to the FBI, Munroe was selling the patient information to lawyers and chiropractors, who would contact the patients to solicit their services.
As part of the investigation, an audit of the hospital's EHR system showed that during the same time frame in which Munroe was allegedly selling the data, a typical employee accessed approximately 12,100 patient records; Munroe is accused of accessing more than 763,000. Investigators also found that while Munroe viewed some records for less than a second, he viewed others much longer, and in many cases the records he lingered on belonged to patients involved in car crashes.
The hospital fired Munroe in July 2011. Munroe was arrested in August and faces federal fraud charges. He pleaded not guilty.
When to audit
These kinds of abnormalities are what practices should look for when they perform audits, said Angela Dinh Rose, director of health information management solutions for the American Health Information Management Assn., a trade organization.
The audits should be done on a regular basis, which may vary from once a week to once a quarter, depending on the practice, she said. But if there is suspicion of illegal activity, or if there are high-profile patients that may pique the interest of employees, the audits should be done more often.
Attorney Leslie Spasser, member of the health care industry team for the Norfolk, Va.-based law firm LeClaireRyan, said preventing unauthorized access may be better than uncovering the access after it has occurred. The same functions that limit access based on role or context can be tweaked to issue warnings if it appears that an employee is doing something untoward, she said.
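The three signals in the Munroe case are exactly the kind of comparison a routine audit should make: a user's record volume against that of peers, how many charts were opened for under a second, and whether the charts that were read at length cluster around one kind of patient. The Python script below is an added example, not code from the article or from any hospital or vendor system; it runs those checks over a constructed audit export. The column layout, the user names, the encounter types and the thresholds are all assumptions, and a real EHR export will need its own reader.

```python
import csv
import io
import statistics
from collections import Counter, defaultdict

# Assumed column layout for the audit export (a real EHR export differs).
FIELDS = ["timestamp", "user", "patient_id", "encounter_type", "dwell_seconds"]


def build_sample_log():
    """Constructed sample export, not real data. Three registration clerks
    with similar workloads, plus one user who opens five times as many
    charts, skims a third of them in under a second, and lingers only on
    motor-vehicle-accident ("mva") encounters."""
    common = ["chest_pain", "laceration", "mva", "fever", "fall"]
    other = ["chest_pain", "laceration", "fever", "fall"]
    rows = []
    pid = 1000
    for user in ("clerk_a", "clerk_b", "clerk_c"):
        for i in range(12):
            pid += 1
            rows.append([f"2011-06-01T08:{i:02d}:00", user, f"P{pid}", common[i % 5], "45"])
    for i in range(60):
        pid += 1
        if i % 3:  # two of every three charts are crash patients, read at length
            etype, dwell = "mva", "30"
        else:      # the rest are flipped through in well under a second
            etype, dwell = other[i % 4], "0.4"
        rows.append([f"2011-06-01T09:{i:02d}:00", "snoop", f"P{pid}", etype, dwell])
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(FIELDS)
    writer.writerows(rows)
    return buf.getvalue()


def parse_log(text):
    """Parse the CSV export into event dicts with a numeric dwell time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dwell_seconds"] = float(row["dwell_seconds"])
        events.append(row)
    return events


def profile_users(events, short_cutoff=1.0):
    """Per-user counters: distinct charts opened, total views, views shorter
    than short_cutoff seconds, and a tally of encounter types."""
    profiles = defaultdict(lambda: {"patients": set(), "views": 0, "short": 0, "mix": Counter()})
    for e in events:
        p = profiles[e["user"]]
        p["patients"].add(e["patient_id"])
        p["views"] += 1
        if e["dwell_seconds"] < short_cutoff:
            p["short"] += 1
        p["mix"][e["encounter_type"]] += 1
    return profiles


def flag_outliers(profiles, volume_ratio=3.0, short_fraction=0.25, mix_delta=0.3):
    """Compare each user with the median of all users. The median is robust
    to a single heavy user, so the outlier does not drag the baseline up.
    Returns (user, rule, value) tuples; the thresholds are illustrative."""
    users = sorted(profiles)
    median_volume = statistics.median(len(profiles[u]["patients"]) for u in users)
    types = {t for u in users for t in profiles[u]["mix"]}
    share = {u: {t: profiles[u]["mix"][t] / profiles[u]["views"] for t in types} for u in users}
    median_share = {t: statistics.median(share[u][t] for u in users) for t in types}
    findings = []
    for u in users:
        p = profiles[u]
        volume = len(p["patients"])
        if volume > volume_ratio * median_volume:
            findings.append((u, "volume", volume))
        frac = p["short"] / p["views"]
        if frac > short_fraction:
            findings.append((u, "short_dwell", round(frac, 2)))
        for t in sorted(types):
            if share[u][t] - median_share[t] > mix_delta:
                findings.append((u, f"case_mix:{t}", round(share[u][t], 2)))
    return findings


if __name__ == "__main__":
    for user, rule, value in flag_outliers(profile_users(parse_log(build_sample_log()))):
        print(f"{user}: {rule} = {value}")
```

Run against the constructed log, only the "snoop" account is flagged, on all three rules. The same per-user thresholds, evaluated over a shift rather than a quarter, are the kind of rule an EHR can use to raise a warning while the behavior is still under way, which is the preventive use Spasser describes; the after-the-fact review is the same computation over a longer window.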
Prevention also can come from making it well known in the practice that audits are a regular occurrence.
As part of training about HIPAA and the Health Information Technology for Economic and Clinical Health Act for employees accessing patient information, “I think it’s really important that every employee knows that there is this process in place and it’s designed to not finger-point, but to identify if there are system problems, or confusion about what information should be used under what circumstances,” said Elizabeth Litten, a health law attorney with the New Jersey office of Fox Rothschild. “It’s a way to protect the confidentiality of the patients and keep the entire practice in compliance.”
“I don’t think it’s helpful to do it surreptitiously, because I think everybody in the office should understand the importance of keeping the information protected and to be aware the practice will do everything it can to ensure that there’s ongoing compliance,” Litten said.
Conducting regular audits in a small practice, however, might be a challenge, Spasser said. Staff and resources are limited. But, she added, vendors — particularly vendors of cloud-based systems — may do auditing on behalf of clients. If so, that will be written into a practice’s contract. Vendors may generate auditing reports that are passed on to the practice, or give practices the option of querying specific information. The practice needs to do due diligence to find out what the vendor is offering, what types of reports they are willing and able to run, and how often the reports will be done.
Rose said that if a practice has the resources to install an EHR, it should have the resources to perform an audit. The auditing function likely will be part of the EHR package. In many cases, the job of auditing will fall to the office manager. But to put an extra set of eyes on the audit trail, the physician should also learn how to perform audits, or hire a consultant to do routine reviews of them, she said.