Electronic audits can prevent, catch data breaches

A practical look at information technology issues and usage

Posted Sept. 17, 2012.


The recent FBI arrest of an employee of Florida Hospital Celebration Health helped to underscore two important points about electronic health record systems: They make valuable data easy for rogue employees to access, and they also make it easier for those employees to be caught.

EHR systems, under the security standard of the Health Insurance Portability and Accountability Act, are required to have role-based or context-based access controls, meaning the system will allow users to access only the data they need to perform their job duties. But when employees exploit that access to perform illegal activities, another function of the EHR system — the audit function — is designed to detect the bad behavior.

Audit reports of who looked at what information, when it was seen and for how long are one of the most important tools to help practices catch a data snoop in the act. While HIPAA security rules require covered entities to have an audit function in place, they offer no specifics on how the audit system should work or how often it should be used. But experts say every practice, no matter the size, should make auditing a regularly scheduled activity that is articulated clearly to employees and executed.

It’s not clear what routine auditing policies and procedures are in place at Florida Hospital Celebration Health. The hospital did not return calls seeking comment. But when it came to the hospital’s attention that an emergency department employee might be involved in illegal activity, it was the hospital EHR system’s auditing function that helped the FBI build its case.

In an affidavit, the FBI stated that hospital employee Dale Munroe, who registered emergency department patients, had been using his role-based access to the EHR system to obtain information on patients who came to the ED after car crashes. According to the FBI, Munroe was selling the patient information to lawyers and chiropractors, who would contact the patients to solicit their services.

As part of the investigation, the FBI learned through an audit of the hospital EHR system that during the same time frame Munroe was allegedly engaging in the illegal activity, a typical employee accessed approximately 12,100 patient records. Munroe is accused of accessing more than 763,000 patient records. They also found that while Munroe viewed some records for less than a second, others were viewed longer, and in many cases, those that were viewed longer belonged to patients involved in car crashes.

The hospital fired Munroe in July 2011. Munroe was arrested in August and faces federal fraud charges. He pleaded not guilty.

When to audit

These kinds of abnormalities are what practices should look for when they perform audits, said Angela Dinh Rose, director of health information management solutions for the American Health Information Management Assn., a trade organization.

The audits should be done on a regular basis, which may vary from once a week to once a quarter, depending on the practice, she said. But if there is suspicion of illegal activity, or if there are high-profile patients that may pique the interest of employees, the audits should be done more often.

Attorney Leslie Spasser, member of the health care industry team for the Norfolk, Va.-based law firm LeClaireRyan, said preventing unauthorized access may be better than uncovering the access after it has occurred. The same functions that limit access based on role or context can be tweaked to issue warnings if it appears that an employee is doing something untoward, she said.
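The three signals the FBI affidavit describes (one account touching far more records than a typical employee, sub-second skims mixed with longer reads, and the longer reads clustering on one kind of encounter) can be pulled out of an ordinary access log with a small script, and the same counters can drive the kind of live warning Spasser mentions. The following is an added example written for this article, not code from the hospital, the FBI or any EHR vendor; the log format (CSV with timestamp, user, patient_id, seconds_viewed, encounter_reason), the user names and all the records are constructed, and the thresholds are illustrative assumptions that a practice would tune to its own baseline.

```python
"""Hypothetical audit-trail review over a constructed EHR access log."""
import csv
import io
import statistics
from collections import Counter

# Constructed sample audit trail (not from any real system).
# Columns: timestamp, user, patient_id, seconds_viewed, encounter_reason.
# Three registration clerks doing ordinary work: a few lookups each, read for 30-60 s.
SAMPLE_LOG = """timestamp,user,patient_id,seconds_viewed,encounter_reason
2011-06-01T08:02:11,reg_a,P1001,45.0,chest_pain
2011-06-01T08:10:40,reg_a,P1002,38.0,fall
2011-06-01T08:20:09,reg_a,P1003,51.0,mva
2011-06-01T08:31:05,reg_b,P1004,52.0,mva
2011-06-01T08:45:19,reg_b,P1005,41.0,fever
2011-06-01T08:58:44,reg_b,P1006,33.0,laceration
2011-06-01T09:00:02,reg_c,P1007,60.0,laceration
2011-06-01T09:12:33,reg_c,P1008,47.0,mva
2011-06-01T09:25:50,reg_c,P1009,29.0,fall
"""


def _build_burst(user="reg_x"):
    """Constructed burst from one hypothetical account: 30 records skimmed in
    under a second each, then 10 motor-vehicle-accident (mva) records read at length."""
    reasons = ["fall", "fever", "chest_pain", "laceration", "mva"]
    lines = [f"2011-06-01T10:{i:02d}:00,{user},P2{i:03d},0.4,{reasons[i % 5]}" for i in range(30)]
    lines += [f"2011-06-01T11:{i:02d}:00,{user},P3{i:03d},40.0,mva" for i in range(10)]
    return "\n".join(lines) + "\n"


AUDIT_TRAIL = SAMPLE_LOG + _build_burst()


def parse_audit_log(text):
    """Parse the CSV trail into a list of dicts with a numeric seconds_viewed."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["seconds_viewed"] = float(row["seconds_viewed"])
        events.append(row)
    return events


def access_counts(events):
    """Records touched per user over the review period."""
    return Counter(e["user"] for e in events)


def flag_volume_outliers(counts, factor=5.0):
    """Flag users whose record count exceeds `factor` x the median of all other users.
    Returns {user: (count, baseline_median)}."""
    flagged = {}
    for user, n in counts.items():
        others = [c for u, c in counts.items() if u != user]
        if others and n > factor * statistics.median(others):
            flagged[user] = (n, statistics.median(others))
    return flagged


def dwell_profile(events, user, short=1.0):
    """Split one user's views into skims (under `short` seconds) and real reads."""
    mine = [e for e in events if e["user"] == user]
    skims = sum(1 for e in mine if e["seconds_viewed"] < short)
    return {"skims": skims, "reads": len(mine) - skims}


def read_reason_skew(events, user, short=1.0):
    """For records this user actually read (not skimmed), compare each encounter
    reason's share against its share of all records accessed by anyone.
    A ratio well above 1 means the longer views cluster on that reason."""
    all_reasons = Counter(e["encounter_reason"] for e in events)
    total = sum(all_reasons.values())
    mine = Counter(e["encounter_reason"] for e in events
                   if e["user"] == user and e["seconds_viewed"] >= short)
    mine_total = sum(mine.values())
    return {reason: round((n / mine_total) / (all_reasons[reason] / total), 2)
            for reason, n in mine.items()}


def rate_alerts(events, threshold=20):
    """Lookups per user per clock hour; every bucket over `threshold` is returned as
    (user, hour, count). This is the counter a live warning would hang on."""
    buckets = Counter((e["user"], e["timestamp"][:13]) for e in events)
    return [(u, h, n) for (u, h), n in sorted(buckets.items()) if n > threshold]


def review(text=AUDIT_TRAIL):
    """Run the full audit review and return the findings as one dict."""
    events = parse_audit_log(text)
    counts = access_counts(events)
    flagged = flag_volume_outliers(counts)
    return {
        "outliers": flagged,
        "dwell": {u: dwell_profile(events, u) for u in flagged},
        "skew": {u: read_reason_skew(events, u) for u in flagged},
        "alerts": rate_alerts(events),
    }


if __name__ == "__main__":
    for section, finding in review().items():
        print(f"{section}: {finding}")
```

The volume check compares each account against the median of its peers rather than a fixed number, because the article's own figure (about 12,100 records for a typical employee over the period) shows that "normal" is practice-specific and the baseline has to come from the practice's own trail. The skew check looks only at views long enough to read, since the sub-second skims are noise by design; on the constructed data the flagged account reads nothing but mva encounters, which is the pattern the affidavit describes.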

Prevention also can come from making it well known in the practice that audits are a regular occurrence.

As part of training about HIPAA and the Health Information Technology for Economic and Clinical Health Act for employees accessing patient information, “I think it’s really important that every employee knows that there is this process in place and it’s designed to not finger-point, but to identify if there are system problems, or confusion about what information should be used under what circumstances,” said Elizabeth Litten, a health law attorney with the New Jersey office of Fox Rothschild. “It’s a way to protect the confidentiality of the patients and keep the entire practice in compliance.”

“I don’t think it’s helpful to do it surreptitiously, because I think everybody in the office should understand the importance of keeping the information protected and to be aware the practice will do everything it can to ensure that there’s ongoing compliance,” Litten said.

Conducting regular audits in a small practice, however, might be a challenge, Spasser said. Staff and resources are limited. But, she added, vendors — particularly vendors of cloud-based systems — may do auditing on behalf of clients. If so, that will be written into a practice’s contract. Vendors may generate auditing reports that are passed on to the practice, or give practices the option of querying specific information. The practice needs to do due diligence to find out what the vendor is offering, what types of reports they are willing and able to run, and how often the reports will be done.

Rose said that if a practice has the resources to install an EHR, it should have the resources to perform an audit. The auditing function likely will be part of the EHR package. In many cases, the job of auditing will fall to the office manager. But to have an extra set of eyes on the audit trail, the physician also should learn how to perform audits as well, or hire a consultant to do routine reviews of the audits, she said.
