EHR Audits Notify Practices about Improper Access; Avoiding EHR Implementation Pitfalls

The recent federal arrest of a hospital employee who allegedly sold patient information garnered from his role as an emergency department (ED) registrar highlights the importance of conducting regular access audits of the electronic health record (EHR) system to respond promptly if inappropriate access or use of records has occurred, states a September 17, 2012, American Medical News article. Audit reports generated by the hospital’s EHR system were used as part of the federal investigation. According to the federal bureau of investigation (FBI), the now-terminated employee accessed the records of patients who came to the ED after car crashes and sold their information to lawyers and chiropractors who would solicit their services to the patients. Data security experts say that every medical office, regardless of its size, should regularly audit the EHR system to detect potential illegal activity. Prevention and prompt response is essential to reduce the risk of lost revenue, lost patients, and the potential for a damaged reputation or federal disciplinary actions. Staff should be aware that routine access audits are occurring in the organization and that they will be held liable for their actions. The frequency of auditing varies depending on the practice’s needs, but auditing may be necessary any time there is suspicion of illegal activity or if the practice is treating a high-profile patient who may spark curiosity in staff members. One attorney says that the same EHR functions that limit access based on a staff member’s role can be modified to issue a warning if it appears that an employee is doing something questionable.