Nosy employees? Follow the audit trail

Allina Health Abbott Northwestern Hospital (photo: Allina Health)

Audit logs may tell the story

In healthcare privacy and security, electronic health records may make data exchange and data viewing easier, but the systems' audit trails also make it simpler to catch unauthorized viewers.

And, in the digital age, these unauthorized viewers have proved far too common.

Just last month, Allina Health system in Minnesota notified some 3,800 patients that one of its medical assistants had been improperly accessing their protected health information for more than three years.

The former employee -- her employment recently terminated -- accessed patients' names, dates of birth, clinical data, health insurance information and partial Social Security numbers.

"We deeply regret that this occurred and want you to know we are committed to protecting the privacy of our patients’ personal information," read a notice on the Allina website. "To help prevent similar incidents from happening in the future, we are evaluating our policies related to protecting patient information, examining our computer security programs and continuing to educate employees on their obligation to maintain the privacy of patient information."

Affected patients were notified Oct. 25.

The Office of the National Coordinator's 2014 Health Information Technology Certification programs mandate that EHR technology meet certain audit log requirements. Changes and actions to the patient record must be captured, along with the date and time of the action, the user identification and the ID of the patient record being accessed.
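As an added illustration (not code from the article or from any EHR vendor), the sketch below reviews a constructed audit log that carries the four fields named above: it sets aside entries missing a required field, then lists, per user, the patient records opened by someone outside that patient's care team. The field names, the sample entries and the `CARE_TEAM` lookup are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# The four items the article says must be captured (field names are assumed).
REQUIRED = ("timestamp", "user_id", "patient_id", "action")

# Constructed sample entries, not real data.
SAMPLE_LOG = [
    {"timestamp": "2013-10-01T09:12:00", "user_id": "ma-17", "patient_id": "P100", "action": "view"},
    {"timestamp": "2013-10-01T09:14:00", "user_id": "ma-17", "patient_id": "P200", "action": "view"},
    {"timestamp": "2013-10-01T09:15:00", "user_id": "ma-17", "patient_id": "P300", "action": "view"},
    {"timestamp": "2013-10-01T10:02:00", "user_id": "rn-02", "patient_id": "P200", "action": "edit"},
    {"timestamp": "2013-10-01T10:05:00", "user_id": "", "patient_id": "P300", "action": "view"},
    {"timestamp": "yesterday", "user_id": "rn-02", "patient_id": "P100", "action": "view"},
]

# Assumption: the organization can export who is on each patient's care team.
CARE_TEAM = {"P100": {"ma-17", "rn-02"}, "P200": {"rn-02"}, "P300": {"rn-02"}}


def validate(entry):
    """Return the required fields that are missing, empty or unparseable."""
    missing = [field for field in REQUIRED if not entry.get(field)]
    if "timestamp" not in missing:
        try:
            datetime.fromisoformat(entry["timestamp"])
        except ValueError:
            missing.append("timestamp")
    return missing


def review(log, care_team):
    """Return (incomplete entries, per-user patient IDs accessed outside the care team)."""
    incomplete, outside = [], defaultdict(set)
    for index, entry in enumerate(log):
        missing = validate(entry)
        if missing:
            # An entry that cannot name who did what, when, to which record
            # is itself a finding: it cannot support an investigation.
            incomplete.append((index, missing))
            continue
        if entry["user_id"] not in care_team.get(entry["patient_id"], set()):
            outside[entry["user_id"]].add(entry["patient_id"])
    return incomplete, {user: sorted(ids) for user, ids in outside.items()}


if __name__ == "__main__":
    bad_entries, flagged = review(SAMPLE_LOG, CARE_TEAM)
    print("incomplete entries:", bad_entries)
    print("access outside care team:", flagged)
```

A flagged user is a lead for a privacy officer to review, not proof of snooping; coverage shifts and emergency access produce legitimate accesses outside the assigned care team.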

In addition to the meaningful use audit log requirements, the HIPAA Security Rule, HITECH Act and the Joint Commission all put forth their own specific requirements pertaining to audit logs and patient privacy.

Just this July, six employees at Cedars-Sinai Medical Center were fired for reportedly viewing the medical records of 12 patients without authorization. The records included those of Kim Kardashian, who recently gave birth at the hospital.

Impermissible uses and disclosures of protected health information remain the top compliance issue pertaining to HIPAA privacy and security breaches, according to data from HHS.

Since 2009, some 27 million individuals have had their protected health information compromised, according to HHS reports.