COACH Access Audits Guidelines: A Vital Tool in Your Privacy Toolkit as PHI Breaches Climb

The number of reported privacy breaches in healthcare continues to climb. Anyone who regularly follows the news has read at least one article over the last year about a breach. In some cases, these breaches happened recently; in others they were a few years old and have only recently been found during an audit, prompted by some other event. At least part of the increase in reported breaches is due to the much higher attention and sensitivity that people now have towards privacy issues in healthcare – it is not simply because systems are now so much more insecure. While electronic health records (EHRs) have enabled “snooping” through a large number of records in a short amount of time, similar problems occur with paper charts, although it is more difficult to access so many paper charts. EHR systems typically provide a logging mechanism to track who has viewed/altered a record, when it was done and from where. Most paper systems do not have this type of audit trail, so many transgressions go unnoticed.

It can be argued, however, that even with logging mechanisms in place, many of the current privacy programs are not providing the professional duty of care that should be afforded to personal health information (PHI) under a healthcare delivery organization’s care.

The COACH Access Audits for Electronic Health Records – COACH Guidelines for the Protection of Health Information Special Edition (the Guidelines) help organizations understand and implement health industry best practices for access audits while avoiding wasted effort and common pitfalls. The Guidelines cover best practices in a range of topics, including:

  • setting up a program,
  • access control,
  • trigger events,
  • reporting,
  • requirements and uses of audit data, and
  • managing an effective program while also highlighting legislative requirements by jurisdiction.

Creating an effective audit program requires a clear vision of what success will look like.

Two preventative elements of a privacy plan that frequently get the most attention from healthcare organizations are education and restricting people’s access to PHI. A best practice that often gets less attention is conducting an access audit. An access audit is simply a review of access to, or changes to, data elements or information. An audit also covers every process from creation through to deletion and destruction. An audit can consume significant resources, especially if done poorly. However, it is not only small organizations that lack the resources or knowledge to implement these audits: large healthcare delivery organizations have also come under recent scrutiny in the news and from privacy authorities for incomplete or altogether missing audit programs.

Circle of Care
Most healthcare staff are familiar with the concept of “Circle of Care” and the idea that information should only be available for review or update, on a “need-to-know” basis, to those people involved in a patient’s care. Some jurisdictions use different patient consent models and may also include the concept of consent directives, where patients have the ability to revoke access to their information, but the core concepts remain the same.

In the day-to-day operations of many healthcare institutions, putting these concepts into practice is often a major challenge. Running a large facility, with patients coming and going, being moved from one section of the facility to another, receiving care over multiple shifts, and being covered by staff stretched across many patients (including last-minute replacements for absent colleagues), presents just some of the challenges involved in keeping the access privileges associated with a patient’s “Circle of Care” up to date. If the concept were strictly enforced, a small army of people would be required to keep access privileges in the EHR system current so that they reflect only those presently involved in a patient’s care. To reduce this overhead, institutional policies and roles are often used as a practical compromise that balances the risks against the costs. However, this means that people frequently have access to the information of patients who do not directly fall under their care. The same is true for smaller healthcare delivery organizations, which lack the resources, knowledge or a mature EHR to implement key privacy controls within their software. Furthermore, in rural areas and small communities, it may not be possible for clinical staff to receive care at a different facility from the one they work at in order to maintain their privacy as a patient.

PHI may be inappropriately and illegally accessed for many reasons. Cases of inquisitive staffers who are simply curious about a celebrity or well-known figure receiving care at their facility are frequently in the news. In other cases, the information may be accessed for profit: sold to enable identity theft, used to extract hush money, or even used to sell related products and services. In yet other cases, people may be looking to gain an advantage over someone (an ex-spouse, a fellow staff member or even a family member). Some breaches are unintended, and there are also circumstances where a staff member’s account information has been stolen and used by someone else to access PHI.

In the financial world, what shocked us a few years ago has unfortunately become more common. It is no longer a surprise when another retailer reports that its databases have been broken into and its customers’ credit cards have been compromised. While expensive, it is relatively easy to calculate the damage done and to compensate people for their losses. Greater attention is now being paid to PHI where it is not clear how to compensate someone for the compromise of their information.

Access audits – Secondary safeguards
From the risk management and security domains we have the idea of controls and compensating controls. There are often a number of different ways of addressing a risk. In some cases, the primary solution that would totally resolve a risk is too expensive, or other constraints or simple practicalities prevent a good response. In this circumstance, a secondary safeguard can be used that covers most of the risk, but not all of it, leaving some residual risk. These secondary safeguards are a form of compensating control. Access audits are a frequently used compensating control for the risk introduced by access controls that use a broad definition of “Circle of Care.” While access audits do not prevent a problem in the first place, they do help to identify problems after they have occurred, allowing corrective measures to be taken, which may in turn prevent future problems. As a general rule, a good privacy/security program also implements multiple layers of controls to reduce the chance of overall or outright failure.

Access audits are a key tool in a privacy manager’s toolkit. Unfortunately, many people are not familiar with the best practices involved in setting up an effective audit program. Frequently there is a fear that audits will consume huge amounts of time scanning vast amounts of data. While audits can take some time to complete, many tools exist inside and outside of EHRs to facilitate this practice. A well-managed audit program can reduce these resourcing fears by being proactive: it starts by looking for the most frequent transgressions and/or rotates through a series of audits over time.
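As an added illustration (not part of the Guidelines or of this article), the following Python script applies three common trigger rules of the kind described above to constructed EHR access-log lines: access by a user outside the patient’s “Circle of Care” roster, staff viewing their own record, and any access to a flagged high-profile record. It then counts findings per user so a review can start with the most frequent transgressions. The log format, roster, field names and rule names are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample EHR access-log lines (not real data). Each line records
# who accessed which record, what they did, when, and from which workstation.
ACCESS_LOG = """\
2024-03-01T08:02:11 user=nurse.li patient=P1001 action=VIEW ws=ICU-07
2024-03-01T08:05:43 user=nurse.li patient=P2002 action=VIEW ws=ICU-07
2024-03-01T09:14:02 user=clerk.ng patient=P3003 action=VIEW ws=ADMIN-02
2024-03-01T09:20:55 user=dr.ahmed patient=P1001 action=UPDATE ws=ICU-03
2024-03-01T21:47:19 user=clerk.ng patient=P1001 action=VIEW ws=ADMIN-02
2024-03-01T22:01:30 user=clerk.ng patient=P2002 action=VIEW ws=ADMIN-02
"""

# Constructed "Circle of Care" roster: users currently assigned to each patient.
CARE_ROSTER = {"P1001": {"nurse.li", "dr.ahmed"}, "P2002": {"dr.ahmed"}, "P3003": {"dr.ahmed"}}
# Constructed mapping from a staff member's user id to their own patient record.
STAFF_OWN_RECORD = {"nurse.li": "P2002"}
# Constructed set of high-profile records whose every access is a trigger event.
VIP_RECORDS = {"P3003"}

LINE_RE = re.compile(r"(\S+) user=(\S+) patient=(\S+) action=(\S+) ws=(\S+)")

def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, patient, action, ws = m.groups()
    return {"ts": ts, "user": user, "patient": patient, "action": action, "ws": ws}

def audit(log_text, roster, own_record, vip):
    """Apply the audit rules to every line; return a list of (reason, event) findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:  # a line the audit cannot read is itself a finding
            findings.append(("unparseable", {"raw": line}))
            continue
        if ev["patient"] in vip:  # trigger event: flagged record touched at all
            findings.append(("vip_record", ev))
        if own_record.get(ev["user"]) == ev["patient"]:  # staff member as patient
            findings.append(("self_access", ev))
        elif ev["user"] not in roster.get(ev["patient"], set()):
            findings.append(("outside_circle_of_care", ev))
    return findings

def most_frequent(findings):
    """Count findings per (user, reason) so the review starts with the worst offenders."""
    return Counter((ev.get("user", "?"), reason) for reason, ev in findings)
```

In a real program the roster and flagged-record list would come from the EHR itself, and the unparseable-line finding matters because a logging gap is exactly what an audit must not silently skip.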

The Guidelines include the 10 Key Steps to an effective audit program and answers to important questions such as, “How much logging is enough?” They are a much-needed resource for audit and logging, which supports the enforcement of accountability to patients who trust their PHI to providers using EHR systems. These activities also help protect record integrity, acting as a strong incentive for system users to conform to organizational policies on data and system use.

To learn more about the Access Audits for Electronic Health Records – COACH Guidelines for the Protection of Health Information, please visit the COACH Store.