Requirements for Patient review of their medical record audit trail
Context: This proposal describes a target for a patient-accessible audit trail for implementation in a 2 to 5 year time frame. It is not expected that any organization would be able to implement this proposal immediately or in the near-term. The near-term impact of this proposal is to (1) stimulate discussion of this subject, (2) provide a benchmark for gap analysis of projects, and (3) provide a basis for policy development within and external to, our organizations.
Background: Many security/privacy breaches are a result of individualsin the covered entity with legitimate access rights who view patient information that they should not be viewing as it is not needed to perform their official duties related to treatment, payment or health care operations or other legal authority to view the information does not exist. Typically, they are viewing information on a personal acquaintance who is not under their care. It is extremely difficult to reliably detect all suchsecurity/privacy breaches.
Though the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not mandate that covered entities provide copies of audit trails to patients, the most plausible way to detect the above described security/privacy breaches is to allow patients to review the audit trails of their chart, and they will be able to recognize individuals who they do not believe have a legitimate need to access their chart. Patients will not be able to detect these breaches in an audit trail, unless that audit trail is designed to clearly indicate the who, what, when, where, and why of each individual accessing their chart. If this information is not presented to the patient in a very usable format, it will generate many needless questions and both the patient and the auditor will be frustrated with a very low specificity of the information.
Following are the proposed requirements for the audit trailand processes to support patient viewing of that audit trail:
- Patients should be able to review (in-person or online through web access[shp1]) each of the following elements of the audit trail as it relates to their record: viewing only, editing, or electronically transferring all or part of their record.[shp2] (Audit trails of these patient-initiated access to their personal audit trails will also be required).
- Clear indication of who accessed their record.
a) Name of the user
b) Title of the user at the time of access, e.g. MD, RN, medical student, RN, pharmacist, QA, call center agent, etc.
c) A role description that includes a brief patient friendly summary of the role, e.g. pathologist: studies biopsy results under a microscope - From what location they accessed my record (i.e. which facility)
- Which parts of the record they viewed/printed/transferred (in layman's terms: e.g. "doctors notes", "lab results", etc.)
- When did the access occur including date and time?
- Why the record was viewed/printed/transferred[SMR3] (in layman’s terms: e.g., treatment, payment for services, quality review, training, etc.)
- Ability to provide the patient with a digital or paper copy of this audit information
- Ability to answer patient requests for further clarification of specific audit events
- These audit trails should be retained for a minimum of XX years by all legal record maintenance guardians.
- Provide patient with a well documented process to escalate any perceived inappropriate accesses.[shp4]
- Documented policies within the covered entity on how to investigate and mitigate any security/privacy breaches resulting from the patient review of the audit trail.
[shp1]The security of online access to this information is a great concern. Also, secure individual accounts to access this information will be required to be generated and maintained. The audit trail information is going to be protected under the HIPAA Privacy Rule, so the patient should have to request a copy of this information similar to requesting a copy of their health information.
[shp2]I do not think that many audit trails would be able to tell you if the access including printing what information was viewed. Access is access in terms of having the authority to use the information under the HIPAA Privacy Rule. What you did with the information whiling using it does not come into play for legal authority to use? Either you have the authority to use the health information or not, period. I think that this is information that the patient does not need and will only add confusion to the audit trail report.
[SMR3]SHP Comment: This information is not currently captured in most audit trails and could not be captured unless the User is prompted for this information in the system prior to accessing the record. Also, the number of choices for the user to select (as you would not want to give them a free text field) would have to be fairly extensive. A lot of work would need to be done on this requirement which could delay the overall efforts. The audit log VHA currently provides to patients, where a log is generated, does not include this information. However, this information is normally obtained from the individual employee if the patient believes an access by the employee was inappropriate.
JM response: This “Why” information could be as simple as a “role-based mapping”, with the fallback methodology as described in the preceding comment”. Per our teleconference discussion, an attending physician may have numerous roles, all within a single logon, but their “role” as a “supervising or attending physician” should adequately subsume the granularity necessary for this requirement, and if challenged, by the patient, the f/u query could require that individual to declare whether that audit event was related to their role in direct care, supervision, QA, or research.
[shp4]This process would need to be well documented and it understood that the patient would be submitting a privacy complaint requiring a formal response. Also, the patient has the right to file privacy complaints with HHS-Office for Civil Rights, so facilities would need to take such complaints very seriously and investigate and resolve them timely.