How to build a successful EMR access monitoring process

Monitoring is the 5th element of the 7 elements of an effective compliance program. It is a continuous task that compliance and privacy teams must do to ensure any inappropriate accesses are detected and resolved in a timely manner. When discussing how your team should go about monitoring, it is important to remember to design a process in line with your team and healthcare facility’s priorities. When looking to build a successful EMR access monitoring process, 4 things need to be considered:

1. The subjects

The first thing to determine is the subjects of your monitoring effort. Some questions that your team should consider: – What/Who are your monitoring? — Layout the parameters of what and who your team will be monitoring. Know what information needs to be monitored (patient accesses, VIPs, newborns, employees who have made previous inappropriate accesses, etc.) and what systems to pull data from. – What are you looking for? — Map out what is appropriate and inappropriate for your facility. For example, it should be noted whether self-accesses are appropriate or not at your healthcare facility.

2. Methods

As stated by the HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)), covered entities are required to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI).  Therefore, your team must have a method in place to monitor ePHI. Layout the method of your team’s monitoring processes and the tools used to monitor EMR accesses. It’s best for that method to be documented so new team members can be easily on-boarded. Moreover, leverage software systems to help automate the process, so you can focus on suspicious behavior rather than time-consuming false positives.

3. Frequency

The monitoring frequency is an important parameter of your process because it determines how often EMR accesses are reviewed. Put a formal process in place that notes how often your team will monitor subjects. The frequency may change depending on the subjects and the size of the facility. A schedule that lays out the amount of time and which team members are assigned work can help everyone stay on track to meet reporting requirements.

4. Reporting

Discuss what information needs to be reported, how those reports will be presented, and who the reports will need to be sent to. It is important to define the specific metrics you present to compliance managers, department heads and executive committees. Remember that different people in organizations like to consume data in different ways, so they might like raw data or aggregated results. When building this process, ensure all rules and regulations are being adhered to. Over time, this process and schedule may change as your team gets into its flow. If changes need to be made, discuss it with your compliance or privacy team and make the necessary changes over time. Always update your documentation to reflect the updated process (it is helpful to keep versions of the documentation in case your team wants to look back on what changed). A monitoring process is required per HIPAA, but building out a successful program will also help your team better manage day-to-day tasks and ensure the proper data are being monitored. Going through each of these 4 points will help define and build your monitoring program, so your team can implement it and better protect your patients’ privacy. SecureLink Patient Privacy Monitoring solution can help streamline this process by reviewing up to 99% of the EMR access log for your compliance team. OCR Cyber Newsletter January 2017