You all know the story…young Hansel and Gretel leave a trail of breadcrumbs to find their way home in the woods, only to find that the birds have hampered their efforts and eaten their path back home. It’s too bad they couldn’t pull out their smartphones and let their fingers do the walking to find their way home, but that’s another story entirely. What this story reminds us is that they were relying on a weak solution to guide them back to their destination.
Obviously, their “trail” back home started with a poor design that was destined to fail because eventually the breadcrumbs would either be consumed by some furry friend in the forest or would have simply disintegrated. In this case, they were not positioned to circle back and see the path they had traveled. It may be a bit of a stretch, but this story in some ways mirrors what some companies are finding when they attempt to circle back and audit records. Are you leaving a solid trail to shine a light on who has been accessing your system and patient files? Can you see activities on your system from the past?
While companies can invest vast resources in carrying out security protocols and strict access controls, no process is bulletproof. A security audit trail, therefore, should be used as an essential companion to security measures in order to, among other things, ensure that access controls are working. As such, companies need to be mindful of this process and ensure that what they gather gives them an adequate understanding of what they need to know. Additionally, it is important to recognize that a security audit is not a tool for gathering every value of charted data or holding every detail of the patient’s sensitive PHI. Instead, these security audits should record certain events that indicate activities such as charting being updated or users logging into a system.
Anyone who has ever taken time to research the topic of security audits can certainly attest to the fact that the information out there is robust and complex. The guidance available on this subject spans from generic content and legal advisories to hyper-technical specifications. Gaining an understanding of this process can be overwhelming for technical and non-technical staff alike. Ultimately, it is important that companies work in coordination with their IT team to determine their current auditing solution. As a starting point, the American Health Information Management Association (AHIMA) published a useful overview* providing details that go to the core of this process.
So, are you going to be a trailblazer and guarantee you are capturing this important information, or are you going to treat the integrity of your system like a trail of breadcrumbs?
*AHIMA. “Security Audits of Electronic Health Information (Updated).” Journal of AHIMA 82, no. 3 (March 2011): 46-50.