Access Audits as a Breach Deterrent
Why Kaiser Permanente Stresses Accountability
To protect patient privacy without adversely affecting the quality of healthcare delivered, hospitals and clinics need to aggressively monitor records access in addition to appropriately using access controls, says Eric Liederman, M.D. He's director of medical informatics for The Permanente Medical Group, a Northern California physician practice that's part of the national Kaiser Permanente organization.
He portrays the approach as striking a balance between access control and accountability, but advocates placing stronger emphasis on the latter. That's because if role-based access controls are too strict, they can hurt the quality of care.
"Access restriction has its place," Liederman says. "Role-based access generally works. ... But you never know what a clinician might need to do in their role now and then. So it's pretty hard to effectively restrict access without cutting out the ability of people to do their jobs."
Access control "tends to get over-used" as a way to prevent internal breaches involving inappropriate access to patient records, Liederman argues. "It's very commonly used as the only approach to protect privacy ... It needs to be used in combination with accountability."
Liederman made his comments in a presentation Feb. 21 at the Healthcare Information and Management Systems Society Conference in Las Vegas.
EHR Log Function
Kaiser Permanente in Northern California uses the access log function within its inpatient and outpatient electronic health records systems, both from Epic Systems Corp., to selectively track records access and detect snooping. Other units of the organization across the nation use a similar approach, Liederman explains.
Although the Northern California region has 21 hospitals and 7,000 physicians, only two dedicated report writers handle the EHR access audit process, Liederman says. The key, he says, is to conduct targeted audits focusing on situations with the highest risks. That includes, for example, employees looking up records of neighbors and clinicians accessing inappropriate records, such as labor and delivery staff members looking up records of patients who are not pregnant.
By publicizing the audit effort, healthcare organizations can dramatically cut back on inappropriate access to records, Liederman contends. In Northern California, Kaiser Permanente saw a 90 percent reduction in privacy violations within weeks of ramping up records access audits, and the reductions have since been maintained, he says.
"If I know I'm going to get caught and fired" for inappropriately accessing a record, that's a powerful deterrent, he adds.
In launching an accountability program through access audits, Liederman advises organizations to take several steps, including:
When implementing access controls, it's important to offer a "break the glass" function for use in emergencies. Liederman's organization enables clinicians to access a record they normally couldn't by choosing a reason from a pick list and re-entering their password. And those steps show up in an audit report.
"So far, no one who has broken the glass, that we're aware of, has been found to be a privacy violator," he notes.
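The targeted audit rules described above (clinical-scope mismatches such as labor and delivery staff viewing non-pregnant patients, neighbor lookups, and break-the-glass overrides surfaced for reviewer attention) can be expressed as a small rule set over access-log events. The following is an added illustration, not Kaiser Permanente's or Epic's code; the event fields, the shared-ZIP proximity heuristic and all sample values are constructed assumptions.

```python
"""Targeted EHR access-audit rules over constructed sample log events.

Assumed event shape (not Epic's real audit schema): the accessing user's
department and home ZIP, the patient's ZIP and pregnancy status, and an
optional break-the-glass reason captured when the user overrode access.
"""
from collections import namedtuple

Event = namedtuple(
    "Event", "ts user dept user_zip patient patient_zip pregnant btg_reason")

# Constructed sample events; user/patient IDs and ZIP codes are placeholders.
EVENTS = [
    Event("2012-02-21T08:02", "u100", "Labor & Delivery", "94612", "p1", "94501", True, None),
    Event("2012-02-21T08:15", "u100", "Labor & Delivery", "94612", "p2", "94705", False, None),
    Event("2012-02-21T09:40", "u200", "Radiology", "94705", "p3", "94705", False, None),
    Event("2012-02-21T11:03", "u300", "Emergency", "94110", "p4", "94541", False, "Emergency treatment"),
    Event("2012-02-21T12:30", "u400", "Billing", "94541", "p4", "94541", False, None),
]


def audit(events):
    """Return (flagged, break_glass).

    flagged: events matching a high-risk pattern, queued for privacy review.
    break_glass: emergency overrides, reported for accountability rather than
    treated as violations (the article notes none turned out to be snooping).
    """
    flagged, break_glass = [], []
    for e in events:
        reasons = []
        # Rule 1: clinical-scope mismatch, the article's L&D example.
        if e.dept == "Labor & Delivery" and not e.pregnant:
            reasons.append("scope: L&D staff viewed non-pregnant patient")
        # Rule 2: possible neighbor lookup. Assumption: a shared home/patient
        # ZIP is the proximity heuristic; a real program would use finer data.
        if e.user_zip == e.patient_zip and e.btg_reason is None:
            reasons.append("proximity: user and patient share ZIP %s" % e.user_zip)
        if reasons:
            flagged.append((e.ts, e.user, e.patient, reasons))
        if e.btg_reason is not None:
            break_glass.append((e.ts, e.user, e.patient, e.btg_reason))
    return flagged, break_glass


if __name__ == "__main__":
    hits, overrides = audit(EVENTS)
    for h in hits:
        print("REVIEW", h)
    for o in overrides:
        print("BREAK-GLASS", o)
```

Each flagged event carries the rule that matched, so the two report writers the article mentions can prioritise review by reason rather than read raw logs.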