Audit trails

From Clinfowiki
(Redirected from Audit Trails)
Jump to: navigation, search

Audit Trails are logs that include the date and time of access, the information or record accessed, and the user ID under which access occurred.

Organizations should maintain in retrievable and usable form audit trails that log all accesses to clinical information. [1]

Organizations that provide health care to their own employees should enable employees to conduct audits of accesses to their own health records. Organizations should establish procedures for reviewing audit logs to detect inappropriate accesses. We should provide procedures for and a record of “random” sampling of the audit logs.

HIPAA compliance

HIPAA audit refers to maintaining audit trails that log all accesses to clinical information.

  • Questions to be considered when designing an audit trail:
  • Audit trails accessible by authorized users only?
  • Patients have the right and ability to request and review audits of all accesses to their electronic medical records?
  • Healthcare organizations should allow employees to conduct audits of accesses to their own health records?
  • Procedures for and a record of “random” sampling of the audit log should be available?

Audit Trail Uses

Audit Trails may be used to monitor various changes within an electronic health record (EHR). They may “be built to monitor the modification, viewing, and deletion of information”[2]. Access to protected health information (PHI) must also be audited within an EHR to ensure in protection of the patients’ privacy and security. Audit trails also aide in the monitor of imported PHI form outside third party entities into the facility’s’ EHR. Implementing the use of Audit Trails in a facility’s policy and procedure for security management will strengthen the EHRs security. As “audit trails can assist in detecting security violations, performance problems, and flaws in applications” [3]. Benefits of using audit trails will lead to the following:

  • Individual Accountability
  • Reconstruction of events (actions that happen on a computer system)
  • Intrusion detection
  • Problem analysis[3]

Audit Trails provide an avenue of bolstering the security of clinical information systems however, (Sun, Fang and Zhu, 2010) propose “To enable accountability and discourage misbehavior, audit trails and digital signatures should be used in combination” (p.71). [4] Audit Trails not only play a vital role in protecting consumers’ health information but can also be employed to enhance patient safety. (Avery, Savelyich, Sheikh, Morris, Bowler & Teasdale, 2007) stated that “to bring about improvements, providers need to supply clinicians with safe, accurate and accessible information for decision support; be aware of the importance of human ergonomics in the design of hazard alerts; consider the value of audit trails and develop mechanisms to allow for the accurate transfer of information between clinical computer systems” (p.28). [5] Also Avery et al., (2007) observed that “Participants noted that correct coding of clinical information provides an important resource that can be accessed for clinical care, computerized prompts and audit” (p.31).

References

  1. Protecting Electronic Health Information (1997) http://www.nap.edu/catalog.php?record_id=5595
  2. Nunn, S. (2009). Managing audit trails. Journal of AHIMA, 80(9), 44-45. Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044634.hcsp?dDocName=bok1_044634
  3. 3.0 3.1 National Institute of Standards and technology: Audit trails. (n.d.). Retrieved from http://csrc.nist.gov/publications/nistbul/itl97-03.txt
  4. Sun, J., Fang, Y., & Zhu, X. (2010). Privacy and emergency response in e-healthcare leveraging wireless body sensor networks. Wireless Communications, IEEE, 17(1), 66-73.
  5. Avery, A. J., Savelyich, B. S., Sheikh, A., Morris, C. J., Bowler, I., & Teasdale, S. (2007). Improving general practice computer systems for patient safety: qualitative study of key stakeholders. Quality and Safety in Health Care, 16(1), 28-33.