by Dava Stewart
In the last few years, there has been a great amount of discussion about electronic health records (EHR), patient privacy, security, and the rising number of times chiropractic practices are audited. With all of that in mind, the phrase “audit trails” may seem like something that would come from the Office of the Inspector General (OIG). But, in fact, audit trails have more to do with how software, EHR and other types of systems, are constructed.
Audit trails are simply logs that show who accessed an information system, when, and what operations were performed. This means that audit trails are a form of access management. The information within audit trails is not particularly useful alone — context is required. When multiple audit trails are used to trace and examine system activity, audit controls are being employed.1
Audit controls are useful for demonstrating that a practice is HIPAA compliant. Further, regular security audits of those controls are necessary. According to the American Health Information Association (AHIMA):
“The HIPAA security rule includes two provisions that require organizations to perform security audits:
Section 164.308(a)(1)(ii)(c), Information system activity review (required), which states organizations must “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
Section 164.312(1)(b), Audit controls (required), which states organizations must “implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”2
In addition, the 2009 Health Information Technology for Economic and Clinical Health (HITECH) part of the American Reinvestment and Recovery Act included provisions that require organizations that handle patient health information (PHI) to actively monitor for security breaches, making regular examination of audit trails and controls through security audits even more important.2
A compliance audit is likely to examine the existence of audit trails and controls, as well as the records related to monitoring for security breaches. Certified EHR systems have built in audit trails and controls, so a practice using a certified system has both audit trails and audit controls in place already. Third party organizations can be hired to conduct audits to make sure that PHI is secure. A practice that uses a certified EHR system and undergoes regular security audits is well-positioned should they be audited by the OIG.
Beyond compliance, audit trails, audit controls, and security audits can be employed to demonstrate meaningful use (MU) of EHR systems for practices that are working to receive stimulus dollars through the implementation and use of an EHR system. The stage one requirements for MU include that system actions be recorded and that an audit log can be created for a specific time period.2
As the entire healthcare system in the U.S. moves toward digitization, chiropractic offices must keep up. It is impossible to show a log of who opened a paper file. Evaluating, purchasing, and most importantly, fully implementing, a certified EHR system brings a practice much closer to full HIPAA compliance. Taking the extra step of hiring a third party to perform regular security audits provides an additional layer of protection in the case of a compliance audit by state or federal regulatory bodies.
1Nunn, S. “Managing Audit Trails Journal of AHIMA 80, no.9 (September 2009): 44-45.
2AHIMA. “Security Audits of Electronic Health Information (Updated).” Journal of AHIMA 82, no.3 (March 2011): 46-50.