Simplify review of EHR logs for HIPAA compliance

Published on: December 02nd, 2015

A clear, required item in the HIPAA Security Rule is 164.308(a)(1)(ii)(D), Information System Activity Review. A medical organization and its subcontractors (otherwise known as Covered Entities and Business Associates) must regularly review the logs for systems that access electronic Protected Health Information (ePHI). Where is most of a medical practice’s ePHI stored? In their EHR software.

So a medical practice can just add a periodic review of these logs to its policies and procedures and be good, right? It turns out these logs are cumbersome. They record almost every action someone performs on a patient’s record. A good rough estimate is three thousand entries a day, per provider. So if you have three providers, take nine thousand and multiply it by twenty working days a month, and you get 180,000 entries.

You can easily see that it is neither reasonable nor appropriate to have a process and procedure to sort through all of these entries. One good answer is that there is now software that monitors and sorts through this plethora of entries. Similar to what credit card companies use to monitor a customer’s purchase activities, the software uses behavior analytics to raise a flag for activity outside a staff member’s normal behavior. So the thousands of entries are now cut down to just a few alerts, and you can determine whether further investigation is warranted!
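To make the idea concrete, here is a simplified sketch of baseline-and-flag review. It is an added example, not the code of any EHR or monitoring product. The log format (`timestamp,user,patient_id,action`), the account names and the thresholds are assumptions, and the sample data is constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

def parse(lines):
    """Parse 'ISO-timestamp,user,patient_id,action' rows (assumed log format)."""
    for line in lines:
        ts, user, patient, action = line.strip().split(",")
        yield datetime.fromisoformat(ts), user, patient, action

def build_baseline(history):
    """Per user: mean and stdev of distinct patients per day, plus usual hours."""
    daily, hours = defaultdict(lambda: defaultdict(set)), defaultdict(set)
    for ts, user, patient, _ in history:
        daily[user][ts.date()].add(patient)
        hours[user].add(ts.hour)
    return {u: (statistics.mean([len(p) for p in days.values()]),
                statistics.pstdev([len(p) for p in days.values()]), hours[u])
            for u, days in daily.items()}

def review_day(entries, baseline, z_limit=3.0):
    """Reduce one day's entries to a short list of (user, reason) alerts."""
    patients, odd_hours = defaultdict(set), defaultdict(set)
    for ts, user, patient, _ in entries:
        patients[user].add(patient)
        if user in baseline and ts.hour not in baseline[user][2]:
            odd_hours[user].add(ts.hour)
    alerts = []
    for user, seen in sorted(patients.items()):
        if user not in baseline:
            alerts.append((user, "no baseline for this account"))
            continue
        mean, stdev, _ = baseline[user]
        # Floor the stdev at 1 so a perfectly steady history does not alert on +1.
        if (len(seen) - mean) / max(stdev, 1.0) > z_limit:
            alerts.append((user, f"{len(seen)} patients vs. usual {mean:.0f}"))
        if odd_hours[user]:
            alerts.append((user, f"activity at unusual hours {sorted(odd_hours[user])}"))
    return alerts

def sample_logs():
    """Constructed data: five normal days of history, then one day to review."""
    staff = (("nurse_a", 10), ("dr_b", 20))
    history = [f"2015-11-{16 + d}T{9 + p % 8:02d}:00:00,{u},P{p:03d},view"
               for d in range(5) for u, n in staff for p in range(n)]
    today = [f"2015-11-23T10:00:00,nurse_a,P{p:03d},view" for p in range(40)]
    today += [f"2015-11-23T{9 + p % 8:02d}:00:00,dr_b,P{p:03d},view" for p in range(19)]
    today.append("2015-11-23T02:00:00,dr_b,P500,view")
    return history, today
```

On the constructed data, the 60 entries for the review day reduce to two alerts: one account touching far more patient records than usual, and one account active at an hour it has never worked before.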

For more information on this and to ensure further HIPAA compliance for your medical practice please call CT Business Solutions at 610-409-9800.

