Select Page

For large healthcare organizations employing hundreds, if not thousands of staff, it is clear that there must be in place the ability to audit what staff see in regard to patient medical records.  In small private practices HIPAA requirements are the same, so shouldn’t the ability to audit the eyes of curious staff be the same?  Certainly.

Borrowing from the hype caused by the recent snooping of Britney Spears’ medical record by UCLA staff and physicians, this article from provides commentary on the audit trail capacity of EHR systems, and how it can deter and detect unauthorized entry into the medical record – regardless of practice size.

An EHR must be able to create an audit trail to comply with the security requirements of HIPAA. Accordingly, the Certification Commission for Healthcare Information Technology, or CCHIT, won’t certify an EHR unless it has this capability.

Audit trails play less of a security role in solo offices, where a handful of trusted employees eyeball virtually every record, notes Marlene Jones, vice president for group operations at the consulting firm PivotHealth in Brentwood, TN. However, as practices grow in size, says Jones, the need to police recreational record-reading increases.

Your patients may not include a headline-making entertainer, but it’s likely that you have some lower-level VIPs whose records might tempt a nosey employee—the mayor, a partner’s wife, or a high school football star. If you use an EHR, you can detect snooping by checking the audit trails of select records on a monthly or quarterly basis. Some EHRs even allow you to study the audit trail of a particular employee across multiple records, as opposed to zeroing in on a particular record.