HIPAA Access Reports Could Aid Malpractice Attorneys
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says the access reports could detect patterns of inappropriate access.
The proposed provision does not include a requirement to show how long a person viewed a medical record. However, the date and time must be noted, which can be problematic, according to Ruelas. "If [a staff member] works from 8 to 5, and there are access report entries before 8 or after 5, this might be worth more investigation."
Ruelas says this could boost a lawyer's argument because if the CE does not have an adequate monitoring or auditing process, "a lawyer seeing that [the staff member] is repeatedly looking at records before 8 a.m. can invite some very interesting questions."
"If someone is listed on the report as 'viewed' under 'action' over and over again, and this has gone undetected, this can also be a problem," Ruelas adds.
The new requirement not only provides easier access for patients concerning who accessed their record, but also, according to Ruelas:
- What systems were queried to get the data
- Whether the organization is fulfilling its commitment to safeguarding user access to ePHI (e.g., access IDs, unique IDs, etc.)
- Whether the CE reviews reports indicating unusual access patterns
Ruelas calls the process of finding culprits who access records inappropriately a "very laborious task with an element of luck."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
- CFO Exchange: Smartphones Poised to Disrupt Healthcare, Says Topol
- Consumerism Drives Healthcare Branding, Rebranding Efforts
- PA Ranks See 'Phenomenal Growth,' Lack of Diversity
- CNO on Hospital Redesign: 'You Can't Over-Communicate'
- 3 Traits Personality Assessments Can't Reveal
- How Digital Strategy Shapes Patient Engagement at Boston Children's Hospital
- Antibiotic Overuse a 'Huge Threat' to Patient Safety, Says CDC
- Half of All Primary Care, Internal Medicine Jobs Unfilled in 2013
- Carondelet to Pay $35M to Settle Fraud Allegations
- CHS Hacked, 4.5M Patient Records Compromised