HIPAA Access Reports Could Aid Malpractice Attorneys

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says the access reports could detect patterns of inappropriate access.

The proposed provision does not include a requirement to show how long a person viewed a medical record. However, the date and time must be noted, which can be problematic, according to Ruelas. "If [a staff member] works from 8 to 5, and there are access report entries before 8 or after 5, this might be worth more investigation."

Ruelas says this could boost a lawyer's argument because if the CE does not have an adequate monitoring or auditing process, "a lawyer seeing that [the staff member] is repeatedly looking at records before 8 a.m. can invite some very interesting questions."

"If someone is listed on the report as 'viewed' under 'action' over and over again, and this has gone undetected, this can also be a problem," Ruelas adds.

The new requirement not only provides easier access for patients concerning who accessed their record, but also, according to Ruelas:

• What systems were queried to get the data
• Whether the organization is fulfilling its commitment to safeguarding user access to ePHI (e.g., access IDs, unique IDs, etc.)
• Whether the CE reviews reports indicating unusual access patterns

Ruelas calls the process of finding culprits who access records inappropriately a "very laborious task with an element of luck."