Q&A: Auditing User Activity

Analysis | By Revenue Cycle Advisor | January 14, 2021

Chris Apgar, president of Apgar & Associates, LLC, in Portland, Oregon, shares the types of activity that must be audited to comply with HIPAA.

A version of this article was first published January 14, 2021, by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders.

Q: What type of activity must be audited to comply with the HIPAA requirement to audit electronic medical record (EMR) activity? Does this include every action a user takes within a record and the length of time a user spends in a record?

A: You need to audit actions taken by users. This includes additions, changes, deletions, and viewing.

Additionally, you need to look for red flags such as an employee looking at the records of family members, or when it appears an employee is looking at a chart because of a headline in the paper about an injury or accident.

It is not necessarily as important to look at how long a user was accessing an individual record.

There are a variety of ways you can conduct your audit. Large and medium-sized healthcare providers can invest in an automated audit monitoring system such as those available from organizations like Maize Analytics, FairWarning, or Spher.

These solutions provide active monitoring of your EMR and alert you to anomalies. That way, there is no need to look at all records your employees are accessing.

Smaller healthcare providers may not have sufficient budget to pay for these solutions. In that case, a workable idea is to audit a percentage of your workforce monthly and audit a different percentage of your workforce’s activity as it relates to your EMR.

Editor’s note: Chris Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
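For a smaller provider without a monitoring product, the two checks described above can be scripted against an EMR audit-log export. The Python below is an added example, not part of the original article or any vendor's tool. It assumes a CSV export with hypothetical field names, constructed workforce and patient lookup tables, a shared surname or address as a rough stand-in for "family member", and a 25% monthly review fraction. Matches are leads for manual review, since common surnames will produce false positives.

```python
import csv, io, math, random

# Constructed sample EMR audit-log export (field names are assumptions).
AUDIT_LOG = """timestamp,user,action,patient_id
2021-01-04T09:12:00,jsmith,view,P100
2021-01-04T09:15:00,jsmith,change,P200
2021-01-05T14:02:00,mlee,view,P300
2021-01-06T08:30:00,mlee,delete,P300
2021-01-07T16:45:00,apatel,view,P400
2021-01-08T11:20:00,rgomez,add,P500
"""
# Constructed lookup tables: id -> (surname, home address).
WORKFORCE = {"jsmith": ("Smith", "12 Oak St"), "mlee": ("Lee", "9 Elm Ave"),
             "apatel": ("Patel", "4 Pine Rd"), "rgomez": ("Gomez", "7 Birch Ln")}
PATIENTS = {"P100": ("Smith", "12 Oak St"), "P200": ("Nguyen", "3 Ash Ct"),
            "P300": ("Lee", "88 Main St"), "P400": ("Patel", "4 Pine Rd"),
            "P500": ("Brown", "1 Fir Way")}
AUDITED_ACTIONS = {"add", "change", "delete", "view"}

def load_events(text):
    """Parse the export, keeping the four audited action types."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r["action"] in AUDITED_ACTIONS]

def family_red_flags(events):
    """Flag accesses where the patient shares a surname or address with the user."""
    flags = []
    for e in events:
        u, p = WORKFORCE.get(e["user"]), PATIENTS.get(e["patient_id"])
        if not u or not p:
            continue  # unknown user or patient: nothing to compare
        reasons = [n for n, a, b in (("surname", u[0], p[0]), ("address", u[1], p[1]))
                   if a.lower() == b.lower()]
        if reasons:
            flags.append((e["timestamp"], e["user"], e["action"], e["patient_id"], reasons))
    return flags

def monthly_sample(users, month_index, fraction=0.25, seed=2021):
    """Pick a different slice of the workforce each month until all are covered."""
    order = sorted(users)
    random.Random(seed).shuffle(order)  # fixed seed: the rotation is reproducible
    size = max(1, math.ceil(len(order) * fraction))
    start = (month_index * size) % len(order)
    return [order[(start + i) % len(order)] for i in range(size)]

if __name__ == "__main__":
    for flag in family_red_flags(load_events(AUDIT_LOG)):
        print("RED FLAG", flag)
    print("month 0 review:", monthly_sample(WORKFORCE, 0))
```
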