Introduction to FairWarning
Last summer, at the request of Local 34, Yale School of Medicine Clerical and Technical Staff received live training on the FairWarning HIPAA privacy compliance monitoring application. What follows is a brief summary of the program, along with frequently asked questions that came up during the training sessions.
FairWarning is a computer application designed to monitor compliance with the HIPAA privacy regulations. It takes user activity reports from Electronic Health Record (“EHR”) systems, including Epic, links them with Human Resources data about the users, and then produces audit reports designed to root out unauthorized access.
FairWarning uses audit data from Epic, other clinical systems and HR to show when users access records belonging to their co-workers, family members or neighbors.
For example, suppose that Epic user activity data showed that Jane Hu accessed Kevin Patient’s record at 3:34 PM on Wednesday, January 22, 2014, and that nine-year-old Kevin Patient, who lives at 123 Main Street, was seen in Pediatric Dentistry. FairWarning takes the Epic audit data one step further, gathering and analyzing demographic and employment data about Jane. So if Jane also lives at 123 Main Street and works in Labor and Delivery, FairWarning can create an audit “hit” to flag what appears to be Jane’s unauthorized access to the record of a family or household member, or of someone who is probably not a patient in her department.
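To make the correlation described above concrete, here is a small re-creation of the idea in Python. It is an added example, not FairWarning’s code: the record layouts (user_id, patient_id, address, department_seen, employee_id), the sample people and the three rules it applies (household address match, access to a co-worker’s record, department mismatch) are assumptions, and every row of sample data is constructed.

```python
"""
Illustrative correlation of EHR audit rows with HR and patient data.
Added example; not FairWarning's code. Field names, rules and data are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample data (no real people or records).
# Epic-style user activity rows: who opened whose chart, and when.
ACCESS_LOG = [
    {"user_id": "u1001", "patient_id": "p5001", "ts": "2014-01-22T15:34:00", "action": "view"},
    {"user_id": "u1002", "patient_id": "p5001", "ts": "2014-01-22T15:40:00", "action": "view"},
    {"user_id": "u1002", "patient_id": "p5002", "ts": "2014-01-22T16:05:00", "action": "view"},
    {"user_id": "u1001", "patient_id": "p5003", "ts": "2014-01-23T09:12:00", "action": "view"},
]
# HR feed: home address and department for each EHR user.
HR = {
    "u1001": {"name": "Jane Hu", "address": "123 Main Street", "department": "Labor and Delivery"},
    "u1002": {"name": "Sam Lee", "address": "9 Elm Avenue", "department": "Pediatric Dentistry"},
    "u1003": {"name": "Ana Cruz", "address": "77 Oak Road", "department": "Labor and Delivery"},
}
# Patient demographics; employee_id is set when the patient is also a staff member.
PATIENTS = {
    "p5001": {"name": "Kevin Patient", "address": "123 Main St.", "age": 9,
              "department_seen": "Pediatric Dentistry", "employee_id": None},
    "p5002": {"name": "Maria Ortiz", "address": "40 Oak Avenue", "age": 34,
              "department_seen": "Pediatric Dentistry", "employee_id": None},
    "p5003": {"name": "Ana Cruz", "address": "77 Oak Road", "age": 41,
              "department_seen": "Labor and Delivery", "employee_id": "u1003"},
}

_SUFFIXES = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr"}


def normalize_address(addr: str) -> str:
    """Lower-case, strip punctuation, collapse whitespace and abbreviate street suffixes
    so that '123 Main Street' and '123 Main St.' compare equal."""
    words = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_SUFFIXES.get(w, w) for w in words)


@dataclass
class Hit:
    user_id: str
    patient_id: str
    ts: str
    reasons: list[str] = field(default_factory=list)


def correlate(access_log, hr, patients) -> list[Hit]:
    """Enrich each access row with HR and patient data and emit a Hit for every
    row that trips at least one rule. Rows that trip no rule produce nothing."""
    hits: list[Hit] = []
    for rec in access_log:
        user = hr.get(rec["user_id"])
        pat = patients.get(rec["patient_id"])
        if user is None or pat is None:
            # Cannot enrich: surface it for a human rather than silently dropping it.
            hits.append(Hit(rec["user_id"], rec["patient_id"], rec["ts"], ["unenriched_record"]))
            continue
        reasons: list[str] = []
        # Rule 1: user and patient share a home address (family / household member).
        if normalize_address(user["address"]) == normalize_address(pat["address"]):
            reasons.append("household_match")
        # Rule 2: the patient is a co-worker in the user's own department.
        emp = pat.get("employee_id")
        if emp and emp != rec["user_id"] and hr.get(emp, {}).get("department") == user["department"]:
            reasons.append("coworker_record")
        # Rule 3: the patient was seen in a department other than the user's.
        if pat["department_seen"] != user["department"]:
            reasons.append("department_mismatch")
        if reasons:
            hits.append(Hit(rec["user_id"], rec["patient_id"], rec["ts"], reasons))
    return hits


if __name__ == "__main__":
    for h in correlate(ACCESS_LOG, HR, PATIENTS):
        print(f"{h.ts} {h.user_id} -> {h.patient_id}: {', '.join(h.reasons)}")
```

Run as written, the Jane Hu row produces a hit with both `household_match` and `department_mismatch`, and the access to the co-worker’s record produces a `coworker_record` hit; the two same-department accesses produce nothing. Two points worth noting: without address normalization, “Main Street” versus “Main St.” would silently miss the household match, and a department mismatch on its own is a weak signal (consults, floating staff and cross-coverage all generate them), which is why a hit is the start of an investigation rather than a finding.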
These audit “hits” will be followed by an investigation by the HIPAA privacy officer, the employee’s supervisor, and in some cases, Human Resources. If the employee is a union member, the union representative will be notified of the investigation. If the user is a student, M&P or faculty member, they will be notified directly.
If the investigation reveals that the access was required or permitted for the performance of the employee’s job, no further action will be taken.
Access to a patient record or information within the record is required for the performance of your job if:
- It is part of your daily job requirements, and
- It is necessary for treatment, payment or Health Care Operations.
Access is permitted if:
- It is not part of your daily job requirements, and
- It is not strictly necessary for treatment, payment or Health Care Operations, but
- It will help a patient in some way by:
  - Promoting patient safety,
  - Preventing a missed appointment,
  - Improving the patient experience,
  - Providing good customer service, or
  - Promoting efficiency in our workflow; and
- Accessing the patient record, or a field, tab or function within the record, is the only way that you can obtain the information that you need for these purposes.
Disciplinary sanctions will not be applied if the access was required or permitted.
If you have questions that are not addressed in the FAQ, please contact the HIPAA Privacy Office at: firstname.lastname@example.org or call 203-432-5919.