Improved HIPAA Monitoring Process via FairWarning
Yale is coordinating with Yale New Haven Hospital to improve our monitoring of access to patient records through an automated system known as FairWarning. FairWarning simplifies our ability to detect potentially inappropriate accesses to hospital systems such as the new EPIC electronic medical record and other clinical systems. FairWarning combines access logs from multiple data systems which can then be queried for a variety of access characteristics. For example, reports can be generated on individuals accessing family member or co-workers records. These reports will then be reviewed by HIPAA Privacy staff in collaboration with departmental supervisors to determine work-related vs inappropriate record access. Inappropriate access is subject to disciplinary action in accordance with University policies. The ability to combine data sources will help to augment our current monitoring capacity and facilitate increased oversight of access to data.
HIPAA limits how we can use and disclose health information to a set of activities which mainly encompass activities related to treatment, payment for treatment and our healthcare operations. Details on how we can use and disclose health information is described in HIPAA Policy 5031, Authorization Requirements for Use and Disclosure of Protected Health Information.As a general rule, even though a person’s job duties allows them access to patient information, that information should not be accessed unless it is needed to perform their job-related duties. This is true not only for information related to VIP patients but also for access to your family members’ or friends records. If you do not need the information to do your job, you are violating HIPAA and Yale policy by looking at the information.
Enforcement of the HIPAA Privacy and Security Rules by the US Department of Health and Human Services (DHHS) was strengthened under the HITECH Act including increased fines and penalties for individuals and institutions that fail to comply. Recent enforcement activities such as the $865,500 settlement with UCLA Health System for inappropriate employee access to patient records indicate the seriousness with which DHHS intends to pursue HIPAA violations. FairWarning provides Yale the opportunity to ensure rigorous monitoring of access to patient records.
If you have any questions about HIPAA and the augmented monitoring practices, feel free to contact the HIPAA Privacy Office at firstname.lastname@example.org or 203-432-5919.