Access Monitoring FAQs


Introduction to Access Monitoring

The HIPAA Privacy Office uses a computer application designed to monitor compliance with the HIPAA privacy regulations. The application takes user activity reports from Electronic Health Record (“EHR”) systems, including Epic, links them with Human Resources data about the users, and then produces audit reports designed to root out unauthorized access.

The process uses audit data from Epic, other clinical systems and HR to show when users access records belonging to their co-workers, VIPs, family members or neighbors, or engage in other suspicious activity.

For example, suppose that Epic user activity data showed that Jane Employee accessed Kevin Patient’s record at 3:34 PM on Tuesday, January 22, 2014, and that nine-year-old Kevin Patient, who lives at 123 Main Street, was seen in Pediatric Dentistry. The monitoring software takes the Epic audit data one step further, gathering and analyzing demographic and employment data about Jane. So if Jane also lives at 123 Main Street and works in Labor and Delivery, the monitoring software can create an audit alert flagging what appears to be Jane’s unauthorized access to the record of a family or household member, or of someone who is probably not a patient in her department.
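The following Python sketch is an added illustration of the linkage just described; it is not the Privacy Office's monitoring software and does not use real Epic output. It joins constructed EHR access-audit rows with constructed HR and patient demographic records and applies the kinds of rules the example implies: same household, same street, patient is a co-worker in the user's own department, VIP patient, and no encounter in the user's department near the time of the access. The record layouts, field names, the 30-day window and the address normalization are assumptions made for the illustration, not the real system's rules.

```python
"""Toy access-monitoring linkage: EHR audit events joined with HR and patient
demographics to flag suspicious record access. All data below is constructed
sample data; the rules and record layouts are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Employee:            # assumed HR feed: one row per EHR user
    user_id: str
    name: str
    address: str
    department: str


@dataclass(frozen=True)
class Patient:             # assumed patient demographics feed
    mrn: str
    name: str
    address: str
    vip: bool = False


@dataclass(frozen=True)
class Encounter:           # assumed clinical feed: where/when the patient was seen
    mrn: str
    department: str
    when: datetime


@dataclass(frozen=True)
class AccessEvent:         # assumed shape of an EHR user-activity audit row
    user_id: str
    mrn: str
    when: datetime


def normalize_address(addr: str) -> tuple:
    """Reduce '125 Main St., Apt 2' to ('125', 'MAIN ST') so that households
    (same tuple) and neighbors (same street) compare despite punctuation,
    abbreviation and unit-number differences. Deliberately simple."""
    addr = re.sub(r"[.,]", " ", addr.upper())
    addr = re.sub(r"\bSTREET\b", "ST", addr)
    addr = re.sub(r"\bAVENUE\b", "AVE", addr)
    addr = re.sub(r"\b(APT|UNIT)\b\s*\w+|#\s*\w+", "", addr)   # drop unit numbers
    parts = addr.split()
    return (parts[0], " ".join(parts[1:])) if parts else ("", "")


def audit_access(events, employees, patients, encounters, window=timedelta(days=30)):
    """Return (user_id, mrn, reasons) for every access that trips a rule.
    An event with no HR or patient match is reported too: an audit row that
    cannot be linked to a user or patient cannot be cleared."""
    emp_by_id = {e.user_id: e for e in employees}
    pat_by_mrn = {p.mrn: p for p in patients}
    emp_by_name = {e.name.upper(): e for e in employees}   # patients who are also staff
    alerts = []
    for ev in events:
        user, pat = emp_by_id.get(ev.user_id), pat_by_mrn.get(ev.mrn)
        if user is None or pat is None:
            alerts.append((ev.user_id, ev.mrn, ("unlinked",)))
            continue
        reasons = []
        u_addr, p_addr = normalize_address(user.address), normalize_address(pat.address)
        if u_addr == p_addr:
            reasons.append("household")          # same house number and street
        elif u_addr[1] == p_addr[1]:
            reasons.append("neighbor")           # same street, different number
        coworker = emp_by_name.get(pat.name.upper())
        if coworker and coworker.user_id != user.user_id and coworker.department == user.department:
            reasons.append("co-worker")
        if pat.vip:
            reasons.append("vip")
        # Treated in the user's department within +/- window of the access?
        treated_here = any(
            enc.mrn == pat.mrn and enc.department == user.department
            and abs(enc.when - ev.when) <= window
            for enc in encounters)
        if not treated_here:
            reasons.append("outside-department")
        if reasons:
            alerts.append((ev.user_id, ev.mrn, tuple(reasons)))
    return alerts


def sample_alerts():
    """Run the rules over constructed data mirroring the Jane/Kevin example."""
    employees = [
        Employee("U100", "Jane Employee", "123 Main Street", "Labor and Delivery"),
        Employee("U200", "Bob Clerk", "9 Elm Ave", "Pediatric Dentistry"),
        Employee("U300", "Ann Nurse", "125 Main St., Apt 2", "Labor and Delivery"),
        Employee("U400", "Sam Tech", "77 Oak Road", "Radiology"),
    ]
    patients = [
        Patient("P1", "Kevin Patient", "123 Main Street"),
        Patient("P2", "Famous Person", "1 Park Ave", vip=True),
        Patient("P3", "Ann Nurse", "125 Main St., Apt 2"),     # staff member as patient
        Patient("P4", "Dana Smith", "5 Elm Ave"),
    ]
    d = datetime
    encounters = [
        Encounter("P1", "Pediatric Dentistry", d(2014, 1, 22, 15, 0)),
        Encounter("P2", "Cardiology", d(2014, 1, 20, 9, 0)),
        Encounter("P3", "Radiology", d(2014, 1, 21, 11, 0)),
        Encounter("P4", "Labor and Delivery", d(2014, 1, 22, 10, 0)),
    ]
    events = [
        AccessEvent("U100", "P1", d(2014, 1, 22, 15, 34)),  # Jane -> household member
        AccessEvent("U200", "P1", d(2014, 1, 22, 15, 40)),  # treating department: clean
        AccessEvent("U400", "P2", d(2014, 1, 23, 8, 5)),    # VIP, not Sam's department
        AccessEvent("U100", "P3", d(2014, 1, 22, 16, 2)),   # neighbor and co-worker
        AccessEvent("U100", "P4", d(2014, 1, 22, 16, 10)),  # Jane's own department: clean
        AccessEvent("U500", "P1", d(2014, 1, 22, 17, 0)),   # user missing from HR feed
    ]
    return audit_access(events, employees, patients, encounters)


if __name__ == "__main__":
    for user_id, mrn, reasons in sample_alerts():
        print(f"{user_id} -> {mrn}: {', '.join(reasons)}")
```

Note that the rules only raise alerts; as the text goes on to say, each alert still needs a human investigation, since the same data pattern (a Labor and Delivery user opening a Pediatric Dentistry record) can be a required or permitted access.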

These audit alerts will be followed by an investigation by the HIPAA Privacy Officer, the employee’s supervisor, and in some cases, Human Resources. If the employee is a union member, the union representative will be notified of the investigation. If the user is a student, M&P or faculty member, they will be notified directly.

If the investigation reveals that the access was required or permitted for the performance of the employee’s job, no further action will be taken.

Access to a patient record, or to information within the record, is required for the performance of your job if:

  • It is part of your daily job requirements, and
  • It is necessary for treatment, payment or Health Care Operations.

Access is permitted if:

  • It is not part of your daily job requirements, and
  • It is not strictly necessary for treatment, payment or Health Care Operations, but
  • It will help a patient in some way by:
      • Promoting patient safety,
      • Preventing a missed appointment,
      • Improving the patient experience,
      • Providing good customer service, or
      • Promoting efficiency in our workflow; and
  • Accessing the patient record, or a field, tab or function within the record, is the only way that you can obtain the information that you need for these purposes.

Disciplinary sanctions will not be applied if the access was required or permitted. 

If you have questions that are not addressed in the FAQ, please contact the HIPAA Privacy Office at hipaa@yale.edu or call 203-432-5919.