Data Integrity for Electronic Medical & Electronic Health Records
Although the terms are often used interchangeably, there are distinct differences between an Electronic Medical Record (EMR) and an Electronic Health Record (EHR).
An EMR refers to everything found in a paper chart, such as medical history, diagnoses, medications, immunization dates and allergies. While EMRs work well within the confines of a single practice, they have limitations because they are not easily transported outside that provider. In fact, a patient's medical record may have to be printed out, faxed or mailed for another provider to review it.
EHRs are digital records of health information. They contain all the information found in a paper chart as well as additional data: medical history, vital signs, progress notes, diagnoses, medications, immunization dates, allergies, lab data and imaging reports. They can also contain other relevant information, such as insurance and payment details, demographic data, and even data imported from personal wellness apps. The power of an EHR lies not only in the data it contains but in how it is accessed and shared. EHRs make health information instantly accessible to authorized providers across practices and health organizations, helping to inform clinical decisions and the coordination of patient care. An EHR can be shared with all clinicians and organizations involved in a patient's care, such as labs, specialists, imaging facilities, pharmacies, emergency facilities, and school and workplace clinics. EHRs are also necessary to meet the Meaningful Use requirements of the Medicare and Medicaid EHR Incentive Programs, which support the use of an EHR to improve patient care. To achieve Meaningful Use and avoid penalties on Medicare and Medicaid reimbursements, eligible providers must follow a set of criteria that serve as a roadmap for effectively using and managing an EHR. EHRs are the future of the healthcare system because they enable coordination of care among all providers in the healthcare ecosystem.
Personal Health Records
To further complicate matters, Personal Health Records (PHRs), in which a patient self-reports on a wide range of items (e.g. family history, illnesses and hospitalizations, procedures, vaccinations and daily living observations), present additional challenges when the PHR is connected to an EHR.
PHRs can bring tremendous benefits to the patient/health provider relationship by providing continuous and timely data, reducing communication barriers, making care less episodic and providing critical information for diagnosis and treatment during an emergency.
Health Insurance Portability & Accountability Act of 1996
HIPAA was enacted in 1996 and broadly has two main components. Title I protects health insurance coverage for workers and their families when they change or lose their jobs. Title II requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Under the requirements of Title II, HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule and the Enforcement Rule.
The Privacy Rule – The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions).
The Security Rule – While the Privacy Rule pertains to all Protected Health Information (PHI), whether on paper or electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of safeguards required for compliance:
- Administrative: Policies and procedures for selecting, implementing and maintaining security measures, and for demonstrating compliance with the Act
- Physical: Physical access controls to prevent inappropriate access to protected data and the systems that hold it
- Technical: Controls on the computer systems that hold EPHI: access control, audit controls, integrity controls, person or entity authentication, and transmission security so that EPHI sent over open networks cannot be intercepted or altered by anyone other than the intended recipient.
In healthcare, the audit trail, or metadata, is highly relevant evidence of who accessed what in the record, and of what entries were made or changed, by whom and when. The audit trail is an integral part of the medical record: it is the metadata about the medical record and cannot be separated from the record itself. Audit logs are also critical for providing forensic evidence during cyber security incidents and response, and for detecting potential threats and intrusions. Native audit logs can be tampered with and altered by anyone with sufficient access to the system that writes them; this is why a redundant and immutable copy of the audit trail, maintained separately from the native logs, is imperative on many levels.
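As an added illustration of the point above (this is example code written for this page, not code from any EHR product), the following Python builds a small hash-chained audit log. Each entry commits to the hash of the previous entry, so editing, deleting or reordering any earlier entry breaks every hash after it. On its own that is not enough: an insider with write access to the log can simply recompute the whole chain. The example therefore also keeps a copy of the latest hash (the "anchor") as if it were stored outside the EHR system, which is the "redundant and immutable" copy the text calls for, and shows that a fully rewritten chain passes the self-check but fails against the anchor. The user names, patient IDs and timestamps are constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry


def canonical(entry: dict) -> bytes:
    # Deterministic serialisation so the same content always hashes the same.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    return hashlib.sha256(canonical(entry)).hexdigest()


class AuditLog:
    """Append-only log where every entry commits to its predecessor's hash."""

    def __init__(self):
        self.entries = []

    def append(self, actor, patient_id, action, resource, when):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "when": when, "actor": actor,
                "patient": patient_id, "action": action, "resource": resource,
                "prev": prev}
        body["hash"] = entry_hash(body)  # hash covers every field except itself
        self.entries.append(body)
        return body["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, anchor=None):
    """Recompute every hash and link. Returns (ok, reason).

    `anchor` is the head hash as held by the separate, write-once store; when
    given, the recomputed head must match it."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i:
            return False, f"entry {i}: sequence gap or reordering"
        if body.get("prev") != prev:
            return False, f"entry {i}: broken link to previous entry"
        if entry_hash(body) != e.get("hash"):
            return False, f"entry {i}: content does not match stored hash"
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return False, "head hash does not match externally stored anchor"
    return True, "ok"


def rechain(entries):
    """What an insider with write access does: rebuild all links and hashes."""
    prev, out = GENESIS, []
    for e in entries:
        body = {k: v for k, v in e.items() if k not in ("hash", "prev")}
        body["prev"] = prev
        body["hash"] = entry_hash(body)
        out.append(body)
        prev = body["hash"]
    return out


def demo():
    log = AuditLog()
    # Constructed sample access events (hypothetical users and patient IDs).
    log.append("dr.smith", "P-1001", "VIEW", "labs/cbc", "2024-03-01T09:12:00Z")
    log.append("nurse.jones", "P-1001", "UPDATE", "vitals", "2024-03-01T09:15:30Z")
    log.append("billing.ann", "P-2042", "VIEW", "insurance", "2024-03-01T09:20:05Z")
    anchor = log.head()  # copied to the separate store at this point

    results = {"clean": verify_chain(log.entries, anchor)}

    # 1. An entry is edited in place to blame a different user.
    edited = copy.deepcopy(log.entries)
    edited[1]["actor"] = "dr.smith"
    results["edit"] = verify_chain(edited, anchor)

    # 2. An entry is deleted to hide an access.
    deleted = copy.deepcopy(log.entries)
    del deleted[1]
    results["delete"] = verify_chain(deleted, anchor)

    # 3. The whole chain is rewritten after the edit: self-consistent, but
    #    the head no longer matches the externally held anchor.
    rewritten = rechain(edited)
    results["rewrite_no_anchor"] = verify_chain(rewritten)
    results["rewrite_anchor"] = verify_chain(rewritten, anchor)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18s} ok={ok} ({reason})")
```

In practice the anchor would be written to a store the EHR application cannot modify (a WORM bucket, a separate SIEM, or a signed timestamp), and the verification would be run by the security team rather than by the application that writes the log; the point of the example is that the chain detects edits, while only the redundant copy detects a rewrite.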
Recent HIPAA Violation and Fine – Audit Logs
“Access to ePHI must be provided only to authorized users, including affiliated physician office staff” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
Since adoption, HIPAA violations have been cited in a number of areas, including lost and stolen devices, hacking, improper disposal, unsecured records and improper disclosure. As the health ecosystem naturally gravitates towards EPHI, the associated HIPAA compliance and cyber security risks will, at a minimum, track the same trajectory.