Improve Your Healthcare Practice Security With Audit Logs

How to Improve Your Healthcare Practice Security With Audit Logs

When was the last time that you reviewed your access logs in your healthcare practice?

In our policies, procedures, risk assessments, and privacy impact assessment submissions, we indicate the reasonable safeguards that we expect to implement in our practices to protect the privacy and security of health information.

But policies and good intentions alone aren’t enough.

We also need to take action on our policies.

We have tools, like audit logs, available to us. Audit logs of our computer and software systems are available to monitor users who have accessed the system and the information contained in the systems.


Audit logs monitor and record the transactions of users’ activities in your computer network and your electronic medical record (EMR). An audit log is an automated, real-time recording of who did what, and when, in your system.

For example, when a user logs in to your computer network at the beginning of the work day, the user name, date, time, and perhaps the workstation identifier are recorded in the audit log.

When the user logs into the EMR and creates, views, modifies, or prints from a specific patient record, each activity is recorded in the audit log. In this way, the audit log records both the activity of each user and, in each patient’s electronic medical record, who has accessed that patient’s health information.

You MUST implement, use, and monitor your audit logs

The regular review of the audit logs can demonstrate that the administrative, technical, and physical safeguards that we implement to protect the health information, our people, and our assets are working. Review of audit logs can also identify weaknesses so that corrective action can be taken to improve our privacy and security strategy.

For example, when you review your audit log, you may see that an employee (authorized user) is accessing the EMR after clinic hours. When you investigate, you find out that the billing clerk is doing the billing submission from home.

This might be OK in your healthcare practice (or not). But now you know what is happening in your clinic EMR after hours and you can take appropriate action.

Audit Logs Are Valuable Metadata

Taken from a different point of view, the audit log provides important additional information, or metadata, about the care and treatment of the patient. Knowing who created a clinic note, wrote a prescription, or reviewed a test result provides a story about the care that the patient received. For this reason, the audit log of the EMR is usually required by legislation to be maintained for the entire retention period of the patient’s record. This is generally 10 or more years for adult patients and longer if the patient was a child at the time that they were a patient or client in your practice.

How You Can Use Audit Logs to Improve the Security of Health Information In Your Practice

Snooping, or viewing someone’s health information for an unauthorized use, is not uncommon in healthcare. Snooping is always a breach of confidentiality and trust that our patients give to us.

Sometimes, snooping happens because someone is concerned or curious about a family member or friend and doesn’t intend to do anything ‘bad’ with that information.

We also know that people will sometimes access information for malicious purposes – that is, with a ‘criminal intent’ or to be mean or disparaging to the individuals involved.

Say No to Snooping

When you regularly review your audit logs, you

  • Create a deterrent to any user tempted to check something out ‘just this once, no one will know’.
  • Find potential threats or weaknesses in your current systems that you can improve to better mitigate your risks.

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This means having appropriate policies and procedures in place, and demonstrating and documenting that you have implemented your plans.

Action Steps That You Should Do Now

Use these points as a checklist to help you start using your audit logs to improve security in your healthcare practice.

  • Computer Network System Audit Log
    • Ensure that your computer network system has audit logging enabled.
    • Access and review your audit log. Don’t skip this step! Don’t assume that your audit logging is properly set up. You must discover how to access the audit log and record the procedure so that you can quickly access the audit log in the event that you have a privacy and security breach or routine security audit.
    • Determine how long your audit log information is accessible or retained. Is it included in your routine backup files? Legislative retention requirements differ but you probably want to keep the audit logs accessible for six months or longer.
    • Can you automate an audit log reporting tool to make it easier to review your audit logs regularly? Who in your healthcare practice is responsible for doing this?
  • Electronic Medical Records (EMR) / Electronic Health Records (EHR) System Audit Log
    • Most health information legislation and regulations now require EMR / EHR to include an integrated audit log / access log. Confirm that you have enabled your EMR / EHR audit log.
    • Access and review your audit log. Don’t skip this step! Don’t assume that your audit logging is properly set up. You must discover how to access the audit log and record the procedure so that you can quickly access the audit log in the event that you have a privacy and security breach or routine security audit.
    • Determine how long your audit log information is accessible or retained. Is it included in your routine backup files? Legislative retention requirements differ but you probably want to keep the audit logs accessible for as long as you retain the entire patient record – generally, 10 or more years.
    • Can you automate an audit log reporting tool to make it easier to review your audit logs regularly? Who in your healthcare practice is responsible for doing this? Check out the Practice Management Nuggets Podcast, How AI Improves EMR Auditing | Episode #094 with Rob Pruter from SPHER.

    • User activity recorded in an audit log is often visible to subsequent EMR users when they access a patient record. In the course of routine workflow, users may observe and question inappropriate access to an individual patient record. Instruct your users to notify the clinic manager or privacy officer if the audit log indicates a suspicious activity.
    • Include the review of audit logs as part of your routine privacy and security monthly audit.
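The after-hours billing example above and the checklist item about automating audit log review can be illustrated with a small script. This is an added example, not code from the article or from any EMR vendor: the log format, the clinic hours (07:00–19:00), the day’s encounter list and the volume threshold are all assumptions a practice would replace with its own.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample EMR audit log (not from a real system). Fields mirror what the
# article says an audit log records: who, what action, which patient, when, where.
SAMPLE_LOG = """timestamp,user,role,action,patient_id,workstation
2023-05-02T08:15:00,dr.lee,physician,VIEW,P1001,WS-EXAM1
2023-05-02T08:20:00,dr.lee,physician,MODIFY,P1001,WS-EXAM1
2023-05-02T09:05:00,nurse.kim,nurse,VIEW,P1002,WS-TRIAGE
2023-05-02T21:40:00,clerk.ray,billing_clerk,VIEW,P1001,WS-REMOTE
2023-05-02T21:42:00,clerk.ray,billing_clerk,VIEW,P1002,WS-REMOTE
2023-05-02T10:10:00,clerk.ann,admitting_clerk,VIEW,P2001,WS-FRONT
2023-05-02T10:11:00,clerk.ann,admitting_clerk,PRINT,P2002,WS-FRONT
2023-05-02T10:12:00,clerk.ann,admitting_clerk,VIEW,P2003,WS-FRONT
"""

# Constructed (assumption): patients with a registered encounter (appointment, admission
# or billing item) on that day. Access to a record not on this list has no obvious
# authorized purpose and should be explained by the user's manager.
ENCOUNTERS_2023_05_02 = {"P1001", "P1002"}

CLINIC_OPEN, CLINIC_CLOSE = 7, 19  # assumed clinic hours, 07:00-19:00 local time


def parse_log(log_text):
    """Parse the CSV audit-log text into dicts, adding a datetime field 'ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def after_hours(events, open_hour=CLINIC_OPEN, close_hour=CLINIC_CLOSE):
    """Accesses outside clinic hours: the 'billing clerk working from home' case."""
    return [e for e in events if not open_hour <= e["ts"].hour < close_hour]


def no_encounter(events, encounters):
    """Accesses to patients with no encounter that day: candidates for a snooping review."""
    return [e for e in events if e["patient_id"] not in encounters]


def distinct_patients_per_user(events):
    """How many different patient records each user touched."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["patient_id"])
    return {user: len(patients) for user, patients in seen.items()}


def review(log_text, encounters, max_patients=2):
    """Run the three checks and return the findings for the privacy officer."""
    events = parse_log(log_text)
    counts = distinct_patients_per_user(events)
    return {
        "after_hours": [(e["ts"].isoformat(), e["user"], e["patient_id"])
                        for e in after_hours(events)],
        "no_encounter": [(e["user"], e["action"], e["patient_id"])
                         for e in no_encounter(events, encounters)],
        # threshold is an assumption; tune it to the role and the size of the practice
        "high_volume": sorted(u for u, n in counts.items() if n > max_patients),
    }


def format_report(findings):
    """Plain-text summary suitable for the monthly privacy and security audit file."""
    lines = ["Audit log review findings"]
    for section, items in findings.items():
        lines.append(f"{section}: {len(items)}")
        lines.extend(f"  {item}" for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review(SAMPLE_LOG, ENCOUNTERS_2023_05_02)))
```

Each flagged item is a question for the clinic manager or privacy officer, not a conclusion: the after-hours billing work may be authorized, while the three accesses with no encounter need an explanation recorded in the investigation file.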


When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

How Can Cyber Insurance Help Me In My Clinic?

Cyber Insurance Can Help Protect Your Clinic

Cyber insurance is a type of insurance that provides protection against cyber attacks, data breaches, and other cyber-related risks. With the increasing number of cyber attacks, many businesses and individuals are starting to consider purchasing cyber insurance. However, there are many misconceptions about cyber insurance that need to be addressed.

The Risk Of Cyber Attacks To Small Business Is Rising

One of the most common misconceptions about cyber insurance is that it is only necessary for large corporations. However, even small businesses and individuals are at risk of cyber attacks and data breaches. Cyber insurance can provide protection against the financial and reputational damage that can result from these events.

Helps to Mitigate Risk

Another myth is that cyber insurance is too expensive. While it is true that the cost can vary depending on the level of coverage, it is often more affordable than many businesses and individuals realize. In fact, the cost of a cyber attack or data breach can be much higher than the cost of cyber insurance.

You can reduce the cost of insurance when you also have other physical, administrative, and technical safeguards in place to prevent the risk of a cyber attack. Systems to help you readily identify an attack and incident response plan to recover your business quickly may help to lower your overall insurance costs, too.

Some people also believe that cyber insurance is unnecessary if they already have traditional insurance policies in place. However, traditional insurance policies typically do not provide coverage for cyber-related risks. Cyber insurance is specifically designed to address these types of risks and provide protection against the unique challenges of cyber attacks and data breaches.

In today’s digital age, it is more important than ever to be proactive in protecting ourselves against cyber risks.

Discover How Cyber Insurance Can Safeguard Your Practice

To help dispel some of these myths, myla.Training is excited to bring in an expert in cyber insurance, Sylvie Forget-Swim from Palladium Insurance, to share important information and answer your questions. Sylvie specializes in working with dental and medical professionals to ensure they have a proper understanding of both their commercial and personal insurance needs.

Want to Learn More?

Do you want more tips and resources like these – for FREE?

Join Anne Genge and Jean L. Eaton for the “Ask Me Anything” style webinar for healthcare professionals, practice managers, privacy officers, and owners on Friday, April 21, 2023 at 1pm EST.

Anne is the founder of Myla Training Co., and a multi-certified cybersecurity expert with global awards for her work in cyber risk management, ransomware prevention, as well as cybersecurity education for healthcare providers.

This month, we will be sharing what dentists need to know about cyber insurance.

It’s free to attend.

Once you register, you’ll have access to the Zoom link on the day of the event.

When Clients Ask for Their Records – Release of Information Tips

I recently had the pleasure of being a guest on Kayla Das’ The Designer Practice Podcast, where we talked about an important topic for therapists and coaches: managing the release of information when it comes to record disclosure requests.

During the podcast, we covered a range of topics that are essential for therapists and coaches to understand. Here is a summary.

Listen to the full podcast “Episode 5: When Your Client Asks for a Copy of Their Therapy Record with Jean Eaton” for more insights and details.

Client’s Rights and Therapist’s Obligation

Individuals have the right to privacy and can choose what information they share and with whom they share it. As a therapist or business owner, it is your obligation to keep the information that patients or clients share with you confidential and secure.

Case Note Retention Practices

Therapists have an obligation to keep patient information confidential and secure, and to maintain records for the required retention period. The retention period varies depending on the province and discipline, but it is generally 10 years (plus the age of majority). It’s important to ensure that you keep control of the patient information for the entire retention period whether it’s on paper, electronic, or in the cloud.

Reasons Why a Client Might Request a Copy of Their Therapy Record

It is important to inform clients about the purpose of collecting their identifying information, as well as encouraging them to regularly review their records for accuracy. The client has the right to access a copy of their own information. Trust is a key factor in building a positive therapist-patient relationship, and open communication about record-keeping practices can help establish that trust.

Conversation with Client About Release of Information

The time when you collect information from the client is the ideal time to discuss with the individual what information is being collected and how it will be used. This is also an opportunity to discuss how the information may be shared in the future.

Best Practices for Third-Party Disclosure Requests with Client’s Expressed Consent

To ensure patients’ information is not disclosed without their consent, it’s important to have a conversation with them about what information is being collected and how it will be used. If a patient expressly states how they want their information shared (or not shared), you must record their wishes in their file and follow those instructions.

Privacy Legislation

All businesses must comply with privacy legislation. Therapists and life coaches in Canada will likely follow PIPA or PIPEDA legislation. Regulated health professionals (like registered nurses, physicians, pharmacists, chiropractors, and other custodians) working in private practice in Alberta are guided by the Health Information Act.

Best Practices for Third-Party Disclosure Requests Without Client’s Expressed Consent

Before disclosing any information without a client’s expressed consent, one should first determine if there is an immediate safety concern. If there is no immediate danger, it is essential to have the right paperwork in place, and appropriate legal authorization should be obtained before releasing any information without the client’s consent.

How to Manage a Conversation with a Third-Party Before Client Consent is Obtained

When managing a conversation with a third party before obtaining client consent, it is important to have a prepared script to respond to the request. The person making the request should know their legal authority and provide the request accordingly.

Considerations When Using Online Communication to Connect with Client

The use of technology in healthcare requires a proper risk assessment and due diligence to ensure that patient information is secure. Healthcare providers cannot transfer all the risks to the patient and need to take responsibility for the technology they use.

See the Practice Management Success Tip, “Can You Use Text Messaging With Patients?” for more help.

Release of Information Checklist

Businesses must document their policies and procedures for handling requests for information, and be transparent with clients about the process.

Use the Practice Management Success Tip, ‘Release of Information Checklist’ as a resource for managing and responding to access and disclosure requests.

This checklist will help you release patient records while keeping the privacy, confidentiality, and security of patient information top of mind!

Media Story Reveals Employee Snooping

Ontario’s Information and Privacy Commissioner (IPC) opened an investigation into a hospital’s management of employee snooping after three similar privacy breach reports were received from the hospital in 2020 and 2021. The IPC elected to review the privacy breach to ensure that the custodian had adequate safeguards to prevent similar instances.

The investigation found that the hospital had managed the breaches well and no recommendations were required, and findings were published in PHIPA Decision 204.

In this Privacy Breach Nugget series, I will take a look at each of these three incidents as guidance to better respond to a privacy breach in your healthcare practice.

What Happened

A news media story was published containing the names of patients at an Ontario hospital. The hospital Privacy Office initiated an audit which found that a Patient Accounts Clerk had accessed 28 health records without authorized purpose. This snooping is in contravention of the Personal Health Information Protection Act (PHIPA).

Managing the Breach

The Ontario Hospital’s management of the privacy breach can be examined using the 4 Step Response Plan.

4-Step Response Plan
Step 1 – Spot and Stop

The privacy breach was detected by the hospital when the media story aired. The hospital ran a preliminary audit on the health records of those patients named in the story that found suspicious access by an accounts clerk. Once identified, the hospital disabled the clerk’s access to the electronic health record (EHR) system and put them on administrative leave.

Step 2 – Investigate

After identifying the clerk, the hospital initiated second and third audits on their EHR accesses and found 28 patients whose records were accessed without authorized purpose. This is also known as employee snooping. The investigation established that those patients had been deliberately searched for in the EHR system, confirmed with the clerk’s manager that no authorized purpose was given to do so, and that the clerk had previously signed a Statement of Confidentiality and completed privacy and security awareness training.

Step 3 – Notify

The hospital notified those patients affected by the breach by telephone or mail. Under PHIPA s. 12(2), it is mandatory for custodians providing services in Ontario to notify patients whose personal health information has been used or disclosed without consent or authorized purpose.

Notification in this case was delayed for compassionate reasons as some of the health information accessed was from a deceased patient. One patient was not able to be contacted, and a note on their file was made for the registration department to notify the hospital’s Privacy Office the next time the patient registered at the hospital. The patient will be informed of the privacy breach on their return visit to the hospital.

The hospital also notified the IPC of the incident. It is mandatory for a custodian providing services in Ontario to report a privacy breach of personal health information to the IPC (PHIPA regulation s. 6.3 pursuant to PHIPA s. 12.3.)

Step 4 – Prevent the Breach from Happening Again

The hospital considered disciplinary action with the clerk; however, the clerk retired before any actions were taken. Policies and procedures at the hospital were reviewed, and changes made to immediately notify deceased patients’ families of a privacy breach going forward. The hospital’s Privacy Officer will now work closely with the Human Resources department to ensure more consistent investigations.

Commissioner’s Investigation

In the IPC report, the investigation also noted some positive measures taken by the hospital in managing privacy risks:

  • All new staff receive privacy awareness training and sign Statements of Confidentiality. Annual refresher training with new Statements of Confidentiality is mandatory.
  • The hospital’s Privacy Office communicates with staff on privacy issues during a yearly email campaign called Privacy Awareness Week.
  • The hospital’s Privacy Officer holds training sessions when requested or new information is available.
  • The hospital’s EHR system displays a privacy advisory reminder that staff must agree to before accessing information.
  • Policies and procedures are reviewed and amended every three years and when needed.
  • Policies and procedures, and investigation findings are properly documented.
  • As a result of this incident, the hospital outlined a plan to respond to the breaches and the investigation, and to future breaches involving patients who are deceased. These include updating privacy awareness training with examples of snooping similar to those investigated and sending quarterly emails to staff about access without authorized purpose and how to prevent privacy breaches.

Take-Aways

The hospital had pre-existing privacy awareness training and privacy breach management procedures. A review in response to the incident led the hospital to amend their notification procedures for privacy breaches involving deceased patients. Notification to the family will be made immediately in future when breaches involve a deceased patient.

You might need to consider modifying your policies and procedures, too, to include a similar scenario.

Watch for the next article where we share example #2 in IPC Decision 204.

Article submitted by: Aaron Myer

Reference

Ontario Regulation 329/04. Government of Ontario, 2006, https://www.ontario.ca/laws/regulation/040329#BK6. Accessed 9 June 2023.

Personal Health Information Protection Act, 2004. Government of Ontario, 2004, https://www.ontario.ca/laws/statute/04p03. Accessed 9 June 2023.

PHIPA Decision 204. Information and Privacy Commissioner of Ontario, 4 Apr. 2023, https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/521298/1/document.do. Accessed 9 June 2023.

 
Employee Snooping Reported by a Clerk’s Relative
Privacy awareness training including employee snooping awareness may prevent a privacy breach. Check out the second article in our Privacy Breach Nugget series for valuable insights and tips.

Ontario’s Information and Privacy Commissioner (IPC) opened an investigation into a hospital’s management of employee snooping after three similar privacy breach reports were received from the hospital in 2020 and 2021. The IPC elected to review the privacy breach to ensure that the custodian had adequate safeguards to prevent similar incidents.

The investigation found that the hospital had managed the breaches well and no recommendations were required. The findings were published in PHIPA Decision 204.

This is the second article in this Privacy Breach Nugget series with tips that you can use to better respond to a privacy breach in your healthcare practice.

Missed the first article? Check it out here.

What Happened

A complaint was made to an Ontario hospital by a relative of an admitting clerk that their health information was being accessed by the clerk without authorized purpose. The hospital’s Privacy Officer investigated and found that the clerk had accessed five individuals’ health records without authorized purpose. The investigation concluded with the termination of the clerk’s employment.

The incident was the second of three privacy breaches reported by the hospital to the Ontario Information and Privacy Commissioner in 2020 and 2021. This snooping is in contravention of the Personal Health Information Protection Act (PHIPA).

Managing the Breach

The Ontario Hospital’s management of the privacy breach can be examined using the 4 Step Response Plan.
Step 1 – Spot and Stop

The privacy breach was detected when the hospital’s Patient Experience Department received a complaint that an admitting clerk may have accessed a relative’s health information without authorized purpose. The hospital’s Privacy Officer was notified. The clerk’s access to the EHR system was disabled and they were put on administrative leave once an audit confirmed suspicious accesses were made.

Step 2 – Investigate

The hospital conducted audits of user access of the electronic medical record (EMR) system. This revealed that the clerk accessed five individuals’ health records without a need to do this as part of her job. The investigation also established that the clerk had previously signed a statement of confidentiality and received privacy awareness training. A meeting was held with the clerk, who admitted that she used the EMR to find a mailing address of a friend.

Step 3 – Notify

The hospital notified those patients affected by telephone or mail, and the incident was reported to the Ontario IPC.

Under PHIPA s. 12(2), it is mandatory for custodians providing services in Ontario to notify patients whose personal health information has been used or disclosed without consent or authorized purpose.

Notification to the IPC is a requirement of a custodian (including hospitals, community physicians, pharmacists, dentists, and other healthcare providers) under PHIPA regulation s. 6.3 pursuant to PHIPA s. 12.3.

Step 4 – Prevent the Breach from Happening Again

The hospital’s disciplinary actions ended in the termination of the clerk’s employment. The hospital reviewed and committed to maintain its privacy policies and procedures.

Commissioner’s Investigation

The IPC investigation found that the hospital had managed the breaches well and no recommendations were required, and findings were published in PHIPA Decision 204.

The investigation also noted some positive measures taken by the hospital in managing privacy risks:

  • All staff receive privacy awareness training and sign Statements of Confidentiality, and annual refresher training with new Statements of Confidentiality is mandatory.
  • The hospital’s Privacy Office informs staff on privacy issues during a yearly email campaign called Privacy Awareness Week.
  • The hospital’s Privacy Officer holds training sessions when requested or new information is available.
  • The hospital’s EHR system displays a privacy advisory that staff must agree to before accessing information.
  • Policies and procedures are reviewed and amended every three years and when needed.
  • Policies and procedures, and investigation findings are properly documented.
  • The hospital outlined a plan to respond to the breaches and the investigation. These include updating privacy awareness training with examples of snooping similar to those investigated and sending quarterly emails to staff about snooping and how to prevent privacy breaches.

Take-Aways

The hospital had pre-existing privacy awareness training and privacy breach management procedures. A review in response to the incident led the hospital to develop specific employee training to better understand and prevent snooping incidents. This is a good reminder that training is not a ‘one and done’ event. Refreshing training regularly with specific examples that relate to work activities can be more meaningful.

Watch for the next article where we share example #3 in IPC Decision 204.

Article submitted by: Aaron Myer

Reference

Ontario Regulation 329/04. Government of Ontario, 2006, https://www.ontario.ca/laws/regulation/040329#BK6. Accessed 9 June 2023.

Personal Health Information Protection Act, 2004. Government of Ontario, 2004, https://www.ontario.ca/laws/statute/04p03. Accessed 9 June 2023.

PHIPA Decision 204. Information and Privacy Commissioner of Ontario, 4 Apr. 2023, https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/521298/1/document.do. Accessed 9 June 2023.