Tuesday, January 22, 2013

Auditor: Inappropriate Access to EHR System

During an EHR implementation, a healthcare facility provided IT staff and contractors with broad access to the system so they could provide assistance to new users. As a result, the auditor said there was an increased risk of accidental changes and fraud, as well as possible noncompliance with the [HIPAA] Security Rule.
"did not limit access to those persons that had a strict business need, resulting in approximately 350 active user IDs with access to change data in multiple functions." - Louisiana State Legislative Auditor
The auditor recommended that the center:
  1. separate EHR duties and access for IT staff and contractors;
  2. closely control and monitor administrative access to the EHR system;
  3. create or modify EHR policies; and
  4. strengthen restrictions on access to patient and confidential information.

The facility agreed with the findings and recommendations and is developing the necessary policies and procedures.
Sources:
(a) Facility Granted Inappropriate Access to EHR System During Training - iHealthBeat, 01/10/13
(b) Auditor: Inappropriate access to electronic health records at LSU-S - The Advocate, 01/09/13

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.