An audit trail, a document that records the date and time of image and information access by individuals through a healthcare information system, is a federally mandated requirement for any practice treating Medicare beneficiaries. Although not a legal requirement, a medical monitor calibration log file—documentation that a diagnostic image viewing station has been properly calibrated in a timely manner—provides a record that a practice maintains the quality and consistency of its displays.
I have heard of two cases where a PACS administrator was required to provide audit trails and monitor-calibration records. Both cases had to do with the circumstances under which a diagnosis was made, as well as who read the study.
Unfortunately, there are only vague requirements about how long one must keep audit trails of image and information access in PACS and other healthcare information systems.
Audit trails are a clear HIPAA requirement and this is a feature that most medical manufacturers who deal with patient information access have added to their applications. The problem is that many vendors have added proprietary audit trail capabilities to their systems.
There is an Audit Trail and Node Authentication (ATNA) standard that is part of an IHE Infrastructure profile definition, which allows for audit trails to be exchanged in a standard manner. Most manufacturers do not adhere to this standard and store their audit trail a proprietary format, e.g. in an XML file. Some PACS administrators have written their own audit trail application in order to have easy access and search capabilities.
Just having an audit trail is not enough; administrators should verify and validate the data in this file on a consistent basis. Imagine that after a complaint is filed it comes to light that no one ever looks at the audit trail. A practice could have a difficult time defending the integrity of its audit trail data. An administrator I know suggested reviewing the audit trail on a bi-weekly basis by taking a random set of studies and clinicians and validating their access privileges.
Unlike the ATNA standard, there is no standard for the output of calibration data from a diagnostic or clinical display station. Chances are, if you have a mix of BARCO, NDS and WIDE monitors in your environment, you'll have three different calibration packages with three different sets of records.
There have been some proposals to standardize this data, but they have not yet gained traction within the DICOM community. (For those interested in the details, the proposals are in Supplement 124 of the DICOM standard, which can be downloaded from the DICOM Web site).
Lastly, if you are planning a major software upgrade, or switching to a different vendor's system, be sure to have a strategy for migrating the audit trails and calibration log files.
Make sure you monitor and keep these files secure. If possible, ask your vendors to deliver the data in a user friendly report and have them support a standard data encoding schema, such as ATNA.