Monday, November 1, 2010

Trails and Trials in HIPAA

The implementation of HIPAA's security and privacy requirements has resulted in nearly every U.S. PACS having an audit trail capability that records who, where, and when the system was accessed. These audit trails have not only helped ensure patient privacy and security, they also provide a practice with an independent record of its radiologists' patient access.

Although organizations such as the IHE have sought to standardize the protocol and format of HIPAA audit trails, vendors are free to implement the requirement as they see fit. The result has been largely incompatible implementations among different systems; however, administrators have learned to live with the issue. Manufacturers have begun to make audit trail information available in a more user-friendly format, and grassroots efforts at data mining by IT-savvy PACS administrators have helped to improve the situation.

On average, PACS administrators check their audit trails about once or twice a month, mostly to conduct random checks for unauthorized system access. These audit trail checks have uncovered the unauthorized access of patient records in several high-profile cases (typically celebrity patients), which resulted in disciplinary action against the transgressors.

In addition to recording unauthorized access, audit trails can also be used to resolve questions of authorized access. For example, I have been contacted by legal representatives of parties that needed to prove a physician saw a medical file. In one case, a patient died because a serious condition was missed by a radiologist who disputed that he had accessed the image; however, the log files in the audit trail were clear about his access.
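The two uses described above, the periodic check for unauthorized access and answering "did this physician open this study?", come down to the same operation: filtering the who/where/when records of the audit trail. The script below is an added illustration, not code from the post or from any PACS vendor. It works on a constructed, simplified access export (one CSV line per access event) rather than the IHE audit message format; the user ids, patient ids, care-team assignments and restricted-record list are all constructed sample data.

```python
"""Audit-trail review over a constructed PACS access export.

Added example. The export format is constructed for this illustration:
ISO timestamp, user id, workstation, patient id, accession number, action.
It is not the IHE/DICOM audit message schema.
"""
from datetime import datetime
from typing import Dict, List, NamedTuple, Set


class AccessEvent(NamedTuple):
    when: datetime
    user: str
    workstation: str
    patient: str
    accession: str
    action: str


# Constructed sample export: who accessed what, from where, and when.
SAMPLE_LOG = """\
2010-10-04T08:12:31,rad_jones,WS-READ-01,P1001,ACC-5501,VIEW
2010-10-04T08:40:02,rad_smith,WS-READ-02,P1002,ACC-5502,VIEW
2010-10-04T13:05:47,clerk_lee,WS-FRONT-03,P2000,ACC-6000,VIEW
2010-10-04T13:06:10,clerk_lee,WS-FRONT-03,P2000,ACC-6000,EXPORT
2010-10-05T07:55:00,rad_smith,WS-READ-02,P1003,ACC-5503,VIEW
2010-10-05T22:14:09,rad_jones,WS-HOME-VPN,P2000,ACC-6000,VIEW
"""

# Constructed: patients whose records get extra scrutiny (e.g. high-profile
# patients) and the users legitimately assigned to each of them.
RESTRICTED_PATIENTS: Set[str] = {"P2000"}
CARE_TEAM: Dict[str, Set[str]] = {"P2000": {"rad_smith"}}


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the CSV export into events; reject malformed lines rather than skipping them silently."""
    events: List[AccessEvent] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        when, user, workstation, patient, accession, action = fields
        events.append(
            AccessEvent(datetime.fromisoformat(when), user, workstation, patient, accession, action)
        )
    return events


def unauthorized_access(
    events: List[AccessEvent], care_team: Dict[str, Set[str]], restricted: Set[str]
) -> List[AccessEvent]:
    """The periodic check: accesses to restricted records by users not on that patient's care team."""
    return [
        ev
        for ev in events
        if ev.patient in restricted and ev.user not in care_team.get(ev.patient, set())
    ]


def accesses_by(events: List[AccessEvent], user: str, accession: str) -> List[AccessEvent]:
    """The records-request question: every time this account opened this study, in time order."""
    hits = [ev for ev in events if ev.user == user and ev.accession == accession]
    return sorted(hits, key=lambda ev: ev.when)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("Accesses to restricted records by users outside the care team:")
    for ev in unauthorized_access(log, CARE_TEAM, RESTRICTED_PATIENTS):
        print(f"  {ev.when.isoformat()} {ev.user:<10} {ev.workstation:<12} {ev.patient} {ev.accession} {ev.action}")
    print("Did rad_jones open ACC-5501?", bool(accesses_by(log, "rad_jones", "ACC-5501")))
    print("Did rad_smith open ACC-5501?", bool(accesses_by(log, "rad_smith", "ACC-5501")))
```

On the constructed data the check surfaces the two front-desk accesses to the restricted record and a third one made under a radiologist's account from a remote workstation outside reading hours. Note what the trail actually attributes: an access is tied to the account that was logged in, not to a person. That is precisely why the password-sharing point below matters; a shared credential turns an otherwise clear record into a dispute about who was at the keyboard.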

Cases such as these are good arguments to use when trying to convince physicians never to share user names and passwords. When there is legal action, the implications of password sharing can become dramatic. 

The logging of audit trails required by HIPAA not only helps maintain patient privacy and security, it also makes a radiologist's patient access clearly visible, which can help a practice determine who did what and when they did it.