2. Audit Trails
Part 1
As the adoption of technology in the health field spreads rapidly technologists are
making information more accessible for doctors giving them the ability to access records from
mobile devices. Critics and health professionals question this decision wondering how mobile
devices will measure up to computers as far as compatibility with EMR software and the
security needed to protect the information the software manages. Even with these doubts
progress has allowed some EMR systems to be integrated with mobile technology and is
currently being used by medical professionals.
With the implementation of EMR software on mobile devices it has given medical
providers an simple tool to use while having the freedom of motion. This new freedom comes
with added responsibility requiring extra monitoring due to the lack of security that mobile
devices provide. If I was to use a mobile device to connect to a medical facility I doubt it would
be a blackberry, but first the device would have to be encrypted to reduce the chances of
hacking. If a network isn’t secured properly packets sent over these internet connections can be
intercepted and used for other purposes resulting in a security breach. Mobile devices are not
as secure as computers are due to the lack of software applications and hardware available.
I would then have to log into the EMR system using a username and password. I would
place an audit check here at this location checking to see who logged in and what device they
used. After I logged into the system I would then search for the patient that I was looking for
through the patient lookup. An audit check would be placed here to see what links I clicked on
before finding the patient and how long it took to select a patient. A check would also be run to
see whether that patient actually had an appointment that day or not. The amount of times I
had accessed the patient’s information and why would also be recorded to see if there were
any abnormal correlations between each occasion the data was accessed.
When I found the patient I would then go under the treatment section and prescribe the
prescription that they needed.An audit check would be placed at this location and possible red
flag might be raised because a prescription was prescribed at random. If the patient had seen
the doctor for a regular visit before the prescription was prescribed then a flag wouldn’t be
raised but it would still be checked. If the patient had not visited the doctor but the prescription
was prescribed a check would be placed to see if the prescription was a refill or just some
random medicine. If it was some random medicine a check would ran to see what type of
medicine it was and how often the doctor prescribes the medicine. The audit check would also
measure how often the patient receives that type of prescription and if relates to any problems
3. that they have had in the past. After prescribing the medicine to the patient I would then log
out of the EMR system and continue doing whatever I was doing before logging into the
system. An audit check would be placed here to see what time I logged out of the system.
Role Based Access Control (RBAC)
When a medical facility makes the transition to a computer based system to operate
their organization certain precautions have to be taken to ensure that patient information
remains secure in any situation. This requires the facilities to abide by HIPAA policies while
creating ways to keep the information safe. The information must be protected from outside
threats such as hackers as well as interior threats which usually directs the attention towards
the employees of the organization. This is why Role Based Access Control was introduced to
organizations. RBAC is a feature usually controlled by the administrators which limits the
amount of permissions each member of the organization has.
Before RBAC permissions were granted to each member of the organization individually.
The administrator would have to select permissions they were allowed to have separately
which would be very tedious if it was a large company. With RBAC you can create a role with
the permissions you want that role to have and then add different members to that role.
Whatever permissions that were granted to that role would then be given to the members.
Creating roles prevents members from accessing the root level of a system and seeing
information they shouldn’t have access to. In a medical facility you wouldn’t want a Registered
Nurse to have the same permission as a Medical Doctor. If a RN had the same role as a MD they
would have ability to prescribe medicine to patients even though they’re not a real doctor. In
most facilities the CIO has unlimited access and the IT technicians are directly under them. After
the technicians the permissions trickle down from the directors all the way down to the
maintenance employees with each group having less permissions than the previous role.
Providing Privacy
In today’s modern health system a patient’s medical information is viewed as some of
the most important data floating in a cloud. Though this cloud this cloud is surrounded by steel
bars it can still be accessed if the proper actions are taken. When it comes to privacy electronic
medical records the government has gone to great lengths to protect patient data. With this
effort the Health Insurance Portability and Accountability Act was passed in 1996 to ensure the
safety of this data. Medical facilities have designed different systems as well to protect data
including the administering of HIPAA exams to all personnel who come in contact with this
information to creating secure facilities to house the information. With the security precautions
4. set in place health information managers have made it possible for these records to be
accessed while following HIPAA regulations.
The current design of our health system has it set up where most medical providers
have control over patient records and in some instances the health information managers or
chief information officers control the records. I feel that having CIOs manage the information is
the best method to keep information safe from inside and outside threats. Before technology
was embraced by the health field paper records were kept in places that were in plain sight.
This information was available for the taking if the person desired it enough. Records could also
be seen by any personnel that worked in the medical facility leaving patient information
extremely vulnerable. With these assessments came the introduction of digitalizing and
encrypting patient information to keep it safe from unqualified eyes.
I agree with the idea of keeping patient records secured for none to see without
authorization, but I don’t necessarily agree with keeping the information from the patient
themselves. There have been many arguments as to whether patients should be given full
control over their information. I believe that the patient should have full access to their records
whenever they request them being that the information is about them and wouldn’t exist
without them. Arguments as to whether the patient is responsible enough to manage their
records and keep them private still persist making the task of retrieving records quite tedious.
The only way for patients to receive their records is by filling out request forms which could
take up to a week to process. It could possibly take longer to actually receive the records
depending on the practice inconveniencing the patient.
As pointed out by McClanahan the health system has a few adjustments to make in
order to provide a better service to consumers with the first change granting patient’s
ownership of their records (2008). I also agree with McClanahan that medical providers should
oversee the patient’s records as they already do. Though patient records belong to the patient
most are health and technology illiterate making the job of managing their own records difficult
and sometimes impossible because of the lack of technology. I believe the way our system is
currently setup is the best possible way to manage the privacy and access to electronic medical
records until patients are more knowledgeable.
Who Can Be Trusted With Health Information
My health informatics knowledge has developed over time from classroom encounters
and hands on experience providing me with a modern insight as to how information should be
archived. I’ve learned that the responsibility of managing health information should not be left
up to one entity but a combination of different professionals all playing their specific roles. I
believe keeping medical information secure should be a joint effort between physicians, the
government, the consumer, CIOs, and RHIO. Whether these entities can be trusted or not is still
5. up for debate but the due to the rush for technology implementation into medical facilities
there are no other alternatives.
Placing medical records in someone’s possession for safe keeping is a decision that
should be carefully thought out before acting. Medical information has the chance of
beingmishandled in many instances which could lead to the downfall of a carefully designed
infrastructure if not managed properly. I believe that the role of the doctor should be to create
the patient records as they already do with no other responsibilities. A doctor has substantial
amount of tasks to perform as far running a medical facility and being a doctor helping patients.
Medical providers shouldn’t have to worry about whether a copy of a patient’s record was
secured.
The government’s role in operation should only be enforcing laws such as HIPAA and
making sure that everyone plays a role. Due to the way the government is ran I don’t believe
they can be trusted with a patient’s information. The government already violates human rights
and privacy by ceasing control of other electronic information to do as they please they
shouldn’t be given control over these records as well. Being that the government likes to
approve laws like CISPA they can’t be trusted with consumer information.
I believe the consumer should be given more responsibility when it comes to managing
their records. There are too many consumers who are illiterate to health informatics. They
should be educated on what EMRs are and how they are used to keep records secure. They
should then be given a copy of their records for easy access. I don’t agree with making them
pay to receive their own records, which is the case in many instances. Government officials and
other healthcare affiliates say that they don’t trust consumers with their own information but
not many trust them with the information either.
Patient information should be handled directly by the CIO of a medical facility. They
have acquired the knowledge needed to secure the information with encryptions and backups
and should be solely responsible for all data. RHIO should be responsible for making sure the
information is able to be transferred between different organizations. As far as I’m concerned
they have been failing at this task for years so that should be their only concern. With the
infrastructure setup this way it will lead to a better system and possibly help RHIO advance a
little faster. Information management cannot be left to one individual because the job requires
assistance from people of many professions.
Through months of studying Health Informatics I have observed a medical system
progress successfully using a CIO as the gatekeeper for patient information. CIO’s possess skills
to secure a network preventing hackers from accessing information. They also possess the
knowledge of how to set up servers to back up files which is important when dealing with
6. electronic data. There’s always a chance of information being lost or deleted accidentally. In
fact I’ve witnessed information get deleted then get recovered by a CIO because they knew
how to use a database and was able to find the information.
When it comes to managing information there’s no other person I would trust with the
information than a Chief Information Officer who was trained to manage information. Though
doctors play an important role in patient records I’ve seen them make mistakes such as
entering information into the wrong patient files or adding documents to the wrong files. These
errors require information technologist to retrieve the information and put it in its proper
place. Most instancesmistakes are corrected by health information technicians not because
they have administration rights to the system but because doctors don’t possess the knowledge
to correct the error themselves. CIOs not only possess IT skills but they also know health
information such as HIPAA policies qualifying them even more for this responsibility. These
reasons are why I trust IT professionals to manage patient records over all other entities that
currently deal with medical data.
Sources
McClanahan, K. (2008). Balancing Good Intentions: Protecting the Privacy of Electronic Health
Information. Bulletin of Science, Technology & Society.