Confidentiality, Privacy and Security

EMR Audit Trails

  • 1.  EMR Audit Trails

    Posted 14 days ago
    Does anyone consider the EMR audit trail part of their legal health record?  And, does anyone disclose audit trails to patients/attorneys?  If you maintain audit trails, what is the retention period.
    Thank you

    ------------------------------
    Elisa R. Gorton, MAHSM, RHIA, CHPS, CHC
    Sys. Director, Compliance
    Hartford Healthcare
    egorton@stvincents.org
    ------------------------------


  • 2.  RE: EMR Audit Trails

    Posted 14 days ago
    No and No.   If we have a positive EMR audit it is retained with our HIPAA documentation for six years.  Non-positive are not retained.  Hope this helps.

    ------------------------------
    Nancy Davis, MS, RHIA, CHPS
    Director of Compliance & Safety
    Door County Medical Center
    ------------------------------



  • 3.  RE: EMR Audit Trails

    Posted 12 days ago
    I agree with Nancy.  No and No. Our IT maintains the audit trail for 6 years.





  • 4.  RE: EMR Audit Trails

    Posted 13 days ago
    No to both.  They were internal at my former facility and performed on an as needed basis.  I believe the same is true for my new facility, but I'm not completely sure.
    We only have out the Accounting of Disclosures when asked by a patient.

    ------------------------------
    Jesse Floyd, MHI,RHIA
    ------------------------------



  • 5.  RE: EMR Audit Trails

    Posted 13 days ago
    Adding  few more votes.

    Part of the legal health record...no.

    Audit trail retention...6 years.  Now when I say audit trail...I'm not referring to the data that comprises the audit trail, but rather the report or review results from the audit trail audit, whether it was positive or not if the audit trail review or often it is called some type of "report" is part of your HIPAA activities and would then be part of your HIPAA work product.

    Many years ago folks thought they had to hold on to the audit trail data and OCR representatives at a conferences indicated that the audit trail data itself did not need to be retained but rather the report or other document that provided the results of the audit trail review.  However, many organizations make the decision to also keep a copy of the data as well (totally fine...they can do so).  This may be redundant because you can always go back and rerun an audit trail if you need to recreate the data.

    Hope this helps!





    Posted: 3:56 AM AZ time

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 6.  RE: EMR Audit Trails

    Posted 13 days ago
    The answer to the first question is no.

    The answer to the second question is maybe.  We do not release audit trail reports or our internal investigation report to the patient/legal representative.  We have also not released directly to an attorney.  However, we have sent audit trail reports and our findings to our Risk Management department in response to their requests and/or our attorneys' request when they are preparing for litigation.  On occasion, we have been asked about why a certain individual accessed the record.  I need to round back with our RM folks, but I believe that they may have provided the audit trail to a complainant's attorney.

    While the audit trail and our report of findings may not be part of the legal health record, I believe that this documentation may be "discoverable".  The work product is not covered by "Peer Review" at our organization.

    ------------------------------
    Catherine Stackhouse
    Director, Health Information Protection
    Wellspan Health
    ------------------------------



  • 7.  RE: EMR Audit Trails

    Posted 13 days ago
    I absolutely 100% agree with Frank above. I will add that if we are requested through court order to produce the audit trail we will work through our Risk Management team and along side our attorneys on what must be produced.

    ------------------------------
    Lori Richter
    Ehr Compliance, System Director
    ------------------------------



  • 8.  RE: EMR Audit Trails

    Posted 12 days ago
    We do not consider the audit trail a part of the legal record either. However, we had a case where it was specifically subpoenaed and we did release it to the prosecutor on the order of the judge.

    ------------------------------
    Kathryn Wood, RHIA
    Assist Dir of Information Systems/Privacy Officer
    War Memorial Hospital
    ------------------------------