Confidentiality, Privacy and Security

External access to EHR- no audit capabilities

  • 1.  External access to EHR- no audit capabilities

    Posted 07-18-2019 13:31

    All -

    I just started a position as a compliance manager for a clinic system.  They are in the middle of an upgrade to a new version of their EHR, and they plan to extend access to it to external organizations for informational purposes.  The new version does not contain a READ ONLY version of access - the read only user can still make changes to the record.  Furthermore, there are limited auditing functions available for these users.

    I do not feel comfortable giving access to outside entities given we can't audit their use of our record.  I'm looking for people to give me their opinion as well as point me toward any direction that may be helpful in making my case to COO/CFO.

    Thank you,

    Sarah Jackson
    Compliance Manager

  • 2.  RE: External access to EHR- no audit capabilities

    Posted 07-19-2019 07:32

    Sarah, You are right to have concerns.  The underlying premise of HIPAA is the confidentiality, INTEGRITY, and availability of patient health information.  I am not sure how you would be able to maintain integrity if 1) any access user has the capability of editing/altering information; and 2) you would not be able to audit access, let alone edits.  I am not sure how an EHR vendor could promote a product without these capabilities.  You may want to clarify with the vendor; could it possibly be a misinterpretation by your local EHR implementation team?

    Nancy Davis, MS, RHIA, CHPS
    Director of Compliance & Safety
    Door County Medical Center