Health Information Technologies and Processes

External access to EHR- no audit capabilities

Lori L. Richter, Healthcare Management, Leadership, RHIA, CHPS, MA, CPHI 07-23-2019 09:48

Melany A. Merryman, Master in Strategic Leadership (MSL), Health Inform 07-24-2019 15:31

  • 1.  External access to EHR- no audit capabilities

    Posted 07-18-2019 13:31

    All -

    I just started a position as a compliance manager for a clinic system.  They are in the middle of an upgrade to a new version of their EHR, to which they plan to extend access for external organizations for informational purposes.  The new version does not contain a READ ONLY version of access - the read only user can still make changes to the record.  Furthermore, there are limited auditing functions available for these users.

    I do not feel comfortable giving access to outside entities given we can't audit their use of our record.  I'm looking for people to give me their opinion as well as point me toward any direction that may be helpful in making my case to COO/CFO.

    Thank you, 


    Sarah Jackson
    Compliance Manager

  • 2.  RE: External access to EHR- no audit capabilities

    Posted 07-19-2019 09:48



    I would never allow any external access to our EHR if they had the ability to edit. Our IS department is very good at backing up our security concerns, particularly in this day and age of ongoing cyber-attacks, breaches, and ongoing EHR issues. It would put the hospital at risk to allow such open-ended access. In addition, audit trails have to be able to demonstrate many important transactions in detail. They are discoverable during litigation and I can only assume if there is an issue with the content, it would be worse when trying to fight a lawsuit. My suggestion would be that if they still decide to go with allowing access, you make sure you have in writing what the dangers are and that you disagree with such access from the Compliance/Risk side. Hope that is helpful.





  • 3.  RE: External access to EHR- no audit capabilities

    Posted 07-23-2019 09:48
    I would recommend putting a very streamlined policy around who can and cannot have access. If the access is open access, I would ensure there is a valid user agreement and contract with the entity that you are allowing access for. I would also recommend updating the system's audit capabilities and requiring the entity to do auditing that you provide them to ensure the access is appropriate.

    Lori Richter
    Onecare Ehr Compliance Director
    Catholic Health Initiatives

  • 4.  RE: External access to EHR- no audit capabilities

    Posted 07-24-2019 15:31
    I would check to see if there is a health information exchange (HIE) in your area that your clinic system could possibly join.  We have been encouraging more organizations to join our local HIE and another one we participate in (ConnectLA) that requires user agreements from all entities who join and allows you to limit what you push out to the HIE and receive in return.  The good news is this info IS read only!  Hope this helps and good luck in your new position!

    Melany Merryman
    Director, HIM & CDI
    Torrance Memorial Medical Center