I just started a position as a compliance manager for a clinic system. They are in the middle of an upgrade to a new version of their EHR, which they plan to extend access to for external organizations for informational purposes. The new version does not contain a READ ONLY version of access - the read only user can still make changes to the record. Furthermore, there are limited auditing functions available for these users. I do not feel comfortable giving access to outside entities given we can't audit their use of our record. I'm looking for people to give me their opinion as well as point me toward any direction that may be helpful in making my case to COO/CFO. Thank you,
I would never allow any external access to our EHR if they had the ability to edit. Our IS department is very good at backing up our security concerns, particularly in this day and age of ongoing cyber-attacks, breaches, and ongoing EHR issues. It would put the hospital at risk to allow such open-ended access. In addition, audit trails have to be able to demonstrate many important transactions in detail. They are discoverable during litigation and I can only assume if there is an issue with the content, it would be worse when trying to fight a lawsuit. My suggestion would be that if they still decide to go with allowing access, you make sure you have in writing what the dangers are and that you disagree with such access from the Compliance/Risk side. Hope that is helpful.