How to conduct a thorough EHR audit
An EHR audit should be conducted for a number of reasons.
Even though the federal EHR incentive program is now administered under CMS’s Promoting Interoperability programs, practices should treat Meaningful Use requirements as the historical baseline while updating controls to match current Promoting Interoperability and interoperability expectations.
Although attestation to a federal program does not eliminate the risk of audit, federal and HHS audit activity continues: the HHS Office for Civil Rights maintains a HIPAA Audit Program and publishes an audit protocol that covered entities and business associates should review and use to align their internal audits.
Maintaining a strong internal audit protocol is vital for practices to meet Meaningful Use criteria and avoid financial penalties. The financial and reputational cost of a breach is also substantial.
Recent analyses show the average total cost of a data breach is in the millions, a figure organizations should factor into their risk calculations.
Internal audits also help guard against data security threats, from accidental disclosures to malicious attacks.
Below, we outline four important steps to conducting an effective EHR system audit.
1. Treat Meaningful Use as the baseline
Firstly, a practice should always treat the Meaningful Use audit checklist provided by the government as the baseline steps for an EHR audit. The government checklist can be found online.
Using the steps prescribed by the government will allow for a methodical approach to internal audits. However, as will be discussed below, these steps should be treated as only the beginning.
Treat the old Meaningful Use requirements as the baseline, but prioritize current Promoting Interoperability (PI) measures and interoperability expectations promoted by CMS. Map any MU-era controls to current PI and ONC interoperability guidance, and document the mapping so auditors can see how historical attestations connect to the current program requirements.
2. Understand that Meaningful Use/Promoting Interoperability and HIPAA/HITECH compliance are not enough
The requirements for Meaningful Use compliance and HIPAA certainly overlap and have been viewed as redundant to the preexisting duties found under HIPAA and HITECH. Don’t be lulled into the assumption that compliance with all three of these standards will eliminate all forms of security risks.
A strong internal program goes beyond checklist compliance. Build a formal privacy-and-security operating model that includes: a written privacy policy; role-based access controls; regular EHR audit-trail review; workstation and mobile-device controls; documented breach-notification procedures; and a remediation/mitigation workflow tied to evidence.
That operating model should be reviewed and updated at least annually or after any significant change (EHR upgrade, new third-party integration, major staffing changes).
The foundation of a strong security risk mitigation program rests on a solid internal privacy policy. The privacy policy should serve as a clear model on which all stakeholders in a practice base their data handling practices. A strong privacy policy should provide guidance on topics such as workstation security, passwords, establishing an audit trail for record handling, access controls, and the use of mobile and off-site devices, among others.
Routinely test and document the privacy policy through tabletop exercises and simulated incidents so the organization can show evidence of testing and lessons learned during an audit.
3. Be ready for HHS OCR audits and use the Audit Protocol as a template
Beginning in 2016, OCR launched Phase 2 of its HIPAA Audit Program; OCR continues to maintain an audit program and a public audit protocol.
Use the OCR Audit Protocol to build the internal audit scope, gather the policy and evidence buckets OCR describes (policies/procedures, training records, risk analyses, mitigation plans), and prepare for both desk and possible site-based reviews.
Assign a single point of contact to compile evidence (policies, logs, training certificates, risk assessment documents) and run an internal mock-audit at least annually. Document findings and remedial steps with timestamps and assigned owners.
4. Do not forget about state-specific data handling rules
HIPAA and HITECH receive most of the attention from a data privacy perspective, but their prominence often overshadows the fact that many states maintain their own data privacy standards. Therefore, it is important to understand the compliance and audit procedures at the state level and incorporate them into the overall risk strategy.
Create a two-column matrix that lists federal obligations (HIPAA/HITECH/PI) on one side and each applicable state requirement on the other, and document how the practice meets (or will meet) each state requirement. Keep that matrix with your audit packet.
Make EHR audit trails the center of your technical evidence
Audit trails are the single most important technical artifact for most EHR audits. Audit trails capture who did what, when, from where, and (when supported) why.
They are useful for forensic investigations, regular compliance checks, and research into workflow; studies also show that EHR log data is a rich source of operational insight.
- Confirm that audit logging is enabled for all critical EHR modules (clinical notes, medication administration, orders, results access, export/download, and user management).
- Verify each log entry contains user ID, timestamp (UTC), workstation or IP address, action type (view, edit, delete, export), record identifier, and, where possible, an explicit reason or clinical justification field.
- Review anomalous patterns: repeated views of unrelated patient charts, off-hours access, large-volume exports, or failed privileged-access attempts.
- Retain audit logs according to policy. It is a HIPAA requirement for covered entities and business associates to retain audit log records for a minimum of six years; when state law is stricter, follow the stricter requirement and document the legal basis for retention.
- Automate alerting for high-risk events (bulk export, privilege elevation, multiple failed logins) and feed audit logs into a SIEM (security information and event management) or log-management tool for correlation and retention.
- Run periodic integrity checks on log storage (hashing, write-once storage, or WORM where possible) so auditors can verify log completeness.
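The anomaly review described in the list above, as an added illustration that is not part of the original article or of any EHR vendor's code: it parses constructed audit-trail lines carrying the fields the checklist asks for (user ID, UTC timestamp, source IP, action, record ID, stated reason) and flags off-hours access, unjustified browsing of many distinct charts, large-volume exports and repeated failed privileged logins. The log format, field order and all thresholds are assumptions to be adapted to the practice's own EHR export.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample audit-trail lines (not from any real EHR), one per line:
# user_id,UTC timestamp,source IP,action,record_id,stated reason (may be empty)
SAMPLE_LOG = """\
nurse01,2024-03-04T09:12:00Z,10.0.5.21,view,PT-1001,treatment
clerk07,2024-03-04T02:10:00Z,10.0.7.40,view,PT-2201,
clerk07,2024-03-04T02:11:00Z,10.0.7.40,view,PT-2202,
clerk07,2024-03-04T02:12:00Z,10.0.7.40,view,PT-2203,
clerk07,2024-03-04T02:13:00Z,10.0.7.40,view,PT-2204,
admin02,2024-03-04T13:00:00Z,10.0.9.9,login_failed,ADMIN,
admin02,2024-03-04T13:00:30Z,10.0.9.9,login_failed,ADMIN,
admin02,2024-03-04T13:01:00Z,10.0.9.9,login_failed,ADMIN,
analyst3,2024-03-04T11:00:00Z,10.0.3.3,export,PT-3001,research
analyst3,2024-03-04T11:05:00Z,10.0.3.3,export,PT-3002,research
analyst3,2024-03-04T11:10:00Z,10.0.3.3,export,PT-3003,research
"""

def parse_log(text):
    """Parse CSV-style audit lines into dicts; timestamps become aware UTC datetimes."""
    entries = []
    for line in text.strip().splitlines():
        user, ts, ip, action, record, reason = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"user": user, "when": when, "ip": ip, "action": action,
                        "record": record, "reason": reason})
    return entries

def find_anomalies(entries, start_hour=6, end_hour=20, chart_limit=4,
                   export_limit=3, failed_limit=3):
    """Return {user: [finding, ...]}; thresholds are assumed values, tune per practice."""
    per_user = defaultdict(list)
    for e in entries:
        per_user[e["user"]].append(e)
    findings = defaultdict(list)
    for user, evs in per_user.items():
        actions = Counter(e["action"] for e in evs)
        # Off-hours access: any event outside the configured UTC business window.
        if any(not start_hour <= e["when"].hour < end_hour for e in evs):
            findings[user].append("off_hours_access")
        # Many distinct charts viewed with no stated reason looks like browsing.
        unjustified = {e["record"] for e in evs if e["action"] == "view" and not e["reason"]}
        if len(unjustified) >= chart_limit:
            findings[user].append("unjustified_chart_browsing")
        if actions["export"] >= export_limit:
            findings[user].append("large_volume_export")
        if actions["login_failed"] >= failed_limit:
            findings[user].append("repeated_failed_logins")
    return dict(findings)
```

Each finding is a lead for the reviewer to check against the stated reason, the user's role and the schedule, not a conclusion on its own; in production the same rules would run in the SIEM over the full retained log rather than over an embedded sample.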
A closing note
In the case of internal EHR audit and the preparation of external audits, never view too much precaution as a waste of resources. Given the financial and operational risk of noncompliance or a data breach (and the continuing federal audit activity), over-preparation (well-documented, repeatable controls and a strong, auditable EHR audit trail) will usually cost less than recovering from a successful breach or a failed audit.