A.What is an “audit trail”?
An audit trail can be defined in basic terms as a “record that shows who has accessed a computer system, when it was accessed, and what operations were performed.” Brodnik, Melanie, et al., Fundamentals of Law for Health Informatics and Information Management. Chicago, IL: AHIMA, 2009, 215. Pursuant to the Health Insurance Portability and Accountability Act (HIPAA), medical providers who use EHRs must have systems in place to review and audit access to records, as well as prevent unauthorized access. 45 C.F.R. §§ 164.308(a)(1)(ii)(D), (a)(3)(i), 164.312(1)(b). Compliance with HIPAAs requirements is routinely obtained through the use of audit trails, which track the information required by HIPAA and provide a mechanism for determining if there has been a security breach.
One of the problems is that there are a variety of different vendors of EHRs and thus, a variety of different formats for audit trails. If you are using audit trails in litigation, you cannot count on the audit trail from Hospital X to look anything like, or contain the information contained within, the audit trail from Hospital Y. EHR certification requirements mandate that the following data be recorded in an audit trail: type of action (additions, deletions, changes, queries, print, copy); date and time of event; patient identification; user identification; and identification of the patient data that is accessed. Health Information Technology: Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology, Final Rule (September 4, 2012). Beyond these basic requirements, there is a wide variety of information recorded among different EHR vendors.
I figured the last line would be the case a while back.
It sort of looks like each org has the audit logs locally (at least to the org) Also i havent found mns policy yet. i havent looked. i found mane first. but mane gives all the providers a choice if a audit log request is valid.
idk how wide spread this is but sure looks like we put a pay wall around HIPPAA