Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems


Significance and Use:

4.1 Data that document health services in health care organizations are business records and shall be archived to a secondary but retrievable medium, and readily accessible, such as data that would be archived in a server or cloud storage. Audit data shall be retained for as long as the medical record is maintained, and may not be destroyed before the medical record may legally be destroyed, and in any event, for at least 10 years or for two years after the legal age of majority, unless a longer period of record retention is prescribed by state, federal or other law or regulation.

4.2 The purpose of audit data and disclosure logs is to document and maintain a permanent, trustworthy, and immutable record of all authorized and unauthorized activities of any nature whatsoever and disclosure of confidential health information {except exclusions per federal and state law [21 CFR 11 Subpart B(e)]}. This further facilitates the purpose that patients, healthcare providers, organizations, and others can obtain a verifiable, self-authenticating record documenting all activities with respect to that record. The process of information disclosure and auditing shall also conform, where relevant, with the Privacy Act of 1974 (3).

4.3 Audit reports designed for system access provide a precise capability for healthcare providers, organizations, patients, patient representatives, and advocates to see who has accessed and/or manipulated patient information. Because of the significant risk of medical information manipulation in computing environments by authorized and unauthorized users, the audit report is an important management tool to monitor access and any such manipulation retrospectively. In addition, the access and disclosure logs become powerful support documents for disciplinary and legal actions. Moreover, audit reports are essential components to comprehensive security programs in healthcare and vital for the privacy rights of the individual. A patient has a right to know who has accessed their patient information and what occurred during such access. Access by any means (viewing or any other action) regarding the patient record and/or audit log or the data contained therein by attorneys, risk management, or similar individuals or entities are not privileged actions and must also be fully transparent and disclosed.

4.4 Healthcare providers and organizations are accountable for managing the disclosure of health information in a way that meets legal, regulatory, accreditation, and licensing requirements and growing patient expectations for accountable privacy practices. Basic audit data procedures shall be applied, manually if necessary, to paper patient record systems to the extent necessary to protect patient privacy and to allow authentication of the paper record.

4.5 Medical records with integrity and trustworthiness are essential to promote safe and appropriate healthcare, billing, research, and quality control initiatives and are protective of all individuals involved in healthcare delivery and receipt. Consumer fears about confidentiality of health information and legal initiatives underscore disclosure practices. Technology exists to incorporate audit functions in health information systems. Institutions are accountable for implementing comprehensive confidentiality, security, and patient information audit programs that combine social elements, management, and technology.

4.6 This specification also responds to the need for a standard addressing privacy and confidentiality as noted in Public Law 104–191 (2), or the Health Insurance Portability and Accountability Act of 1996, and the need for a self-authenticating record that will verify accuracy and integrity.

Subcommittee:

E31.25

Volume:

14.01

ICS Number:

35.240.80 (IT applications in health care technology)

Keywords:

audit log; disclosure; electronic health record; health information systems


Standard
E2147

Version
18

Status
Active

Classification
Specification

Approval date
2018-05-01