Anyone try to use the Audit Log to review user access to patients? Anyone have any luck? I called into support and got in touch with several people (Cory Fisher & Matt Ackerman) but haven't seen anything useful. We had an employee who we believe was accessing people's accounts and doing who knows what with that info. No one at WinOMS has been able to provide a log that shows the pt accounts this user accessed. We are told to be HIPAA compliant this is required. I don't expect any users to have had luck getting a useful audit log but if you have please let me know. Honestly, I'm just posting this here to see if I can get the attention of someone who can help me out or explain how it is possible to be HIPAA compliant but not be able to audit user access.
@matt_ackerman Can you provide some assistance on this?
I believe, and we will let Matt correct me if I am wrong, that the audits pertains to scheduling only right now. I think Matt mentioned at the Carestream meeting that future updates will have a full audit on everything.
If you are worried about an employee getting into an account and deleting payments/transactions/charges you can pull a financial report;
Reports - Financial - deleted transactions
you can search date range and user. Our accountant has gotten into the habit of pulling one of these each day. We require (mostly just our billers who handle deleting ledger information) employees to document in contact notes anytime they delete a payment or charge from the ledger. This has eliminated any chance of someone altering accounts and my employees are aware that they are being watched.
Thanks for the reply. Our concern isn't that they were deleting transactions but why they were looking at patients they didn't need to be looking at and what they were doing with the info they saw. That's why I would like to do a full audit of the patients this employee viewed. According to a HIPAA consultant that is required for software to be HIPAA compliant. Is that not correct?
There are two audit logs in the software today, one for scheduled appointments and another for "security log checks."
What that second log does is indicate every time the Security table is checked to see if a User is allowed to access an area of the software. For example, if I click on the Charges button on the Patient screen, it will log the date and time I attempted to "Access - Charge Entry - Add (CHADD)" and whether i was "Access Granted" or "Access Denied." It will also show successful and failed logins into the software.
This is useful to identify whether someone is attempting to access a feature or function that they are not. It does not, however, describe any details about what was added, edited, deleted or viewed after passing that security gate.
NOTE: I am not a lawyer or attorney, and I do not assume to be an expert at anything related to HIPAA. Please continue to consult with your local expert. With that stated, the following is only my opinion and should not be construed as legal advice.
Software is not HIPAA compliant. HIPAA applies only to healthcare professionals, health plans and healthcare clearinghouses who handle PHI. Software is a tool, and is not subject to HIPAA compliance. However, software is one of many tools that can help a healthcare professional be HIPAA compliant.
One of the key parts of HIPAA compliance is the risk assessment and mitigation. Part of the HIPAA regulations requires there to be audit control mechanisms in place that can monitor, record and/or examine key audit events, such as activities that create PHI. If you are unable to do that, you perform a risk assessment to understand possible threats and vulnerabilities. With those threats and vulnerabilities in mind, you then put into place a set of safeguards to reduce the risk or entirely prevent the harm from any of those threats. You may still be HIPAA compliant with a limited audit control if you are properly documenting your risk assessment and actively mitigating the risks you have identified.
I have not once in 9 years found the audit log to be of any use. We need to be able to pull reports of any and all data that is showing in Winoms. I would replace the audit log with these kind of reports and totally agree it's worthless if it can't tell you what users were actually doing.