The Evolution of Privacy Access Log Monitoring

0
110

By Teresa Burns, Protenus Chief Privacy Officer


The ruler.  The one with the 12” long magnifying lens – used for hours upon hours of perusing EHR system access and audit logs in search of that one “special” entry.  The ruler that slid over row after row of system generated codes and trigger words.  A tool that I used endlessly when conducting privacy investigations to determine who was in which record for what length of time looking at what health information.  I still have that ruler, but thankfully stopped using it ten years ago when the era of automated access and audit log monitoring was ushered into compliance and privacy offices.

Monitoring of accesses to health records is a basic element of regulatory requirements, as well as good industry practice to help protect confidential and sensitive health information.  Most institutions conduct some sort of routine review of accesses to patient and health plan records.  Previously, healthcare privacy monitoring included manual review of system logs after receipt of a complaint.  It was a very reactive process and yielded limited benefits from a risk control and risk reduction standpoint, as well as from a workforce education standpoint.  The process was time consuming and inefficient, often requiring hours of frustrating review and analysis.  Yes, one could “catch” a snooping perpetrator, but how many others went unnoticed or unaddressed?  How many staff hours were diverted to that manual process while other compliance work and workforce engagement went unrealized?  Previously, the pervasive belief throughout many institutions was that no one was watching activity in patient health records other than for completion of required care documentation or billing efforts for that care, and thus there was no way to get caught breaking company policy or the law.  Snooping into patient records was rampant in some institutions and there was no way to effectively stop the behavior.

Approximately ten years ago, AI driven automated healthcare privacy monitoring changed operational outcomes and workflows for privacy and compliance professionals.  Software programs and tools that utilize targeted AI to peruse system audit logs to review and analyze accesses into patient records have transformed the healthcare privacy compliance world to one of proactive monitoring that permits privacy and compliance teams to meet institutional and regulatory requirements with efficiency and confidence.  Identifying suspicious behaviors before they proceed into actionable breach events improves outcomes for privacy teams and ensures that patient records remain secure.  Employee education efforts and improved risk management outcomes are not only achievable, but tangible.  Privacy teams can effectively monitor patient records while also addressing other competing tasks of their roles, allowing time for workforce education efforts, process improvement efforts, and monitoring of other regulatory and policy requirements.

Management awareness and buy-in is a vital component for building and maintaining effective privacy programs.  Providing management with meaningful reports that encourage and support change is possible now that automated privacy monitoring is available.  Data driven decision making is not only achievable but expected and can assist institutions with reducing the risk of breaches, loss of patient trust, and excessive fines.  The enhanced data that is available from an AI driven program can help formulate effective and efficient privacy programs, build trust through an organization, and shift priorities and resources as needed.  Manual review of audit and access logs is outdated and cannot keep pace with today’s complex world of healthcare compliance requirements.  Report based monitoring is truly just a manual effort “dressed up” to give the appearance of effective monitoring but offers little in the way of risk reduction and compliance with enhanced regulatory oversight.  Automated monitoring with the use of targeted AI is simply leaps and bounds ahead of other outdated methods, and if used properly can transform privacy monitoring efforts and the efficiency of compliance efforts.

The ruler is retired, but I cannot part with it as there are too many grueling hours of memories.  Glasses have replaced the ruler and are now required to review cases and assessments on a computer screen.  Those logs — hundreds and hundreds of pages – took their toll on these eyes, but privacy and compliance officials today will not suffer the same fate while using AI generated programs that do the grueling and endless work of perusing and analyzing access and audit logs.  The enhanced monitoring efforts that I achieved while using an AI driven automated tool not only improved my personal work life, but also the entire privacy compliance team’s efforts, and thus helped improve patient trust, workforce education efforts, and general healthcare compliance efforts.  AI driven automated access log monitoring is the Gold Star of privacy compliance!