One side effect of the investigation into the events at the Phoenix, AZ VA is that the OIG discovered that the audit controls in VistA, the EHR used by VA hospitals, were not turned on.
The absence of an audit trail for appointment scheduling limited the ability of both VA brass and OIG investigators “to determine whether any malicious manipulation of the VistA data occurred,” the report authors said. OIG recommended that the VA “immediately enable” this audit function at all VA facilities. “The VA completed this action,” the OIG report said.
What does this mean for you and your practice?
Certified software is required to have auditing capability. The question is: do you know what is being audited and what data the auditing software in your EHR captures? Can you access those logs? What types of reports can your EHR generate to show you how your EHR is being used?
When you consider the auditing tools built into the EHR, it is important to realize that each auditing capability built into a system requires computing power and can have a negative impact on the system's performance. Turning off auditing features that you do not need can help improve performance, but be careful not to turn off auditing features that you will want or need in order to have your practice or business run smoothly. It is also important to note that the auditing capability for appointment scheduling was not required for EHR certification, and you should not expect it to be present in your EHR system.
These are important questions from a number of perspectives, including simple business rules and HIPAA compliance.
Under HIPAA you should be monitoring the use of your EHR to ensure that it is being utilized properly and that members of your staff are not viewing information that they should not have access to. You should be reviewing the logs to make sure that unauthorized persons are not attempting to gain access to your records.
From a business perspective, we have all heard stories of individuals who misappropriated funds and were able to effectively hide their actions for years, until the amounts misappropriated became very large. These audits and other reports within your EHR and practice management systems can help you detect these improper activities early on, before they begin to cost you large amounts of money.
The moral of the story is that you, as the head of your practice, need to know what reports are available to you through your EHR and PM systems. You need to look at these reports on a regular basis and monitor the activity of members of your workforce to ensure that they are acting properly. You may find improper activity that is benign and take the opportunity to remediate it, and you may find improper activity that is malignant and requires more severe action. Either way, monitoring your practice is to your own benefit and should be something that you take responsibility for on a regular basis.