Simple Self Assessment explained. Heading toward Meaningful Use.
The System Access Review is where many offices really start to panic.
In order to properly conduct a system access review, your EHR and computer network must be set up correctly.
Quite simply, the point of a system access review is to ensure people are not snooping through medical records.
As noted recently in this post, a periodic system access review can reveal very damaging information.
Here are the primary points of a System Activity Review & policy:
- Ensure all users have appropriate access to information
- Ensure those with access to patient files only view those files that are necessary (in the military this is referred to as on a Need-to-Know basis)
- How often is system access reviewed?
- How do you review system access?
Who Should have Access?
The first thing that needs to be addressed is who should have access to what.
- Docs & Nurses – all patient files
- Billing – just billing details(?)
- Front desk – just the scheduling screen(?)
Once you have this figured out, ensure your EHR is set with the proper restrictions. Yes, this may involve talking to your EHR support folks & yes, this should have been done from day 1.
It is time to do an actual system access review.
How this is accomplished will again depend on your EHR.
The first thing to note is that IF you set everyone up properly, you will not have any issues with non-caregivers looking at information they should not see.
The more challenging part of this is ensuring the caregivers only look at PHI for patients that pertain to them.
In a small practice, this really shouldn’t be an issue, as a practice with 1 or 2 nurses will be in a situation where both nurses will have a need at some point to see any patient’s information.
The issue comes into play in larger practices & hospitals where a nurse who may have never dealt with a patient accesses this patient’s record.
At least quarterly, the office manager should run a report from your EHR which shows who has accessed patient records.
It is this review process that will turn up any unnecessary patient record access.
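As an added example (not from the original post or from any EHR vendor), here is one way to run the quarterly review over an exported access report. The CSV columns, role names, staff list and care-team table are all assumptions constructed for illustration; a real EHR export will look different.

```python
import csv
import io

# All names and rows below are constructed; map them to your own EHR export.
USERS = {"dr_lee": "clinician", "nurse_ann": "clinician", "nurse_bob": "clinician",
         "bill_cara": "billing", "desk_dan": "front_desk"}
# Sections each role may open, following the role list above.
ROLE_SCOPE = {"clinician": {"chart", "billing", "schedule"},
              "billing": {"billing"},
              "front_desk": {"schedule"}}
# Which caregivers have a treatment relationship with which patient.
CARE_TEAM = {"P001": {"dr_lee", "nurse_ann"}, "P002": {"dr_lee", "nurse_bob"}}

AUDIT_CSV = """timestamp,user,patient_id,section
2024-01-08T09:12:00,nurse_ann,P001,chart
2024-01-08T09:40:00,bill_cara,P001,billing
2024-01-09T14:03:00,desk_dan,P002,chart
2024-02-11T22:47:00,nurse_ann,P002,chart
2024-03-02T10:15:00,desk_dan,P002,schedule
2024-03-05T11:00:00,temp_eve,P001,chart
"""

def review_access(audit_csv, users=USERS, role_scope=ROLE_SCOPE, care_team=CARE_TEAM):
    """Return (timestamp, user, patient_id, reason) for each access needing follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        user, patient, section = row["user"], row["patient_id"], row["section"]
        role = users.get(user)
        if role is None:
            # Account is active in the EHR but missing from the staff list.
            reason = "account not on the current staff list"
        elif section not in role_scope.get(role, set()):
            # Non-caregiver reached a screen the role should be locked out of.
            reason = f"{role} role opened '{section}', outside its scope"
        elif role == "clinician" and user not in care_team.get(patient, set()):
            # Caregiver opened the record of a patient they are not assigned to.
            reason = "caregiver has no treatment relationship on file"
        else:
            continue
        findings.append((row["timestamp"], user, patient, reason))
    return findings

if __name__ == "__main__":
    for ts, user, patient, reason in review_access(AUDIT_CSV):
        print(f"{ts}  {user:<10} {patient}  {reason}")
```

Each flagged row is a prompt for the office manager to ask why the access happened; a role-scope finding also means the EHR restrictions themselves need correcting.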