It's been a few months since my last HIPAA training, but at that time the government hadn't decided how long you had to keep the audit logs which track when a patient record is accessed. The discussion has been everything from 3 months to several years. To make things more challenging, no one is sure what level of information you have to track. Do you have to track every single time a person accesses a patient record and what information they looked at? Do you have to just track who has looked at a patient record, but not each time they looked at it? Do you have to track what information they looked at in the record or just that they accessed the record?
Still, why do you need to know this? Are you in medical records? Private practice? Regulations vary according to type of facility.
Does the HIPAA Privacy Rule require covered entities to keep patients' medical records for any period of time? The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c
The HIPAA simplification of the rules is 115 pages long: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
I would imagine indefinitely would be necessary, possibly up to the point they started being able to audit that information. That's an extremely sensitive topic and something facilities have to be very careful of, especially given how easy it is for people in a healthcare system to access records. A few years ago I knew a handful of people who lost their jobs because they worked in billing for a hospital and when the department did an audit it was found they had accessed family members' records without a legitimate reason to do so. These are serious matters and while I don't think there is a hard and fast rule/date, as long as possible is what I picture.
beccaleelee
I'm trying to find out how far back a hospital would have to be able to produce audits of activity in patient records, per HIPAA (i.e., the number of years). This isn't the same thing as producing an accounting of disclosures, which is what I originally thought.
Does anybody know where this is referenced in HIPAA?