Our HIPAA attorney is encouraging us to perform routine audits looking for suspicious behavior in the EMR. Such audits might include users who accessed multiple charts on a weekend, users who accessed the charts of patients with the same last name as the user, users who accessed more than X number of charts in a day, MAs for one MD who accessed charts on which a different MD is the responsible provider.
Even if we developed some of these reports, it would still be quite difficult to determine what was legitimate use of a particular chart. The current "access a sensitive chart" audit report is quick and easy to run, but yields 10 pages of results that take quite some time for someone to analyze and in the end always ends up showing that all the charts were accessed appropriately.
Do any of you have a successful audit process that you could describe to us?
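As an added illustration (not from the poster or any EMR vendor), the four heuristics listed in the question expressed as rules over a constructed access log, so the output is a short prioritized review queue rather than a page dump. Field names, thresholds and all records are assumptions; a real export will differ.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EMR access-log records (not real data); the field layout is an assumption.
FIELDS = ("time", "user", "user_last", "role", "supervising_md",
          "patient", "patient_last", "responsible_md")
ACCESS_LOG = [
    ("2024-03-02 09:15", "jdoe", "Doe", "MA", "drsmith", "P001", "Miller", "drsmith"),  # Saturday
    ("2024-03-02 09:40", "jdoe", "Doe", "MA", "drsmith", "P002", "Chen", "drsmith"),
    ("2024-03-02 10:05", "jdoe", "Doe", "MA", "drsmith", "P003", "Patel", "drsmith"),
    ("2024-03-04 11:00", "jdoe", "Doe", "MA", "drsmith", "P004", "Doe", "drjones"),
    ("2024-03-04 13:30", "mlee", "Lee", "MA", "drjones", "P005", "Garcia", "drjones"),
    ("2024-03-04 13:31", "mlee", "Lee", "MA", "drjones", "P006", "Kim", "drsmith"),
]

def parse(log):
    rows = [dict(zip(FIELDS, r)) for r in log]
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M")
    return rows

def weekend_multi_chart(rows, min_charts=2):
    """Users who opened at least min_charts distinct charts on one weekend day."""
    seen = defaultdict(set)
    for r in rows:
        if r["time"].weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            seen[(r["user"], r["time"].date())].add(r["patient"])
    return {k for k, v in seen.items() if len(v) >= min_charts}

def same_last_name(rows):
    """User's last name matches the patient's: candidate for family/self lookup review."""
    return {(r["user"], r["patient"]) for r in rows
            if r["user_last"].lower() == r["patient_last"].lower()}

def high_volume(rows, max_per_day=2):
    """Users exceeding max_per_day distinct charts in a calendar day (placeholder threshold)."""
    seen = defaultdict(set)
    for r in rows:
        seen[(r["user"], r["time"].date())].add(r["patient"])
    return {k for k, v in seen.items() if len(v) > max_per_day}

def ma_cross_provider(rows):
    """MAs who opened a chart whose responsible provider is not their supervising MD."""
    return {(r["user"], r["patient"]) for r in rows
            if r["role"] == "MA" and r["supervising_md"] != r["responsible_md"]}

def run_audit(log):
    rows = parse(log)
    return {"weekend": weekend_multi_chart(rows), "same_last_name": same_last_name(rows),
            "high_volume": high_volume(rows), "ma_cross_provider": ma_cross_provider(rows)}
```

Each rule only narrows the queue; whether a flagged access was legitimate still has to be settled against schedules, orders or the encounter record, so attach that context to each hit before a reviewer sees it.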