Chart update security is primarily based on permission to sign various document types.
Clinical folks can sign clinical document types of course, but what's to prevent a non-clinical user (bad actor) with signing privileges for a non-clinical document type from making changes to clinical information, then signing the update? It seems to me this has potential for abuse.
For example, what if a user starts a phone note, edits a patient's problems, meds, orders, etc., then signs it? What if a user changes a patient's name and DOB to their own (a test patient would probably be a good target for this), writes a prescription (perhaps controlled substance), prints it, then changes the demographics back to the original?
Sure it's in the audit logs, but it could be a long time before the activity is caught.
This is just one that comes to mind. A bad actor could make any number of changes. The update shows who actually signed the phone note in this example. However, who would notice? The bad actor could actually make it look like a legit phone note pretty easily. It could be a phone note or some other type of update that is unlikely to be scrutinized. It would be normal behavior for my non-clinical user to sign a phone note.
Hoping users notice unusual activity and report it doesn't seem like good practice. Hoping that spot audits of user and chart activity will catch it also doesn't seem like a good idea.
I'd be curious to know what others are doing to detect/prevent such behavior.
Thanks
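Added example, not part of the thread and not vendor code: a sketch of automated audit-log review for the two patterns described in the post above, a signed update that changed chart sections outside the signer's role, and a demographics change that is reverted after a prescription print. The event fields, role names, section names and the `ROLE_SECTIONS` policy are assumptions; the log lines are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy: chart sections each role may change in an update it signs.
ROLE_SECTIONS = {
    "physician": {"problems", "meds", "orders", "rx", "demographics", "note"},
    "front_desk": {"demographics", "note"},
}

# Constructed audit events (hypothetical export format, not a vendor schema).
EVENTS = [
    {"ts": "2024-03-04T09:00:00", "user": "jdoe", "role": "front_desk", "patient": "P100",
     "action": "sign", "doc_type": "Phone Note", "sections": ["note", "meds", "problems"]},
    {"ts": "2024-03-04T09:10:00", "user": "jdoe", "role": "front_desk", "patient": "T001",
     "action": "demographics_change", "old": "Test,Patient|1970-01-01", "new": "Doe,J|1985-05-05"},
    {"ts": "2024-03-04T09:12:00", "user": "jdoe", "role": "front_desk", "patient": "T001",
     "action": "rx_print"},
    {"ts": "2024-03-04T09:15:00", "user": "jdoe", "role": "front_desk", "patient": "T001",
     "action": "demographics_change", "old": "Doe,J|1985-05-05", "new": "Test,Patient|1970-01-01"},
    {"ts": "2024-03-04T10:00:00", "user": "drlee", "role": "physician", "patient": "P200",
     "action": "sign", "doc_type": "Office Visit", "sections": ["note", "meds"]},
]

def out_of_scope_signs(events, policy=ROLE_SECTIONS):
    """Signed updates that changed sections the signer's role may not change."""
    hits = []
    for e in events:
        if e["action"] == "sign":
            extra = set(e["sections"]) - policy.get(e["role"], set())
            if extra:
                hits.append((e["user"], e["patient"], e["doc_type"], sorted(extra)))
    return hits

def demographic_flips(events, window=timedelta(hours=1)):
    """Demographics changed, a prescription printed, then demographics reverted."""
    hits = []
    changes = [e for e in events if e["action"] == "demographics_change"]
    for first in changes:
        t0 = datetime.fromisoformat(first["ts"])
        for back in changes:
            t1 = datetime.fromisoformat(back["ts"])
            same = back["patient"] == first["patient"] and back["new"] == first["old"]
            if same and t0 < t1 <= t0 + window:
                printed = [e for e in events if e["action"] == "rx_print"
                           and e["patient"] == first["patient"]
                           and t0 <= datetime.fromisoformat(e["ts"]) <= t1]
                if printed:
                    hits.append((first["patient"], first["user"], back["user"], len(printed)))
    return hits
```

Run on a schedule over the audit export, checks like these surface the activity without relying on someone noticing it in a spot audit.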
No users should have access to write prescriptions but physicians.
In any case, any user that is not state certified as a primary care, nurse practitioner and/or registered nurse should have the ability to update medication in any patient chart.
Besides, users should not have access to provide the final signature for any documentation if they are required to write some of the documentation, for example secretaries: a physician or authorized personnel should always provide the final signature of any document written into a patient chart.
@David B, only your clinical staff can final sign any document type, including non-clinical?
It would be nice to deny unauthorized users access to generate and sign prescriptions, but I'm not finding it. It all seems to be based on the document type signing permission.
We always have the problem with the "print" access. It's all or nothing and there's a HUGE difference in printing a full super bill, letter, work/school excuse and printing office notes. It would be nice if that could be more broken down as well.