- Network services
- Review various server logs
- EMR server shows administrator logins and log-in attempts.
- Vulnerability testing is done annually and periodically as needed.
- Practice Management
- Electronic Medical Record
- Document Imaging System
- Any screen where a user can change data in Practice Management, EHR or Document Imaging may be audited by the HIPAA Compliance Office, IT or another designee. This audit displays what the previous data was, what it was changed to, when it was changed, and the user ID of who changed the data. The data may also show who has accessed, viewed, searched, added, updated, and deleted any records.
- Random audits will be conducted no less than monthly, or as the need requires, whichever is more frequent.
- Part of the audit will include verifying terminated employees' access has been correctly removed from the various systems; and
- Current users are not accessing records outside of the scope of their respective job duties; and
- Checking to see if users have a high frequency of invalid login attempts.
- If an audit trail outside of the scope listed above is needed, this may be requested of the Vendor.
- Equipment (computers)
- The IT department can perform periodic spot-check audits/scans on local drives to verify that data files containing ePHI are not stored on the local drives of workstations.
- Sanctions – Any use other than the intended use that is found while auditing may leave the responsible user subject to OSU Sanctions and/or reporting to Law Enforcement or other governing bodies, depending on the findings of the audit(s).