EMR Access is an Often Forgotten Risk to Patient Data Privacy

Academic medical centers and healthcare systems with large research groups present unique challenges for EMR access monitoring programs, according to a recent talk by Dr. Daniel Fabbri, Founder and CEO of Maize Analytics. Dr. Fabbri, also an Assistant Professor of Bioinformatics and Computer Sciences at Vanderbilt University, spoke on balancing the need to provide electronic medical record (EMR) access to researchers, while also ensuring patient privacy. The talk was part of the Health Care Compliance Association’s recent Research Compliance Conference held in Austin, Texas.

In his presentation, “Strategies to Effectively Monitor Researchers’ Access to the EMR,” Dr. Fabbri dove into the risk posed by researchers with access to electronic health records, and what makes monitoring researchers’ accesses so difficult. Approaches used to monitor clinician accesses are not directly transferable to detect researcher misuse, he says.

“Over the past several years we’ve seen the threat of breaches from insiders growing,” says Dr. Fabbri. “Researchers are a special class of insider whose work can involve seemingly erratic access patterns, making them difficult to monitor. As a result, standard methods, like rules-based auditing and anomaly detection, are not sufficient for monitoring researchers, creating a significant risk to patient data.”

The talk spurred a discussion about procedures, processes and tools covered entities can employ to ensure researchers’ EMR accesses comply with HIPAA and institutional policies. According to Dr. Fabbri, this starts with researchers’ applications to the Institutional Review Board (IRB).

“Including structured diagnosis and procedure codes in the IRB application provides a guide for compliance officers to understand what constitutes appropriate access for each researcher,” he says.

Covered entities can integrate IRB submission data within their access monitoring tools to more effectively detect inappropriate behavior, continues Dr. Fabbri. “These research-aware monitoring tools can identify when a project goes beyond the listed research scope and alert the compliance department.”
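As an added illustration, not code from the talk or from Maize Analytics, the following constructed Python example applies that idea: each researcher's EMR access is checked against the structured diagnosis and procedure codes declared in their IRB applications, and accesses to charts that share no codes with the approved scope (or by users with no active IRB approval) are flagged for compliance review. All study ids, codes, user names and log lines are made up for the example.

```python
# Hypothetical IRB approvals (constructed): study -> approved researchers and
# the structured diagnosis/procedure codes declared in the IRB application.
IRB_SCOPE = {
    "IRB-0042": {"researchers": {"r_lee"}, "codes": {"E11.9", "E11.65", "99213"}},
    "IRB-0107": {"researchers": {"r_lee", "r_kim"}, "codes": {"I10", "I50.9"}},
}

# Constructed patient index: patient id -> codes recorded on the chart.
PATIENT_CODES = {
    "P001": {"E11.9", "99213"},  # diabetes care, within IRB-0042
    "P002": {"I10"},             # hypertension, within IRB-0107
    "P003": {"F32.9"},           # depression, in no approved study
}

# Constructed EMR access-log lines: "timestamp|user|patient|action".
ACCESS_LOG = [
    "2024-03-01T09:12:00|r_lee|P001|view_chart",
    "2024-03-01T09:15:00|r_kim|P001|view_chart",
    "2024-03-01T10:02:00|r_kim|P002|view_labs",
    "2024-03-01T10:30:00|r_lee|P003|view_chart",
    "2024-03-01T11:00:00|r_doe|P002|view_chart",
]

def approved_codes_for(user):
    """Union of codes over every IRB study listing this researcher, or None."""
    studies = [s for s in IRB_SCOPE.values() if user in s["researchers"]]
    if not studies:
        return None
    return set().union(*(s["codes"] for s in studies))

def evaluate_access(user, patient):
    """Return None when the access fits the researcher's IRB scope, else a reason."""
    scope = approved_codes_for(user)
    if scope is None:
        return "no active IRB approval"
    if not scope & PATIENT_CODES.get(patient, set()):
        return "chart shares no codes with the approved research scope"
    return None

def audit(log_lines):
    """Parse log lines and return (timestamp, user, patient, reason) alerts."""
    alerts = []
    for line in log_lines:
        ts, user, patient, _action = line.split("|")
        reason = evaluate_access(user, patient)
        if reason:
            alerts.append((ts, user, patient, reason))
    return alerts
```

Calling `audit(ACCESS_LOG)` yields three alerts (r_kim on P001, r_lee on P003, and r_doe with no IRB approval); the code-overlap test is a deliberate simplification, and a production tool would also reconcile accesses against the enrolled study cohort and the IRB's approval dates.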

The presentation—attended by researchers, compliance teams, and HIPAA officers alike—concluded with Dr. Fabbri providing monitoring recommendations and guidance so that healthcare organizations can monitor the various types of access to patient data.