Fair Warning is a giant step toward HIPAA compliance

New tool can tell the instant someone accesses a patient record

Angela Oren

With the successful rollout of the Epic electronic medical record (EMR), Yale Medical Group (YMG) is entering a phase in which technology can enable a kind of automated HIPAA compliance monitoring that is brand new to the practice. “With the deployment of the electronic record, we have the ability to know the instant someone accesses any electronic medical record,” said Angela Oren, senior deputy privacy officer and risk management administrator for Yale Medical Group.

YMG has a longstanding policy that prohibits staff from accessing their own medical records, or any other records for which there is no job-related need for access, but monitoring for unauthorized activity can be difficult.

Brave new world

Yale-New Haven Hospital (YNHH) recently implemented the Fair Warning™ system, an application that collates data from multiple sources and analyzes the results to identify conduct that is prohibited by state and federal privacy laws. YNHH has been using the application to monitor and flag unauthorized access by its own employees, contractors and medical staff, and began monitoring YMG employees, fellows and students in November.

"This really is a brave new world,” Oren said. “It would take a hundreds of man hours every day to analyze every glance at a clinical record to determine whether it was authorized. With Fair Warning™, audits are continuous, and the "sample size" is 100 percent. It will now be possible to detect activity that we otherwise never would.”

Using data from the Oracle Human Resources database, hospital information technology staff receives an alert every time a Yale School of Medicine employee looks at his or her own clinical record. The employee will then receive an e-mail notification with a reminder that such access is a violation of YMG policy. In the coming weeks, other reports will be enabled to flag, for example, a user who accesses a colleague’s record, or that of a neighbor, in the Epic, Sunrise Clinical Manager, Meditech or Synapse clinical documentation systems.

While the system is an important step toward improving patient privacy, “the expectation is that no Yale employee will ever be flagged,” Oren said. If an employee is flagged, he or she will be required to show justification for any access that appears to be unwarranted. If, upon investigation, the access proves to be unauthorized, the employee will be subject to disciplinary sanctions up to and including termination.