Training help on EHR system put patient data at risk

Auditor stresses need for careful control of access
Tools

In its rush to get staff up to speed on its new Epic electronic health record system, the Louisiana State University Health Sciences Center in Shreveport granted "unnecessary and inappropriate" access to IT staff and contractors, a legislative auditor has determined.

As a result, patient and other confidential records were put at risk of fraud, and the action possibly violated HIPAA regulations. The auditor's report found about 350 active user IDs with access to change data in multiple functions, a level of access that should be tightly controlled and monitored.

Analysts and trainers worked side-by-side with staff to enter and edit patient records during the implementation phases, according to The Advocate newspaper in Baton Rouge.

The auditor said the center should properly segregate IT staff and contractor duties, establish strict access controls, closely monitor administrative system access and establish or revise policies specific to Epic, according to The Advocate.

LSUHSC-Shreveport Vice Chancellor Hugh Mighty wrote that health center officials are working on corrective action based on the auditor's recommendations, and that written policies and procedures will be in place by June 30. He said the broad level of access "was justified during the implementation to achieve training, funding and installation milestones."

Speeding through technology implementations to claim federal incentive money was among the factors cited by RAND Corp. policy analysts in a Health Affairs article about why health IT so far has failed to live up to its promise.

It would seem that patient data security should be top of mind at LSU after a former billing department employee was charged with 377 counts of identity theft. In November, the LSU Health Care Services Division began notifying 416 patients that their checking account numbers and other personal information had been stolen.

Meanwhile, LSU's safety-net hospitals and clinics in New Orleans, Houma and Lafayette are to be turned over to private operators in an effort to avoid severe budget cuts. Ochsner Health System, Louisiana Children's Medical Center and the Lafayette General Health System signed agreements with the state to continue serving the uninsured and to provide training for new doctors and other healthcare professionals.

To learn more:
- read The Advocate article

Related Articles:
Improved interoperability needed to fulfill health IT's promise
New year, same old health data breaches
LSU hospitals join public-private partnerships to balance budget