DEPARTMENT: Information Technology & Services - Appropriate Access / POLICY DESCRIPTION: CPCS Conformance and Monitoring
PAGE: 1 of 2 / REPLACES POLICY DATED: Feb. 25, 1998
EFFECTIVE DATE: August 1, 1999 / REFERENCE NUMBER: IS.AA.014
SCOPE:
Users of Clinical Patient Care System (CPCS). The Policy specifically addresses access monitoring responsibilities of the individual(s) designated by the members of the Facility and Multi-Facility Security Committees and the committee members themselves.
PURPOSE:
To provide a process for monitoring the appropriateness of access to demographic and clinical information on the CPCS.
POLICY:
Access to CPCS must be continually monitored through the use of audit trail reports to ensure compliance with Appropriate Access policies and procedures. The facility security officer or his/her designee must, at a minimum, run the reports specified in this policy, and ensure analysis of findings. The Facility Security Committee must determine the responsibility for reviews, the indicators for review, sample size and frequency of review (unless dictated by this policy) for all reports listed in the procedure below. Findings from the review of shared database users must be addressed by the Multi-Facility Security Committee. Post implementation review for conformance to the policy will be completed by Internal Audit & Consulting Services.
PROCEDURE:
1. The Facility Security Committee or designee is responsible for reviewing a sample of users to ensure there is a signed Information Security Agreement on file for that user.
2. The conformance monitoring reports must be summarized by the reviewer and results forwarded to the Facility Security Coordinator.
3. The Facility Security Coordinator must present issues and trends identified in the summarization to the Facility Security Committee.
4. All conformance monitoring reports must be maintained in compliance with state requirements and the facility's retention policy.
5. Unless mandated by state requirements, conformance monitoring reports must not be combined with a patient's clinical record and must not be disclosed beyond authorized committee use.
6. The following reports must be included in those addressed by the Facility Security Committee, and each must have sampling and frequency indicators determined.
a. PCI Maintenance Utilization Reports: These reports identify users accessing patients' clinical information in PCI.
  1. By Patient: Identifies which users have viewed a specific patient.
  2. By User: Identifies which patients and what types of data a user has accessed.
  3. By Confidential Patients: Identifies which users have accessed patients listed as confidential within the system during a specified time period.
  4. By Sealed Patients: Identifies which designated users have accessed patients listed as sealed during a specified time period.
b. Corporate Developed Reports
  1. List Users by PCI Menu Report: Identifies which users have access to the VIP menu and other menus within PCI. (Z.link.to.other(Q("EXT.PROD","MIS.USER.zz.user.menu.link")))
  2. MIS User Security Flag: Identifies specific security flags and those users who have access to those flags. (Z.link.to.other(Q("EXT.PROD","MIS.USER.zz.user.flags.link")))
  3. HCA Developed Self Assign Report: Identifies users who have performed the self assign function, the reason for self-assigning, and whether the user "added" the patient to their list. Includes patients that have ever had a visit to the facility(s) included in the facility selection. This report must be run and audited for trends on a monthly basis, with each physician using the self assign feature being reviewed on a minimum of a quarterly basis. A sample of self-assigns must be researched to ensure a patient authorization is on file (or a documented order is in place for inpatient consultations) and a system link has been established.
    a) Reason for Self-Assign: On a weekly basis, 100% of the "Other" reason category must be investigated to determine what the actual reason was and to identify specific patterns/trends. The remaining categories must also be sampled on a monthly basis.
    b) Self-Assign to Confidential Patients: On a weekly basis, 100% of these self-assigns must be researched to ensure a patient authorization is on file (or a documented order is in place for inpatient consultations).
c. Meditech Standard Reports
  1. Emulated Users: Identifies users who have been emulated.
  2. Emulating Users: Identifies users who have performed emulation.
  3. MIS Dictionary Audit Trail: Identifies changes made to dictionaries.

REFERENCES:
Multi-Facility Security Committee Policy, IS.AA.002
Facility Security Committee Policy, IS.AA.003
Enforcement & Discipline Policy, IS.AA.015
CPCS Appropriate Access Guidelines, Section 7