HIPAA/MIPS Security Risk Analysis Chart Audit Requirements for EHRs


If you have responsibility for managing HIPAA compliance for your practice, several items may come up in your annual HIPAA security risk assessment. As part of your Promoting Interoperability and MACRA/MIPS requirements, you will be conducting this Security Risk Assessment to ensure your hospital or clinic is compliant. Your electronic health record system in particular will need to be able to support auditing and security functions.

Your EMR software will need to be able to provide detailed audits. You have several options in how you approach this requirement, but ultimately, you need to develop and document an approach that allows you to be reasonably certain that inappropriate chart access is not occurring.

For example, some practices approach this in the following patterns:

  • On a quarterly basis, randomly select five employees, and review their chart access for the past five days. Ensure that all charts accessed were appropriate to the employee’s job role, and part of providing care for each of those patients. EHRs such as Epic and Athenahealth have strong auditing capabilities built in.
  • When a sensitive encounter occurs, review the chart for inappropriate access after four days. For example, this may include an employee who was seen by a physician in your practice or hospital. As another example, if a celebrity or known local figure is seen in your organization, this should warrant a review of chart access as well. 
  • In addition to auditing chart access in your EHR, you will also be pulling other audits on a regular basis. This would include Internet access, to validate that employees are following your social media and Internet use policies.
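The first two patterns above (a quarterly random sample of employees reviewed over a short window, and a targeted review of one sensitive chart), as an added example that is not part of the original article or of any EHR vendor's tooling. It assumes the EHR can export an access log with employee, role, patient and date, and that "appropriate" access is defined by a care-team mapping your practice maintains; all records below are constructed.

```python
import random
from datetime import date, timedelta

# Constructed sample data for illustration only; not real EHR records.
# Access-log entry: (employee, job role, patient chart, date accessed).
ACCESS_LOG = [
    ("e01", "physician",  "p100", date(2024, 3, 4)),
    ("e02", "nurse",      "p100", date(2024, 3, 4)),
    ("e03", "billing",    "p100", date(2024, 3, 5)),   # not on p100's care team
    ("e02", "nurse",      "p200", date(2024, 3, 6)),
    ("e04", "front-desk", "p200", date(2024, 2, 28)),  # outside a 5-day window
    ("e03", "billing",    "p300", date(2024, 3, 6)),
]

# Care relationship (assumed input): employees who took part in each patient's care or billing.
CARE_TEAM = {"p100": {"e01", "e02"}, "p200": {"e02"}, "p300": {"e03"}}

EMPLOYEES = ["e01", "e02", "e03", "e04", "e05", "e06", "e07"]

def sample_employees(employees, k=5, seed=None):
    """Quarterly step: pick k employees at random; recording the seed makes the
    selection reproducible when the audit file is reviewed later."""
    return sorted(random.Random(seed).sample(employees, k))

def flag_unexplained_access(log, care_team, selected, review_date, window_days=5):
    """Return accesses by the selected employees within the review window that
    have no documented care relationship with the patient."""
    start = review_date - timedelta(days=window_days)
    chosen = set(selected)
    return [rec for rec in log
            if rec[0] in chosen and start <= rec[3] <= review_date
            and rec[0] not in care_team.get(rec[2], set())]

def sensitive_encounter_review(log, care_team, patient):
    """Targeted step: every access to one patient's chart by someone outside
    the care team, e.g. after an employee or a public figure is treated."""
    return [rec for rec in log
            if rec[2] == patient and rec[0] not in care_team.get(rec[2], set())]

def audit_record(review_date, selected, findings):
    """The entry to keep in the audit log (the article's six-year retention)."""
    return {"review_date": review_date.isoformat(), "employees": list(selected),
            "findings": [(e, r, p, d.isoformat()) for e, r, p, d in findings]}
```

Each flagged record still needs a human decision (a covering physician or billing inquiry can be legitimate); the script narrows the review, it does not replace it.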

The strongest toolkit for HIPAA security risk analysis is Medcurity.com. This platform provides explanations, definitions, and recommendations as you walk through the assessment. You can start the assessment now, assign portions of it to IT vendors or staff members, and work on completing it over time. Once complete, you can also track action items all year through the platform. Medcurity honors a discount code of “MIPS” when you sign up for 30% off.

In conclusion, it is important that you set up policies and procedures that identify your approach to EHR auditing. When you conduct chart audits, be sure to retain the log of the audit for at least six years, to comply with the HIPAA requirements around this process.