Audit and Assurance


Electronic Medical Records

  • 1.  Electronic Medical Records

    Posted 03 Apr, 2020 07:28
    I recently started a new audit gig at a healthcare organization.  My first assignment is to audit access management of the Electronic Medical/Health Records system called NextGen.  We would want to consider not only general access, but also specific role access, such as nurses not having the same access as physicians, lab technicians not having similar access to nurses, etc.  Does anyone have an audit program, key audit program steps, or other insights they could share?

    Thank you in advance.

    ------------------------------
    Dave M
    ------------------------------


  • 2.  RE: Electronic Medical Records

    Posted 13 Apr, 2020 13:58
    Hi Dave,

    I don't have that specific program.  ISACA has a HIPAA audit program that you can purchase.  You might want to meet with your Record Retention contact and review the policies and procedures as a start.

    Thanks.
    Sal

    ------------------------------
    Sal Rodriguez
    Director of Internal Audit
    CISA, CIA, CRMA, CCSA, CGAP, CICA, MBA, MS
    ------------------------------



  • 3.  RE: Electronic Medical Records

    Posted 14 Apr, 2020 06:18
    Dave,

    I have been in healthcare for over 25 years, both in the IT department and as part of our audit team.  We had used NextGen for our physician practices until about 3 years ago.

    A few ideas would include some of the general audit steps, like verifying that all terminated staff have had their access turned off.  Look at recent transfers to verify their access was updated.  Look for support staff logging onto the patient room computers and leaving them in their user ID all day.  (This allows the rooming of the patient quickly.)

    A few healthcare-specific ideas would include: do they lock down support staff (RNs, LPNs, MAs) to a specific provider or specialty (Pediatrics, Family Practice, Geriatric, etc.)?  Do the RNs and LPNs have the same level of access?  (Their scopes of practice are different.)  Does your NextGen allow verbal orders?  If so, confirm that if a provider is no longer with the organization there aren't orders in their queue.  (This is a way to divert drugs.)

    ------------------------------
    Lisa Cavitt
    IT Auditor
    Southern Illinois Healthcare
    ------------------------------
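
The checks listed in the post above (terminated staff still enabled, role versus scope of practice, open orders under a departed provider) can be run as a reconciliation between an HR roster and EHR exports. The script below is an added example, not part of any post in this thread and not NextGen code; the CSV layouts, column names, role names and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are hypothetical, not NextGen's schema.
HR_CSV = """employee_id,status,term_date,job_code
E100,active,,RN
E101,terminated,2020-03-01,MD
E102,terminated,2020-03-20,LPN
E103,active,,LPN
"""
EHR_USERS_CSV = """user_id,employee_id,enabled,role,last_login
jdoe,E100,Y,RN_CLINIC,2020-04-10
asmith,E101,Y,PROVIDER,2020-02-28
bjones,E102,N,LPN_CLINIC,2020-03-25
ckim,E103,Y,RN_CLINIC,2020-04-11
"""
ORDERS_CSV = """order_id,ordering_provider,status
O1,asmith,pending_cosign
O2,jdoe,signed
"""
# Hypothetical mapping of HR job code to the EHR roles approved for it.
APPROVED_ROLES = {"RN": {"RN_CLINIC"}, "LPN": {"LPN_CLINIC"}, "MD": {"PROVIDER"}}

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(hr_csv, users_csv, orders_csv):
    hr = {r["employee_id"]: r for r in rows(hr_csv)}
    findings, departed = [], set()
    for u in rows(users_csv):
        emp = hr.get(u["employee_id"])
        if emp is None:  # account with no owner on the HR roster
            findings.append(("NO_HR_RECORD", u["user_id"]))
            continue
        if emp["status"] == "terminated":
            departed.add(u["user_id"])
            if u["enabled"] == "Y":
                findings.append(("ENABLED_AFTER_TERMINATION", u["user_id"]))
            if u["last_login"] and date.fromisoformat(u["last_login"]) > date.fromisoformat(emp["term_date"]):
                findings.append(("LOGIN_AFTER_TERMINATION", u["user_id"]))
        elif u["role"] not in APPROVED_ROLES.get(emp["job_code"], set()):
            findings.append(("ROLE_MISMATCH", u["user_id"]))  # e.g. LPN holding an RN role
    for o in rows(orders_csv):  # unsigned orders sitting under a departed provider
        if o["ordering_provider"] in departed and o["status"] != "signed":
            findings.append(("OPEN_ORDER_DEPARTED_PROVIDER", o["order_id"]))
    return findings
```

Each finding is a sample to pull for follow-up with the access owner, not a conclusion on its own; a disabled account with a login after the termination date, for instance, points at a late deprovisioning step.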



  • 4.  RE: Electronic Medical Records

    Posted 14 Apr, 2020 07:57
    Good morning House. What makes any organization dynamic and progressive is the Addition of Value and Ideas. I will advise that questions and solutions provided on this platform should be looked into and incorporated into Standards and Programs.
    Any request which has no Standard or Program should be looked into and programs drawn for them. For instance the one Dave and the earlier ones.
    Thanks to Salvador and co.
    God bless you

    Tettehfio Joe Mordey, Veromikes Consulting,3 Oludegun Avenue, Abule Egba, Lagos. 08034105065; 08158190162





  • 5.  RE: Electronic Medical Records

    Posted 14 Apr, 2020 17:34
    Welcome and thank you Lisa for sharing

    ------------------------------
    Sal Rodriguez
    Director of Internal Audit
    CISA, CIA, CRMA, CCSA, CGAP, CICA, MBA, MS
    ------------------------------