patient-specific record accesses from the huge volume of audit trail entries.

Another site has a system that collects data prospectively on the legitimacy of access to records. For every access to data, the system displays a short checklist of reasons for access (e.g., providing care, quality review, billing, and so on). The checklist varies, depending on the requester's role, and is derived from context information such as patient-provider relationships, ward or bed assignments, and past access patterns. If the appropriate reason is not listed in the checklist, the requester types the reason in a text field. If the requester is a primary caregiver, access is assumed to be legitimate, and no reason is requested; any other provider who claims to be caring for the patient is approved for a six-month period of time. Quality review requesters are asked again after one week, on the assumption that their study should not require them to keep accessing a record for longer than that. Those looking at the record because they are merely trying to identify the right patient would be asked again on the next access. In most instances, the extra cost to the user is just to hit an OK response. In addition to these records being kept for possible future audit, all accesses are also reported to the patient's primary care provider, who can use this information to detect unwarranted snooping. When given the opportunity to turn off this reporting function, about half of the doctors chose to do so and not receive such notifications. This arrangement may provide an important basis for detecting suspicious accesses flagged by automated audit software and forwarded for human review.

More effective software tools are needed to maintain continuous surveillance of audit trail information so that abuses are detected quickly and sanctions meted out, both to maintain the effectiveness of audit trails as prevention tools and to contain, as soon as possible, the extent of any abuse. Such tools must be relatively sophisticated and take into account expected usage patterns and auxiliary information, such as appointment schedules and referral orders, in order to minimize the false-positive and false-negative rates in audit trail analyses. Criteria for access review might include claimed emergency need, any access to a celebrity record, access at a time or from a location out of the ordinary for a given provider, or access to a record by a provider for whom no recent appointment or referral record is available.
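The review criteria listed above can be expressed as a small rule set run over audit trail entries. The following is an added illustration, not code from the report or from any site it describes; the provider and patient identifiers, the baseline hours and locations, the 30-day meaning of "recent", and all sample entries are constructed assumptions.

```python
from datetime import datetime, timedelta

RECENT = timedelta(days=30)  # assumption: the text does not define "recent"

# Constructed context data (not from the report).
VIP_PATIENTS = {"P-900"}
BASELINE = {  # usual hours [start, end) and usual locations per provider
    "dr_lee": {"hours": (7, 19), "locations": {"ward-3", "clinic-a"}},
    "rn_kim": {"hours": (19, 7), "locations": {"ward-3"}},  # night shift
}
# (provider, patient) -> date of latest appointment or referral order
ENCOUNTERS = {
    ("dr_lee", "P-100"): datetime(2024, 3, 1),
    ("rn_kim", "P-100"): datetime(2024, 1, 2),
}

def in_hours(hour, window):
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end  # window wraps past midnight

def review_reasons(entry):
    """Return the review criteria that one audit trail entry matches."""
    who, patient, when = entry["provider"], entry["patient"], entry["time"]
    reasons = []
    if entry.get("emergency"):
        reasons.append("claimed emergency need")
    if patient in VIP_PATIENTS:
        reasons.append("celebrity record")
    base = BASELINE.get(who)  # a provider with no baseline is always reviewed
    if base is None or not in_hours(when.hour, base["hours"]):
        reasons.append("unusual time")
    if base is None or entry["location"] not in base["locations"]:
        reasons.append("unusual location")
    last = ENCOUNTERS.get((who, patient))
    if last is None or when - last > RECENT:  # upcoming appointments count as recent
        reasons.append("no recent appointment or referral")
    return reasons

# Constructed audit trail entries.
AUDIT_TRAIL = [
    {"provider": "dr_lee", "patient": "P-100", "time": datetime(2024, 3, 5, 10), "location": "clinic-a"},
    {"provider": "rn_kim", "patient": "P-100", "time": datetime(2024, 3, 5, 2), "location": "ward-3"},
    {"provider": "dr_lee", "patient": "P-900", "time": datetime(2024, 3, 5, 23), "location": "remote-vpn", "emergency": True},
]

def flagged(trail):
    """Entries that match at least one criterion, with their reasons, for human review."""
    return [(e["provider"], e["patient"], r) for e in trail if (r := review_reasons(e))]
```

The night-shift entry shows why baselines are kept per provider: a 02:00 access is ordinary for that nurse and is flagged only because the last appointment on file is older than the assumed window.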

Physical Security of Communications, Computer, and Display Systems

Physical security entails appropriate controls to prevent unauthorized people from gaining access to an organization's information systems, in-



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.