Posted by: RedaChouffani
HIPAA, IT Audit, ITIL, medical Audit, technology EHR audit
There are two approaches to the IT audits for a medical organization. One that is at the initial stages of EHR product assessment, and the other is an on going system review.
The first audit would focus on the current state of organization from a hardware, networking and peripherals stand point. Some of the focus would be on:
Evaluating the compliance requirements that are part of the new electronic medical records
Evaluating the network backbone (wireless/ wired)
Evaluate the current storage capability and forecast future storage needs (taking into consideration added electronic documents as part of chart scanning)
Review current servers and their capabilities
Evaluate Workstations, mobile devices and peripherals to ensure they meet the minimum requirements of selected EHR
Evaluate the current disaster recovery plan (DRP) and business continuity plan (BCP) and review any adjustments that will be required
Review all required data interfacing/integration needs
The second audit would be a quarterly or yearly event for the Information system. Whether it is performed by in-house IT, or a third party vendor, it would most likely cover a spectrum of audits. Some of which are:
A compliance audit ( covering all HIPAA mandatory and optional requirements, red flag rules, etc.)
IT systems best-practice implementation such as ITIL
System overall availability (EHR, HIS, LIS. etc.) that focuses on the system overall uptime, fault tolerance, business continuity plan and restore drills.
System security and confidentiality that would focus on ensuring proper authorization processes. From employee biometric to physician’s prescribing password protection
Data integrity audit which would focus on ensuring that there are no reported system failures that cause data loss or corruption
There has been many laws established that regulate the information technology audit. Some examples: the Sarbanes-Oxley Act and The Health Insurance Portability and Accountability Act. While in some cases an Audit may seem unnecessary, it is important to recognize the value of oversight to IT. This ensures that a governance program is implemented that maintains the infrastructure stability, security, and integrity in check and that IT continues to be in-line with the organizational goals.