Auditor: Inappropriate access to electronic health records at LSU-S

The LSU Health Sciences Center in Shreveport granted “unnecessary and inappropriate” access to its new EPIC electronic health records
system to information technology staff and contractors, the legislative auditor said Monday.

The situation potentially exposed patient and other confidential records to unauthorized individuals and therefore fraud, according to an auditor’s report.

“The Center did not limit access to those persons that had a strict business need, resulting in approximately 350 active user IDs with access to change data in multiple functions ... as of August 2012,” the audit report said.

“Although it may be reasonable for a few designated employees to have ‘change’ access to all data in EPIC, this level of access should be limited, tightly controlled, and monitored,” the auditor said.

LSUHSC-Shreveport Vice Chancellor Hugh Mighty said officials concurred with the finding and recommendations made by the auditor for corrective action.

“The broad scope of access for analysts and trainers ... was justified during the implementation to achieve training, funding and installation milestones ... In many cases, analysts and trainers assisted users first hand to enter and edit patient records during the implementation phases,” Mighty wrote. “This access is being refined as the security template strategy is being customized and updated.”

By June 30, Mighty said written policies and procedures specific to EPIC will be developed with the need for modifications “as the system matures.”

The Shreveport health sciences center implemented EPIC quickly during fiscal year 2012 to qualify for federal funding under the Electronic Health Records Incentive Payment Program.

The center did not develop new policies or modify existing policies to access information, the report said.

In addition, the auditor said the Center granted IT staff broader access to assist new users with their job duties.

“As a result, there is an increased risk of accidental changes and fraud, as well as possible noncompliance with the Health Insurance Portability and Accountability Act Security Rule,” the auditor said.

The auditor said the center should properly segregate IT staff and contractor duties and access, control and closely monitor administrative system access, establish or revise policies specific to EPIC, and
properly restrict access to patient and confidential information.