guidance and instructions on and - children's national

1

Guidance and Instructions on Configuring Access and Auditing

Purpose: To provide guidance regarding restricting access to the Electronic Health Record (EHR).

HIPAA requires practices to adopt “minimum necessary” requirements for disclosure of patient

health information. This means that staff members who do not need access to patient health

information to perform their duties, should not be able to access that information. This ensures

patient privacy as well as increases the security of the system. Required under both Federal law, 45

CFR 164.502 and New York State law, including Public Health Law §18.

Your EHR can be customized for user-based or role-based access. User-based access allows

specified persons access to specified security settings. If you are a small practice, user-based access

may fit the needs of your practice. Role-based access grants specified roles access to specified

security settings. Some examples of role-based access include:

Clinical Staff: Physicians, nurses, medical assistants should have complete access to

patient information, billing, scheduling and all other functions

Billing Staff: Billing staff should have access to diagnosis and procedure codes

Front Desk Staff: Staff should have access to scheduling and perhaps some billing

depending on the practice, but not clinical information

You should work with your eCW project manager to ensure the user-based access or role-based

access, depending on your needs, is implemented correctly in your practice.

2

ENABLING USER-BASED SECURITY:

The eCW EHR allows practices to assign security access based on unique users in the practice. To set security settings by user, you must take the following steps:

1. From the File menu in eCW, hover over the Settings option to open a drop‐down list.

2. From the drop‐down list, click the Practice Defaults option.

3. The Practice Defaults window will open. Click the General tab for the general options to display.

4. In the Security Setting group box, click the User Based radio button:

3

5. Click the OK button.

USER BASED SECURITY IS NOW ENABLED

6. Return to the File menu and select Security Settings.

7. Select a Provider or Staff member from the User tab, and select the Security Attributes from the right‐ hand window pane to which you want this user to have access.

8. Click the Save button, and repeat steps 6 ‐7 for all other users.

4

ENABLING ROLE-BASED SECURITY:

The eCW EHR allows practices to assign security access based on a user’s role in the practice. To set security settings by role, you must follow four steps:

1. Enable role‐based security 2. Configure roles 3. Assign role membership 4. Assign security settings for each role

1. Enabling Role‐Based Security

a. From the File menu, hover over the Settings option to open a drop‐down list.

b. From the drop‐down list, click the Practice Defaults option. The Practice Defaults window will open.

c. Click the General tab. The General options will display.

d. In the Security Setting group box, click the Role Based radio button:

e. Click the OK button.

ROLE BASED SECURITY IS NOW ENABLED

5

2. Configure Roles

a. From the File menu, click the Security Settings option. The Security Settings window opens.

b. Click the By Role tab. (NB: The tab below lists the roles that have been already been configured. Before security permissions can be determined, the various roles of the staff members at your office must be created.)

c. Click Configure Roles. The Configure Roles window opens. If you want to:

• Add a Role, take the following steps:

a. In the Configure Roles window, click the Add Role button.

b. Enter the name of the new role and enter a description of that role in the description field.

c. Click the Save button to return to the Configure Roles Window.

• Update a role name or description, take the following steps:

a. In the Configure Roles window, click in the box next to the role you want to update.

b. Click the Update Role button, and make your changes.

c. Click the Save button and return to the Configure Roles Window.

• Delete a Role, take the following steps:

a. In the Configure Roles window, click in the box next to the role you want to delete.

b. Click the Delete Role button.

c. Click the OK button, and then the Save button to return to the Configure Roles window.

Once the various roles for security have been created, all staff members must be assigned a role.

3. Assign Role Membership

a. From the File menu, click the Security Settings option. The Security Settings window opens.

b. Click the By Role tab, and select a role from the left‐hand window pane that you want to configure.

c. Click on the Role Membership button. The Role Membership button enables you to see, and assign, which providers and staff are members of which roles.

6

d. Assign users in the practice to the appropriate role.

e. Click the Save button and repeat steps 3b‐3e for all assignments.

f. Click the Close button to return to the Role Security Settings window.

4. Assign Security Settings for each Role

Once all practice users have been added to their appropriate roles, the permissions for each of these roles must be configured.

a. From the file menu, click the Security Settings option. The Role Security Settings window opens.

b. Select a role from the By Role tab to configure. The list of possible security attributes displays in the right‐hand side of the window pane, and the role you have selected appears in (parentheses) in the banner at the top of the window.

7

c. Check the box next to each attribute that you want to enable for each role.

d. Click the Save button.

e. Repeat steps 4b‐4e for all roles.

f. Click the Close button when finished.

8

Auditing Access Logs and Guidance on Generating and Viewing Logs

Auditing Logs: Unique user IDs and passwords serve several purposes: they restrict access to the

Electronic Health Record (EHR) to authorized staff, they provide unique users access to certain

aspects of the system to comply with minimum necessary requirements under HIPAA, and they

enable proper auditing of the system to verify that it is being accessed appropriately.

Audit Policies and Procedures: These should address who will perform audits, how often audits

will be completed, what aspects of the system will be audited, and what will be done with the

results of the audit? Audits show who is using the system, for what purpose, and what time of day

the system is being accessed. The results of such audits allow the practice to decide which areas of

the EHR should be restricted, whether the appropriate users are viewing and/or modifying the data

according to law and internal procedures.

Performing regular audits of access to the EHR helps to ensure the security and privacy of the EHR

by both discouraging unauthorized use by staff and identifying inappropriate use of the EHR.

Many health organizations perform quarterly audits of their EHR systems.

There are several different logs available in eCW.

9

Viewing the User Log Logs of all the log‐in and log‐out activity can be viewed by date by system administrators.

To view User Logs: 1. From the Admin band in the left Navigation Pane, click the User Logs icon. The User Logs window opens, displaying the User Logs for today’s date.

2. To view the User Logs for a different date:

a. Click the arrow next to the All Logs field. A popup calendar opens.

b. Click the desired date. The popup calendar closes and the selected date is placed in the All Logs field.

c. Click the Go button. The User Logs for the selected date displays.

Viewing the Server Log (technical log) If you encounter a server bug, the server error files can be viewed from the Help menu.

To view the Server Log: 1. From the Help menu, hover over the Logs option to open a drop‐down list. 2. From the drop‐down list, click the Server Log option. The Error Log window opens.

Viewing the Appointment Log

A log of all the changes made to an appointment can be viewed from the Appointment window.

10

To view the Appointment log: 1. Open the appointment for which you want to view the log (place your mouse over the appointment, right click Æ“edit”). 2. Click the Logs button at the top of the window. The Logs window opens.

Viewing the Encounter Log

The Encounter Log displays information related to the creation, modification, and deletion of encounters. Deleted encounters can be restored from this window.

To view the Encounter log: 1. Select the “Practice” band on the left hand side, select the “Lookup Encounters” icon.

11

2. Enter the appropriate criteria and search by selecting “Lookup.”

Note: A lock icon is displayed to the left of encounters that have been locked.

3. Alternatively, you may view the Encounter Log from the patient hub. Here, you may also print the Encounter Log.

4. You may open the Encounter Log from the patient hub by either: a) selecting a patient from the Patient Lookup function, then pressing OK; or b) place your mouse over and right click over an appointment, select the Hub icon at the top.

5. Select the Encounters Icon.

I

6. To print information related to a specific encounter:

a. Check the box next to the encounter you want to print.

b. Click the Print button.

The selected encounter is now printed.

7. To restore a deleted encounter:

a. Select the Deleted Encounters option from the Encounters drop‐down list.

The encounters that have been deleted will be displayed.

b. Highlight the deleted encounter you want to restore.

12

c. Click the Undo Delete button.

A confirmation window opens.

d. Click the Yes button.

The selected encounter is now restored.

Viewing the Telephone/Web Encounter History Log

A history of the changes made to any Telephone or Web Encounter can be viewed from this log.

To view the Telephone/Web Encounter History log:

1. Select the top‐right “T” jellybean icon.

Open the Telephone or Web Encounter for which you want to view the history log by clicking on the encounter line.

2. Click the Log History tab.

The log history displays in the bottom pane.

3. To view this history in a separate window, click the Log History button.

The Log History window opens.

Viewing the Fax Log The Fax Log displays the faxes that have been sent about the selected patient and allows you to view the contents of a fax. To view the Fax Log:

1. From the Patient Hub of the patient whose fax logs you want to view, click the Fax Logs button.

The Patient Faxes window opens:

13

Field Information

Sent by The name of the person who sent the fax

Provider The patient’s provider

To Name The person or company to whom the fax was sent

Fax No. The number assigned to the fax by the fax server

Fax Status The status of the fax:

Logged – waiting to be transmitted by the fax server

Completed – successfully transmitted

Failed – transmission was not successful

Sent Date The date and time the fax was sent

2. To view a fax:

a. Check the box next to the fax you want to view.

b. Click the View (Default viewer) button to view the fax using your computer’s default picture viewer.

OR

Click the View (Picture & Fax Viewer) button to view the fax using Windows’ Picture and Fax Viewer.

Viewing the Letter Log The Letter Log displays the types of letters that have been sent to the patient. To view the Letter Log:

1. From the Patient Hub of the patient whose letter logs you want to view, click the Letter Logs button.

The Letter Log window opens and displays the following information:

Letter Name ‐ The name of the letter that was sent.

Printed By ‐ The user name of the person who printed the letter.

Date ‐ The date that the letter was printed.

Time ‐ The time that the letter was printed.

14

Generating and Viewing Patient Information Logs

There are Generate Log and View Log options under the Options drop‐down list on the Patient Information window. These options allow you to generate and view a log of changes made to a patient's demographic information.

Note: Users must have permission for the Access Log Report security attribute to view these logs.

To generate a Patient Information log:

1. From the Patient Information window, click Options at the bottom.

The Options drop‐down list opens.

2. Click Generate Log.

A confirmation window opens.

3. Click the OK button.

A log is generated for this patient.

To view a Patient Information log:

1. From the Patient Demographics window, click Options and select View Log.

The Patient Demographics Log window opens:

The log displays all the fields in a section of the Patient Demographics window, so there is no way to distinguish between fields that have been updated and fields that have not.

Note: To print a hard copy of this log, click the Print button.

Viewing Referral Appointment Logs

A log of all appointments for a referral can be viewed from any outgoing referral.

To view the Referral Appointment log:

1. Open the outgoing referral for which you want to view Referral Appointment logs.

2. Click the Appointment Logs button.

The Logs window opens.

15

Viewing the Prescription Logs

Logs of all the faxed, printed, and reviewed prescriptions can be viewed from the Prescriptions window.

To view the Faxed Prescriptions log:

1. From the Documents band, click the Prescriptions icon.

The Prescriptions window opens.

2. Select the “Faxed” option from the Category drop‐down list.

3. Click the Faxed Prescriptions button.

The Fax Prescriptions Sent Log Preview window opens.

To view the Printed Prescriptions log:



2. Select “Faxed” from the Category drop‐down list.

3. Click the Printed Prescriptions button.

The Print Prescriptions Sent Log Preview window opens.

To view the Reviewed Prescription log:



2. Click the View Reviewed Log button.

The Reviewed Prescriptions Batches window opens.

3. Highlight the prescription batch for which you want to view the log.

4. Click the View Log button.

The log for the selected prescription batch displays.

Generating and Viewing Access Logs

A log of all the times a Progress Note has been accessed or modified can be viewed from the Progress Note window. Before this log can be viewed, it must first be generated.

To generate an Access Log:

1. From the Progress Note for which you want to view the Access Log, click the green arrow next to the Details button to open a drop‐down list.

2. From the drop‐down list, click the Generate Access Logs option.

The Access Log for this Progress Note is now generated.

To view an Access Log:

1. From the Progress Note for which you want to view the Access Log, click the green arrow next to the Details button to open a drop‐down list.

16

2. From the drop‐down list, click the View Access Logs option.

The eClinicalWorks Viewer opens with the access information for this Progress Note.

Viewing the Locked Notes Log

A log of all the locking/unlocking, reviewing, and co‐signing can be viewed from any locked Progress Note. Progress Notes can also be co‐signed from this window.

To view the Locked Notes log:

1. Click the arrow button next to the Addendum button on a locked Progress Note and select the View Locked Notes Log.

Note: The Addendum button takes the place of the Lock button after the Progress Note is locked.

The Review Log window opens.

2. Select the desired date on which the Progress Note was locked that you want to co‐sign.

3. Click the Co‐Sign Selected Chart button.

The selected Progress Note is now co‐signed. The name of the logged‐in user and a time stamp are placed in the Co‐Signed By column.

Billing Logs

Viewing the Print Log

To view the print log for UB claims:

1. From the Claims window, open the UB claim for which you want to view the print log.

2. Click the green arrow next to the Print UB button to open a drop‐down list.

3. From the drop‐down list, hover over the View Log option to open another drop‐down list.

4. From this drop‐down list, click the View Print Log option.

The Claim Log window opens a log of the printings for each UB claim form that can be viewed from any UB‐ 92 claim.

17

Viewing the Claim Submission Log

The Claim Log window opens a log of all submissions for a claim that can be viewed from the Claims window.

To view the Claim Submission log:

1. From the Claims window, open the claim for which you want to view the Assigned Claims log.

2. Click on the Options button to open a drop‐down list.

3. From the drop‐down list, hover over the View Logs option to open another drop‐down list.

4. From this drop‐down list, click the View Claim Submission Log option.

Viewing the Charges Log

A log of all charges on a claim can be viewed from the Claims window.

To view the Charges log:




4. From this drop‐down list, click the View Charges Log option.

Viewing the Claim/CPT Adjustments Log

The Adjustment Logs window opens a log of claim adjustments and CPT adjustments on a claim that can be viewed from the Claims window.

To view the Claim/CPT Adjustments log:




4. From this drop‐down list, click the View Claim/CPT Adjustments Log option.

Viewing the Claim Refunds Log

The Claim Refund Logs window opens a log of all claim‐level refunds on a claim that can be viewed from the Claims window.

To view the Claim Refunds log:




4. From this drop‐down list, click the View Claim Refunds Log option.

18

Viewing the Line Refunds Log

The Refund Line Logs window opens a log of all line‐item refunds on a claim that can be viewed from the Claims window.

To view the Line Refunds log:




4. From this drop‐down list, click the View Line Refunds Log option.

Viewing the Claim/CPT Payment Posting Log

A log of claim‐level and CPT‐level payments on a claim can be viewed from the Claims window.

To view the Claim/CPT Payment Posting log:




4. From this drop‐down list, click the View Claim/CPT Payment Posting Log option.

Viewing the Claim Lock Log

A log of the locking history for a claim that can be viewed from the Claims window.

To view the Claim Lock log:




4. From this drop‐down list, click the View Claim Lock Log option.

Viewing the Claim Status Log

The Claim Status Logs window opens a log of all changes to the Claim Status on a claim that can be viewed from the Claims window.

To view the Claim Status log:




4. From this drop‐down list, click the View Claim Status Log option.

19

Viewing the Claim Transfer Log

The Claim Transfer Logs window opens a log of all insurance company transfers on a claim that can be viewed from the Claims window.

To view the Claim Transfers log:




4. From this drop‐down list, click the View Log option.

Viewing the Assigned Claims Log

The Claim Assigned To Logs window opens a log of the users to which a claim has been assigned. This information can also be viewed from the Follow Up Details Log.

To view the Assigned Claims log:




4. From this drop‐down list, click the View Claim Assigned To Log option.

Viewing the Finance Charges Log

The Finance Charges Log window opens a log of all finance charges on a claim that can be viewed from the Claims window.

To view the Finance Charges log:




4. From this drop‐down list, click the View Finance Charges Log option.

Viewing the Claim Follow Up Details Log

To view the Claim Follow Up Details log:


2. If necessary, click the Show > button to open the Claim Follow Up Details pane.

3. Click the View All Logs button.