KI Audit Solution

KI Audit uses artificial intelligence to support Privacy Officers managing EMR access audits. The tool can predict, deter, detect, explain, and report privacy incidents.
KI Audit explanation-based auditing mines healthcare data to identify the clinical and operational reasons for staff to access records.

The Challenge: EMR Access Auditing

Healthcare organizations necessarily manage vast volumes of sensitive personal information in the form of patient records. It is critical that clinicians have easy access to these records when treating patients, and also that safeguards be in place to prevent inappropriate access to records (e.g., snooping). Privacy laws, including Ontario’s Personal Health Information Protection Act, require healthcare organizations to record and audit accesses to electronic medical records (EMR).

“In a complex and dynamic hospital environment, thousands of employees have access to PHI for hundreds of thousands of patient charts spanning across dozens of discrete information systems.”

-Mackenzie Health Privacy Auditing Innovation Procurement Project

Identifying healthcare employees who may be accessing patient records for inappropriate reasons requires an in-depth understanding of healthcare workflows. Commonly used rule-based audit solutions detect specific scenarios, such as employees accessing co-workers’ or family members’ records. These systems are imprecise, and can quickly flag far more accesses for review than can be reviewed manually. KI Audit employs machine learning to create a more sensitive solution.

The Solution: A Custom Explanation-Based Auditing System

KI Audit is a predictive analytics solution based on a peer-reviewed, patented and published methodology for proactive automated privacy auditing. Our explanation-based auditing system uses machine learning to analyze clinical and operational workflows in order to identify connections between patients and employees. By mapping these networks, the system is able to identify plausible purposes for employees to access patient records. The system flags the 1-5% of accesses without apparent explanation for review, enabling health organizations to monitor records access effectively with limited staff resources.

KI Audit was developed via the Mackenzie Innovation Institute’s Privacy Auditing Innovation Procurement Project. Through a competitive dialogue process, KI Design collaborated with Mackenzie Health, Michael Garron Hospital and Markham Stouffville Hospital to co-develop a custom audit solution. Through iterative cycles of enhancement, we refined our solution based on feedback from hospitals to create a specialized audit solution for the Ontario health sector.

KI Audit’s predictive analytics use data and graph mining algorithms to identify, interpret, infer, and learn frequent explanations for employee accesses to records (e.g., appointments, prescriptions, labs). These explanations are suggested to compliance officers, and once approved, these customized ‘rules’ can be used both to filter and flag accesses. Together, flags and filters drastically reduce the number of accesses compliance officers must review by:

  • Filtering out accesses that reflect appropriate clinical and operational reasons to access records, and,
  • Flagging accesses that may reflect inappropriate reasons for accessing records (e.g., snooping on co-workers or family members).

KI Audit also ranks accesses according to risk, prioritizing a) access to records of patients who have no recent or upcoming clinical events, b) accesses by employees from departments uninvolved in a patient’s care, and c) employees with a high volume of unexplained accesses, as well as factors specified by each client.
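The filter-then-rank flow described above can be sketched as follows. This is an added illustration, not KI Audit's code: the record layout, the sample data, the 30-day window, the scoring weights, and the single hand-written explanation template (an event in the employee's own department near the access date) are all assumptions, whereas the product is described as learning its explanations from data.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data: clinical events linking a patient to a department.
EVENTS = [  # (patient, event type, department, date)
    ("p1", "appointment", "cardiology", date(2024, 3, 4)),
    ("p2", "lab", "oncology", date(2024, 3, 5)),
    ("p3", "prescription", "cardiology", date(2023, 6, 1)),
]
# Constructed access log: (employee, employee department, patient, access date)
ACCESSES = [
    ("e1", "cardiology", "p1", date(2024, 3, 4)),
    ("e2", "oncology", "p2", date(2024, 3, 6)),
    ("e3", "billing", "p1", date(2024, 3, 5)),
    ("e3", "billing", "p3", date(2024, 3, 5)),
    ("e4", "cardiology", "p3", date(2024, 3, 5)),
]
WINDOW = timedelta(days=30)  # assumed meaning of "recent or upcoming"

def explain(access):
    """Return the event type that plausibly explains an access, or None."""
    _, dept, patient, when = access
    for ev_patient, kind, ev_dept, ev_date in EVENTS:
        if ev_patient == patient and ev_dept == dept and abs(ev_date - when) <= WINDOW:
            return kind
    return None

def risk(access, unexplained_by_employee):
    """Score an unexplained access on factors a), b) and c); weights are assumed."""
    emp, dept, patient, when = access
    patient_events = [e for e in EVENTS if e[0] == patient]
    # a) patient has no recent or upcoming clinical event
    no_recent_event = not any(abs(e[3] - when) <= WINDOW for e in patient_events)
    # b) employee's department is not involved in the patient's care
    dept_uninvolved = all(e[2] != dept for e in patient_events)
    # c) employee's volume of unexplained accesses
    return 2 * no_recent_event + 2 * dept_uninvolved + unexplained_by_employee[emp]

def audit(accesses):
    """Filter out explained accesses; return the rest ranked by descending risk."""
    unexplained = [a for a in accesses if explain(a) is None]
    volume = Counter(a[0] for a in unexplained)
    return sorted(unexplained, key=lambda a: risk(a, volume), reverse=True)
```

On the sample log, two of the five accesses are filtered out as explained, and the billing employee's access to a patient with no recent events ranks first for review.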

Results: Efficient Automated Access Auditing

KI Audit is generally able to identify appropriate clinical or operational explanations for 95-99% of records accesses, and prioritizes the remaining 1-5% for review based on risk rankings.

KI Audit provides a variety of user-friendly dashboards and reports that help healthcare privacy officers to review and investigate suspicious accesses to health records. The solution provides privacy officers with tools to conduct audits tailored to organizational priorities and resources. For example, a privacy officer can choose to review the 5-10 highest-risk accesses each day, focusing on a specific priority area such as high-profile patients, or a particular department. The tool learns from privacy officers’ decisions to dismiss specific flagged accesses or follow up with further investigation.

KI Audit also provides a user-friendly dashboard and documentation forms for investigations. The Investigate dashboard supports the efficient resolution of breach investigations by clearly tracking tasks to be completed by each member of an investigation team. The investigation process within the tool provides compliance officers with clear guidance on documentation and reporting requirements. Ontario clients have used KI Audit to audit and investigate privacy breaches and to collect documentation for successful court actions.

KI Audit Benefits

Increase public trust

Provide the public with assurance that all records access is monitored

Facilitate reporting

Incident reports and annual/executive reports are a click away

Protect against litigation

Provide your legal team with non-repudiable evidence of privacy compliance

KI Audit Differentiators

Gather data from a wide variety of electronic systems

Identify, interpret, infer, and learn complex clinical patterns and workflows or behaviours

Distinguish legitimate from unauthorized accesses

Assess transactions with a high level of accuracy

Deliver clear reports tailored for a specific audience

Provide analytical reports of current and past transactions to identify future trends