KI Audit uses artificial intelligence to support Privacy Officers managing EMR access audits. The tool can predict, deter, detect, explain, and report privacy incidents.
The Challenge: EMR Access Auditing
Healthcare organizations necessarily manage vast volumes of sensitive personal information in the form of patient records. It is critical that clinicians have easy access to these records when treating patients, and also that safeguards be in place to prevent inappropriate access to records (e.g., snooping). Privacy laws, including Ontario’s Personal Health Information Protection Act, require healthcare organizations to record and audit accesses to electronic medical records (EMR).
Identifying healthcare employees who may be accessing patient records for inappropriate reasons requires an in-depth understanding of healthcare workflows. Commonly used rule-based audit solutions detect specific scenarios, such as employees accessing co-workers’ or family members’ records. These systems are imprecise, and can quickly flag far more accesses for review than can be reviewed manually. KI Audit employs machine learning to create a more sensitive solution.
The Solution: A Custom Explanation-Based Auditing System
KI Audit is a predictive analytics solution based on a peer-reviewed, patented and published methodology for proactive automated privacy auditing. Our explanation-based auditing system uses machine learning to analyze clinical and operational workflows in order to identify connections between patients and employees. By mapping these networks, the system is able to identify plausible purposes for employees to access patient records. The system flags the 1-5% of accesses without apparent explanation for review, enabling health organizations to monitor records access effectively with limited staff resources.
KI Audit’s predictive analytics use data and graph mining algorithms to identify, interpret, infer, and learn frequent explanations for employee accesses to records (e.g., appointments, prescriptions, labs). These explanations are suggested to compliance officers, and once approved, these customized ‘rules’ can be used both to filter and flag accesses. Together, flags and filters drastically reduce the number of accesses compliance officers must review by:
- Filtering out accesses that reflect appropriate clinical and operational reasons to access records, and,
- Flagging accesses that may reflect inappropriate reasons for accessing records (e.g., snooping on co-workers or family members).
KI Audit also ranks accesses according to risk, prioritizing a) access to records of patients who have no recent or upcoming clinical events, b) accesses by employees from departments uninvolved in a patient’s care, and c) employees with a high volume of unexplained accesses, as well as factors specified by each client.
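The filter-then-rank idea described above can be sketched in a few lines. This is an added illustration, not KI Audit's implementation: the sample data is constructed, and the direct employee-to-patient link rule, the 30-day window and the score weights are all assumptions.

```python
from collections import Counter
from datetime import date, timedelta

WINDOW = timedelta(days=30)  # assumed meaning of "recent or upcoming"

# Constructed clinical events: (patient, employee, department, kind, day)
EVENTS = [
    ("p1", "dr_lee", "cardiology", "appointment", date(2024, 3, 4)),
    ("p1", "rn_kim", "cardiology", "lab", date(2024, 3, 5)),
    ("p2", "dr_roy", "oncology", "prescription", date(2024, 3, 6)),
    ("p3", "dr_roy", "oncology", "appointment", date(2023, 6, 1)),
]
# Constructed access log: (access_id, employee, department, patient, day)
ACCESSES = [
    (1, "dr_lee", "cardiology", "p1", date(2024, 3, 4)),
    (2, "rn_kim", "cardiology", "p1", date(2024, 3, 6)),
    (3, "clerk_ann", "billing", "p2", date(2024, 3, 7)),
    (4, "clerk_ann", "billing", "p3", date(2024, 3, 7)),
    (5, "rn_kim", "cardiology", "p2", date(2024, 3, 8)),
]

def explain(access):
    """Return the kind of event linking this employee to this patient, or None."""
    _, emp, _, pat, day = access
    for e_pat, e_emp, _, kind, e_day in EVENTS:
        if e_pat == pat and e_emp == emp and abs(e_day - day) <= WINDOW:
            return kind
    return None

def audit(accesses):
    """Filter out explained accesses; return unexplained access ids, riskiest first."""
    unexplained = [a for a in accesses if explain(a) is None]
    per_employee = Counter(a[1] for a in unexplained)
    ranked = []
    for aid, emp, dept, pat, day in unexplained:
        nearby = [e for e in EVENTS if e[0] == pat and abs(e[4] - day) <= WINDOW]
        score = 0
        score += 2 if not nearby else 0                           # (a) no recent/upcoming event
        score += 2 if dept not in {e[2] for e in nearby} else 0   # (b) department uninvolved
        score += per_employee[emp] - 1                            # (c) employee's unexplained volume
        ranked.append((score, aid))
    return [aid for score, aid in sorted(ranked, key=lambda r: (-r[0], r[1]))]
```

On the constructed log, accesses 1 and 2 are filtered out by an appointment and a lab event, and the remaining three are queued for review with the access to a patient who has no nearby clinical event ranked first.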
Results: Efficient Automated Access Auditing
KI Audit provides a variety of user-friendly dashboards and reports that help healthcare privacy officers to review and investigate suspicious accesses to health records. The solution provides privacy officers with tools to conduct audits tailored to organizational priorities and resources. For example, a privacy officer can choose to review the 5-10 highest-risk accesses each day, focusing on a specific priority area such as high-profile patients, or a particular department. The tool learns from privacy officers’ decisions to dismiss specific flagged accesses or follow up with further investigation.
KI Audit also provides a user-friendly dashboard and documentation forms for investigations. The Investigate dashboard supports the efficient resolution of breach investigations by clearly tracking tasks to be completed by each member of an investigation team. The investigation process within the tool provides compliance officers with clear guidance on documentation and reporting requirements. Ontario clients have used KI Audit to audit and investigate privacy breaches and to collect documentation for successful court actions.
KI Audit Benefits
Increase public trust
Provide the public with assurance that all records access is monitored
Incident reports and annual/executive reports are a click away
Protect against litigation
Provide your legal team with non-repudiable evidence of privacy compliance
KI Audit Differentiators
- Gather data from a wide variety of electronic systems
- Identify, interpret, infer, and learn complex clinical patterns and workflows or behaviours
- Distinguish legitimate from unauthorized accesses
- Assess transactions with a high level of accuracy
- Deliver clear reports tailored for a specific audience
- Provide analytical reports of current and past transactions to identify future trends