Owners of Information Systems containing Electronic Protected Health Information (ePHI) must be able to meet the following general data audit trail requirements:
- Which users accessed which patient’s data
- Which patients a user accessed using his/her approved access
- What data/documents were updated/viewed
- What access pathway was used
- When the access occurred
Audit data reflecting this activity must be retained for the minimum retention period as noted in Medical Center Policy 0266 Records Management: Records/Document Retention and Disposition.
Applications unable to comply will petition the Chief Information and Technology Officer and the HIT Director of Information Security for a written exemption, and seek approval of a remediation plan to bring the feature to an acceptable compliance level. See Risk Management.