Bulletin: Reviewing Vault Access by Users
Syndromic Surveillance collects a limited data set from participating healthcare facilities. Under HIPAA, limited datasets do not require the same high security standards for data at rest and data in motion. With the collection of data beyond Syndromic Surveillance data, which is not part of an evaluated limited data set, there is greater concern regarding handling of PHI and Other Sensitive Information (POSI).
To address this concern regarding proper handling of POSI, Health Monitoring has implemented a new component within EpiCenter (the Vault) and introduced audited access to data which may contain POSI. EpiCenter users are prompted to enter a POSI Access Reason as well as provide a password verification in order to access reports that include POSI.
Vault Report Access Tracking
Health Monitoring has created a set of three reports that allows the appropriate personnel to see which EpiCenter users, within their region, have accessed the Vault along with their POSI Access Reason.
Each of the three reports serves a different purpose. The “Find Vault Report Usage” report shows each execution of a report per line. The “Find Vault Audit Entries” report shows each retrieval of a piece of sensitive information per line. The “Find Vault Value Entries” report is not listed directly under the Reports menu, as is it a pivot form the “Find Vault Audit Entries” report. This report shows the access history for a particular piece of sensitive information; one access per line (access types can be Create, Read, Write, etc.).
These three reports have been implemented into the Production environment and the appropriate users will be granted access to them.