Date: 2018-06-13

In his presentation, "Strategies to Effectively Monitor Researchers' Access to the EMR," Dr. Fabbri dove into the risk posed by researchers with access to electronic health records, and what makes monitoring researchers' accesses so difficult. Approaches used to monitor clinician accesses are not directly transferable to detect researcher misuse, he says.

"Over the past several years we've seen the threat of breaches from insiders growing," says Dr. Fabbri. "Researchers are a special class of insider whose work can involve seemingly erratic access patterns, making them difficult to monitor. As a result, standard methods, like rules-based auditing and anomaly detection, are not sufficient for monitoring researchers, creating a significant risk to patient data."

The talk spurred a discussion about procedures, processes and tools covered entities can employ to ensure researchers' EMR accesses comply with HIPAA and institutional policies. According to Dr. Fabbri, this starts with researchers' applications to the Institutional Review Board (IRB).

"Including structured diagnosis and procedure codes in the IRB application provides a guide for compliance officers to understand what constitutes appropriate access for each researcher," he says.

Covered entities can integrate IRB submission data within their access monitoring tools to more effectively detect inappropriate behavior, continues Dr. Fabbri. "These research-aware monitoring tools can identify when a project goes beyond the listed research scope and alert the compliance department."
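As an added illustration (not code from the presentation or from any monitoring product), the following Python sketch shows one way a research-aware check could compare each researcher access against the structured codes listed in an IRB application. The protocol ID, user names, patient IDs, code sets and log rows are all constructed sample data, and the matching rule (any listed diagnosis prefix or procedure code on the chart) is an assumption.

```python
"""Flag researcher EMR accesses that fall outside the IRB-listed scope."""

# Constructed IRB submissions: approved diagnosis-code prefixes and procedure codes.
IRB_SCOPE = {
    "IRB-EXAMPLE-001": {"dx_prefixes": ("E10", "E11"), "procedures": {"83036"}},
}
# Constructed mapping of researchers to the protocols they are listed on.
RESEARCHER_PROTOCOLS = {"researcher_a": ["IRB-EXAMPLE-001"], "researcher_b": []}
# Constructed structured codes per patient chart.
PATIENT_CODES = {
    "P001": {"dx": {"E11.9", "I10"}, "procedures": set()},
    "P002": {"dx": {"J45.909"}, "procedures": {"83036"}},
    "P003": {"dx": {"S72.001A"}, "procedures": {"27236"}},
}
# Constructed access-log rows: (timestamp, user, patient id).
ACCESS_LOG = [
    ("2018-06-01T09:14:00", "researcher_a", "P001"),
    ("2018-06-01T09:20:00", "researcher_a", "P002"),
    ("2018-06-01T23:41:00", "researcher_a", "P003"),
    ("2018-06-02T10:05:00", "researcher_b", "P001"),
    ("2018-06-02T10:09:00", "researcher_a", "P999"),
]

def chart_matches(chart, scope):
    """True if any diagnosis or procedure code on the chart is in the IRB scope."""
    dx_hit = any(code.startswith(scope["dx_prefixes"]) for code in chart["dx"])
    return dx_hit or bool(chart["procedures"] & scope["procedures"])

def review_access(user, patient_id):
    """Return None when the access is in scope, else a reason for the alert."""
    protocols = RESEARCHER_PROTOCOLS.get(user, [])
    if not protocols:
        return "no approved protocol on file"
    chart = PATIENT_CODES.get(patient_id)
    if chart is None:
        return "patient has no structured codes; manual review"
    if any(chart_matches(chart, IRB_SCOPE[p]) for p in protocols):
        return None
    return "chart matches no code listed in " + ", ".join(protocols)

def out_of_scope_alerts(log):
    """Collect (timestamp, user, patient, reason) for every flagged access."""
    alerts = []
    for ts, user, patient_id in log:
        reason = review_access(user, patient_id)
        if reason:
            alerts.append((ts, user, patient_id, reason))
    return alerts

if __name__ == "__main__":
    for alert in out_of_scope_alerts(ACCESS_LOG):
        print(*alert, sep=" | ")
```

Accesses by a user with no protocol on file, and accesses to charts with no structured codes, are surfaced for review rather than silently passed.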

The presentation—attended by researchers, compliance teams, and HIPAA officers alike—concluded with Dr. Fabbri providing monitoring recommendations and guidance so that healthcare organizations can monitor the various types of access to patient data.

