Reduce risk by independently validating electronic health records systems

Oversights in certified EHR technology can result in bad – even fatal – outcomes. The best antidote is an independent audit. 

If you are like me, when you reach into the cabinet for a dinner plate, you grab the one on the top. The plates on the bottom of the stack are just as good, but the convenience of taking the top plate outweighs the process of getting to the bottom one. 

In accounting circles, this is akin to a widely used inventory costing method called LIFO (last in, first out). In system audit circles, though, always grabbing the top plate is a big mistake.

Most system audits share core characteristics, and they also share many of the same weaknesses. This article focuses on audits of certified electronic health record technology (CEHRT) systems as representative of system audits in general.

Because CEHRTs hold massive amounts of personal health information (what HIPAA calls protected health information, or “PHI”), these systems must meet stringent functional and behavioral requirements. A CEHRT is first audited by a certifying body designated by the Office of the National Coordinator for Health Information Technology (ONC), part of the Department of Health and Human Services (HHS). Once a system is certified, the providers who use it can qualify for the government incentive and reporting programs that require certified technology.

Why pursue a high-quality CEHRT audit?

CEHRT audits provide insight and value – and help guard against risk. Consider:

  1. Boards of Directors and current owners may have significant liability exposure for CEHRTs with both intentional and unintentional defects. 
  2. CEHRT programming and support staff may need to supplement their quality assurance processes with an independent review prior to certification or the release of an updated software version.
  3. Companies may look for external expertise and documentation in preparation for merger and acquisition activity. Investors and potential purchasers may want third-party due diligence as part of the representations and warranties process before completing a transaction with a CEHRT provider.
  4. Financial institutions may want to independently validate CEHRT system compliance as a condition of a loan.
  5. Insurers may want more granularity to document their risk as part of underwriting activities.

What makes a CEHRT audit credible?

In the CEHRT environment, certifying-body audits are most often run with the same business rules and test data that were used in the previous audit, and with advance notice of what will be tested and how. Like a pop quiz whose questions the teacher handed out the day before, this is not sound auditing practice. The same functionality is tested and retested at the same depth, without digitally reaching for the bottom dinner plate, which could show that both simple and complex software changes have affected the system’s compliance and stability; sometimes the bottom plate is cracked or chipped. In systems that hold all of our personal health data and help catch potentially fatal drug interactions, that oversight can be devastating.

Credible audits of CEHRTs should include these elements:

  • The auditor is experienced and knowledgeable in these systems.
  • Audit data is not made known to the CEHRT system provider in advance.
  • The audit protocol used by the examiner is unpublished and not disclosed in advance.
  • When a potential system issue is identified, the audit protocol is adjusted to “dig a little deeper.”
  • The audit is based on actual system behavior, without reviewing the underlying programming code.
  • The scope of the audit includes all Criteria and Clinical Quality Measures (CQM) listed on the regulator’s CHPL site, as well as CEHRT-related Cures Act functionality.
  • The audit can be expanded, if indicated, to include HIPAA, ISO/IEC standards, non-federal laws such as California’s CCPA and New York’s SHIELD Act, compliance with contractual, insurance, and other obligations, and international laws such as GDPR (Europe), PDPL (Saudi Arabia), or APPI (Japan).
  • The role of AI in the system can be examined with or without ISO/IEC certification.

Potential issues a CEHRT audit might reveal

Our years of experience with these audits have shown how valuable they can be when they are thorough. Consider these 10 examples of actual findings:

  1. Intentional or inadvertent “defeat programming” was detected: code that appears compliant but is a cheating workaround, which can endanger patient health and the system’s certification.
  2. System tiers designed to limit access to information on a need-to-know basis could be bypassed, exposing PHI improperly.
  3. Emergency access (“break the glass”) functionality remained in effect after the user logged out, exposing PHI to others.
  4. Attestations used in the certification rested on programmer misrepresentations to management, on withdrawn or superseded ISO standards, or on out-of-date references, creating liability risk.
  5. Right-clicking an entry and selecting “Inspect” in the browser revealed client-side code and values that the system relied on for its behavior, leaving them open to tampering from the browser.
  6. The audit log did not capture the details required for examination.
  7. The system did not include all eligible records in CQM calculations, or the CQM age exclusion was applied incorrectly.
  8. Although certified, the data export functionality was not compliant, creating data integrity risk.
  9. A certifying body included items in its certification and government attestation that it had not actually assessed, requiring the certification letter to be reissued.
  10. The CEHRT failed to flag excessive prescription drug doses after they were entered into the system.
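Findings 3 and 6 can be made concrete with a small model. The following is an added example written for this page, not code from the article, from CohnReznick, or from any EHR product; the class names, users, patients, the 15-minute grant window and the list of required audit fields are all hypothetical. It shows emergency access that is keyed to the workstation and therefore outlives the session that requested it (the defect), beside a version keyed to the session with expiry and revocation at logout, together with a black-box probe of the kind an auditor can run against observed behavior without reading the source.

```python
"""Added example (hypothetical): "break the glass" emergency access done two ways,
plus a behavioral probe and an audit-log completeness check."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
import uuid

# Constructed sample data: clinicians on each patient's care team.
CARE_TEAM = {"patient-001": {"dr_lee"}, "patient-002": {"dr_patel"}}

# Fields a reviewer needs to reconstruct who saw what, when, from which session.
# A hypothetical minimum set for this example, not a regulatory list.
REQUIRED_AUDIT_FIELDS = ("ts", "actor", "action", "patient", "outcome", "session")


@dataclass
class AuditEvent:
    ts: str
    actor: str
    action: str
    patient: str
    outcome: Optional[str] = None
    session: Optional[str] = None
    reason: Optional[str] = None


def utc_now() -> datetime:
    return datetime.now(timezone.utc)


class BaseEhr:
    """Shared session bookkeeping; the clock is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], datetime] = utc_now):
        self.clock = clock
        self.sessions: dict[str, tuple[str, str]] = {}   # sid -> (user, workstation)
        self.audit: list[AuditEvent] = []

    def login(self, user: str, workstation: str) -> str:
        sid = str(uuid.uuid4())
        self.sessions[sid] = (user, workstation)
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)


class DefectiveEhr(BaseEhr):
    """Emergency mode is a flag on the workstation, so logging out does not clear it and
    the next person at that terminal inherits it. Audit entries omit session and outcome."""

    def __init__(self, clock: Callable[[], datetime] = utc_now):
        super().__init__(clock)
        self.emergency_workstations: set[str] = set()

    def break_glass(self, sid: str, patient: str, reason: str) -> None:
        user, ws = self.sessions[sid]
        self.emergency_workstations.add(ws)            # never revoked at logout
        self.audit.append(AuditEvent(self.clock().isoformat(), user, "break_glass", patient))

    def read_record(self, sid: str, patient: str) -> bool:
        user, ws = self.sessions[sid]
        allowed = user in CARE_TEAM[patient] or ws in self.emergency_workstations
        self.audit.append(AuditEvent(self.clock().isoformat(), user, "read", patient))
        return allowed


class HardenedEhr(BaseEhr):
    """Emergency access is bound to the requesting session and the named patient, expires
    after a short window, is revoked at logout, and every grant and read is fully logged."""

    GLASS_TTL = timedelta(minutes=15)   # hypothetical policy value

    def __init__(self, clock: Callable[[], datetime] = utc_now):
        super().__init__(clock)
        self.glass: dict[str, tuple[str, datetime]] = {}   # sid -> (patient, expiry)

    def logout(self, sid: str) -> None:
        self.glass.pop(sid, None)                         # grant dies with the session
        super().logout(sid)

    def break_glass(self, sid: str, patient: str, reason: str) -> None:
        user, _ = self.sessions[sid]
        self.glass[sid] = (patient, self.clock() + self.GLASS_TTL)
        self.audit.append(AuditEvent(self.clock().isoformat(), user, "break_glass",
                                     patient, "granted", sid, reason))

    def read_record(self, sid: str, patient: str) -> bool:
        user, _ = self.sessions[sid]
        grant = self.glass.get(sid)
        emergency_ok = grant is not None and grant[0] == patient and self.clock() < grant[1]
        allowed = user in CARE_TEAM[patient] or emergency_ok
        self.audit.append(AuditEvent(self.clock().isoformat(), user, "read", patient,
                                     "granted" if allowed else "denied", sid))
        return allowed


def audit_gaps(events: list[AuditEvent]) -> list[str]:
    """Required fields that at least one event in the log left empty (finding 6)."""
    return sorted({f for e in events for f in REQUIRED_AUDIT_FIELDS if getattr(e, f) is None})


def probe_logout_revocation(make_ehr: Callable[..., BaseEhr]) -> dict:
    """Black-box check for finding 3: break the glass in one session, log out, and see
    whether the next user at the same workstation can still read the chart."""
    ehr = make_ehr()
    s1 = ehr.login("dr_lee", "ws-7")
    ehr.break_glass(s1, "patient-002", "code blue")
    if not ehr.read_record(s1, "patient-002"):
        raise RuntimeError("emergency access should work inside the requesting session")
    ehr.logout(s1)
    s2 = ehr.login("nurse_kim", "ws-7")   # not on the care team, never broke the glass
    return {"leaked": ehr.read_record(s2, "patient-002"), "audit_gaps": audit_gaps(ehr.audit)}


def probe_expiry(make_ehr: Callable[..., BaseEhr], minutes_later: int) -> bool:
    """Does an emergency grant still work `minutes_later` minutes after it was made?"""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    ehr = make_ehr(clock=lambda: now[0])
    s = ehr.login("dr_lee", "ws-7")
    ehr.break_glass(s, "patient-002", "code blue")
    now[0] += timedelta(minutes=minutes_later)
    return ehr.read_record(s, "patient-002")
```

The probe never looks at either class’s internals; it only drives logins, grants, logouts and reads and observes what is returned, which is the black-box posture the audit elements above call for. Running it against `DefectiveEhr` reports the leak and an audit log missing `outcome` and `session`; against `HardenedEhr` it reports no leak, no gaps, and a grant that stops working once the window has passed.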

In conclusion

Our private collective health records, medical histories, and drug interactions are stored on the many CEHRTs in use in hospitals and clinics everywhere. Human beings program these systems, and human beings use them at clinical and pharmaceutical points of care. Like the rest of us, these humans can make mistakes. But unlike for most of us, in the clinical context, those oversights can result in bad – even fatal – outcomes. The best antidote is to validate CEHRT system behavior with an independent auditor who will digitally reach down and examine the plate on the bottom of the stack. 


Subject matter expertise

Scott Corzine
Managing Director, Cybersecurity, Technology Risk and Privacy, CohnReznick
