Page 1 of 3
Administrative (Non-Clinical) Policy
This administrative policy applies to the operations and staff of the University of Wisconsin Hospitals and
Clinics Authority as integrated effective July 1, 2015, including the legacy operations and staff of UWHC
Policy Title: Electronic Medical Record Audit Policy
Policy Number: 4.39
Effective Date: January 1, 2016
Chapter: Legal Affairs
The purpose of this policy is to define the process for auditing use of the UW Health electronic medical
The following policy reflects the importance of protecting the privacy of patients within UW Health to the
highest degree feasible consistent with good patient care, and ensures the protection of patient
information, regardless of form.
A. A computerized audit trail shall exist in any electronic medical record system implemented at
UW Health. For all clinical data accessed, an entry will be automatically recorded on the audit
trail. The audit trail information recorded will include, but not be limited to, patient reviewed,
medical record number, information reviewed, time and date of review, user, and user class.
B. Health Information Management (HIM) shall designate an Audit Trail Reviewer (ATR) to review
the audit trail. At a minimum, periodic monitoring of the audit trail shall be performed for UW
Health employees who are also patients as well as other patients. Additionally, audit trails will be
reviewed upon patient request. In all cases, HIM will review the audit trail and work with UW
Health departments, UW Health affiliates, and UW-Madison schools to determine if any
unauthorized accesses have been made. Accesses in question will normally first be forwarded to
the stated employee, physician, faculty member, or student for clarification.
C. Upon patient request, Patient Relations may ask that the ATR generate an audit trail. After the
ATR has conducted a review determining if unauthorized accesses exist, results will be given to
Patient Relations. Interpretation and identification of unauthorized accesses will be discussed
with the patient by HIM.
D. Outcomes of ATR investigations will be reported in an anonymous format on a periodic basis to
the Medical Record Committee.
In the descriptions below, flagged access describes data access for which it is unclear to the ATR whether
the access is authorized or unauthorized.
A. For UW Health employees (excluding Graduate Medical Education (GME) trainees)
HIM may determine that access is flagged after receiving a written response from the employee.
If an access is deemed flagged, or if no employee response is received, the ATR will meet with
the employee's supervisor to further discuss and clarify the legitimacy of the employee's access.
Subsequently the supervisor will investigate, and with consultation from Human Resources as
needed, determine what corrective disciplinary measure shall be followed if the access is deemed
B. For UW Health GME trainees:
1. If an access is flagged or if a written response is not received, the case will be referred to
the appropriate Residency Program Director. If, after reviewing with the Program
Director, the accesses are still flagged, the case will be referred to the Privacy Officer; the
Medical Record Committee Chair; the Sr. VP of Medical Affairs; the Clinical Chair of
the GME trainee’s department; the Director of House and Medical Staff Administration;
the Director, Employee Relations and the Medical Director of Information Technology
2. In cases of unauthorized access, disciplinary action will be taken in accordance with the
procedures for discipline of GME trainees. If no action is taken, the Sr. VP of Medical
Affairs will provide a written statement to the UW Health Privacy Officer as to the
C. For medical staff and other faculty and fellows of the School of Medicine and Public Health
(SMPH), School of Nursing, and School of Pharmacy
1. For medical staff members:
a. If an access is flagged, the case will be referred to the UW-Madison HIPAA
Privacy Officer for investigation.
b. If the UW-Madison HIPAA Privacy Officer determines that there is a HIPAA
breach, and/or a violation of UW-Madison policy, discipline will be handled per
UW-Madison policy. In addition, the UW-Madison HIPAA Privacy Officer will
notify UW Health’s Privacy Officer so that the UW Health Privacy Officer
can determine whether the incident constitutes a violation of UWHC policy, too.
c. In cases of a violation of UWHC policy, UW Health’s Privacy Officer will notify
UWHC’s Chief Medical Officer and/or Associate Chief Medical Officer.
Disciplinary action may be taken in accordance with the Medical Staff Bylaws,
Article IX Corrective Action, including but not limited to, Section 3 Automatic
Suspension, Item C. If no action is taken, the Sr. VP of Medical Affairs will
provide a written statement to the UW Health Privacy Officer as to the reason.
2. For non-physician faculty and fellows of the SMPH, School of Nursing, and School of
Pharmacy, the cases of unauthorized access will be referred to the UW-Madison HIPAA
Privacy Officer for corrective disciplinary action.
D. For physicians employed by organizations affiliated with UW Health
Cases of unauthorized access will be referred to the organization's medical director and/or the person
to whom the physician reports for corrective disciplinary action.
E. For students
HIM may determine that access is flagged after receiving a written response from the student.
1. Cases involving medical students, nursing students, pharmacy students and other
UW-Madison students will be referred to the UW-Madison HIPAA Privacy Officer. He/she
will conduct the investigation and notify HIM of the outcome.
2. If the UW-Madison HIPAA Privacy Officer determines that a student has made an
unauthorized access, the case will be referred to the Dean's office of the
student's school for corrective disciplinary action.
F. For employees of the SMPH and persons who are issued access to UW Health electronic
medical records through an SMPH sponsor (such as a UW undergraduate student, a
student from another institution affiliated with a UW school (SMPH, SoN, SoP) or UW
faculty outside of the UW-Madison covered entity who is working on a research project with
a UW principal investigator) - HIM may determine that access is flagged after receiving a
written response from the employee. If an access is flagged, or if no employee response is
received, the ATR will refer the case to the UW-Madison HIPAA Privacy Officer. He/she will
conduct the investigation and notify HIM of the outcome and contact the individual’s supervisor
or appropriate persons in the individual’s department, school or institution of the violation so that
disciplinary actions may be considered if appropriate.
G. For employees of organizations affiliated with UW Health, including physicians who are not
members of the medical staff - If an access is flagged, the ATR will refer the case to the
organization’s designated contact. He/she will conduct the investigation and notify HIM of the
H. For other persons with access to UW Health electronic medical record systems other than
those listed above (including those persons who are affiliated with outside institutions) - any
unauthorized accesses as determined by the ATR will be referred to that person's supervisor or to
the appropriate persons at their home institution for corrective disciplinary action. Where
appropriate the UW Health Privacy Officer and/or the UW-Madison Privacy Officer will also be
notified by the ATR of the unauthorized access.
Sr. Management Sponsor: SVP, Chief Information Officer
Author: Director, Health Information Management; UW Health Privacy Officer
Approval Committee(s): Medical Records Committee; UW Health Administrative Policy & Procedure
President, University of Wisconsin Hospitals
Chief of Clinical Operations
Previous revision: 112015
Next revision: 012019