4 Who Should Audit User Activity? It is important for a trustee to appoint one or more individuals to be responsible for monitoring the activity of its employees. It is recommended that the appointed individual(s) are familiar with the following: Provincial and federal privacy legislation, such as; The Freedom of Information and Protection of Privacy Act (FOIP), the Personal Information Protection and Electronic Documents Act (PIPEDA), The Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP) and HIPA; The trustee’s privacy and security policies; The type of information the system contains and purpose for which it was collected; and The type of access associated with each user role. As well, processes should be established to ensure regular audits are conducted on the individual(s) responsible for monitoring the activity of employees. Audit Triggers During a random audit, there may be events that can trigger a formal, in-depth investigation. Events which could trigger an investigation include, but are not limited to, the following: A user has viewed their own record; The type of access is not related to the role of the user who made the access (e.g., a pharmacist views information outside their scope of practice); A user views a record of an individual who has the same last name as the user; The viewed record belongs to an employee of the organization; The number of accesses to one particular record is quite high; A record has been viewed outside of scheduled working hours; A record has been viewed that does not have an appropriate service event to match (e.g., a record from 5 years ago was viewed recently, yet there are no recent visits made by the patient); A record has been viewed that is associated with a media event (e.g., records relating to a suspected bioterrorism attack); A record has been accessed that is associated with a VIP (e.g., celebrities, board members, politicians); and Break-the-glass events (e.g., a user overrides a mask put on an individual’s record).
RkJQdWJsaXNoZXIy MTgwMjYzOA==