Steps for Effectively Monitoring Researchers’ EMR Accesses

By Daniel Fabbri, CEO of Maize Analytics,
Assistant Professor of Biomedical Informatics
and Computer Science at Vanderbilt University

Clinical researchers require access to electronic medical records (EMR) for chart review. However, ensuring that researchers do not overstep and access data not associated with a research study is challenging.

Hospital privacy and compliance officers are responsible for monitoring employee access to the EMR to ensure appropriate use. Auditing employee accesses typically involves determining how an employee is involved with a patient’s treatment, payment or operations. If the officer can determine the employee’s association, the access is likely appropriate. But researchers are inherently not part of care teams and their accesses can appear to be random. Thus, it is extremely difficult to differentiate appropriate versus inappropriate research accesses.

This is not to say that researchers’ accesses, in general, are random. Researchers typically analyze charts related to a specific disease or procedure. If organizations can incorporate this study information into the auditing process, they will be able to more effectively audit researchers’ accesses.

Privacy and compliance officers should work with the organization’s institutional review board (IRB) to modify their IRB submission process to collect structured data about the planned study, such as the ICD-10 or CPT codes being investigated. Intuitively, when an IRB application is approved, the IRB is giving researchers permission to access patients in the EMR with one of those codes.

Officers should also incorporate the IRB structured data into their auditing tool. At Maize, we incorporate this information in the form of an explanation that connects the researcher’s accesses to the ICD codes associated with the study, and those codes to the patients whose charts carry them. Thus, if an employee accesses a patient with one of the ICD codes they have IRB approval to access, the access is automatically marked appropriate. As a result, privacy and compliance officers need only manually audit the accesses a researcher made to patients’ records that do not carry the approved ICD codes.

For some studies, the ICD code may be too broad (e.g. hypertension). In these cases, the IRB can approve a list of medical record numbers to prevent overly broad access rights.
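The auditing logic described above, as an added example (not Maize Analytics code): researcher accesses are joined to the IRB’s structured approvals, an access is explained when the patient’s chart carries an approved ICD-10 code, and everything else is left for manual review. It also applies the caveat from the previous paragraph: when the IRB approved an explicit medical record number (MRN) list for a broad code such as hypertension, the list replaces the code-based scope. The access log, diagnosis index, study identifiers and MRNs are all constructed for the example; treating an MRN list as overriding code-based scope is an assumption about how an organization would encode that narrower approval.

```python
"""Explain researcher EMR accesses against IRB-approved study scope.

Added example, not Maize Analytics code. Assumes:
  * an access log of (user_id, mrn, timestamp) rows,
  * a diagnosis index mapping MRN -> ICD-10 codes on the chart,
  * IRB approvals as structured data per study: the researchers on the
    protocol, the approved ICD-10 codes, and optionally an explicit MRN
    list that replaces code-based scope when a code is too broad.
All identifiers and records below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class StudyApproval:
    study_id: str
    researchers: Set[str]
    icd_codes: Set[str] = field(default_factory=set)
    # When set, the IRB scoped the study to exactly these charts.
    mrn_list: Optional[Set[str]] = None


@dataclass
class Access:
    user_id: str
    mrn: str
    timestamp: str


def explain_access(access: Access, approvals: List[StudyApproval],
                   diagnoses: Dict[str, Set[str]]) -> Optional[str]:
    """Return an explanation if the access falls inside a study the user is
    approved for, otherwise None (the access needs manual audit)."""
    patient_codes = diagnoses.get(access.mrn, set())
    for study in approvals:
        if access.user_id not in study.researchers:
            continue
        if study.mrn_list is not None:
            # Assumption: an explicit record list overrides code-based scope.
            if access.mrn in study.mrn_list:
                return f"{study.study_id}: MRN on IRB-approved record list"
            continue
        shared = patient_codes & study.icd_codes
        if shared:
            return f"{study.study_id}: patient has approved code {sorted(shared)[0]}"
    return None


def audit(accesses: List[Access], approvals: List[StudyApproval],
          diagnoses: Dict[str, Set[str]]) -> Tuple[list, list]:
    """Split the log into explained accesses and those left for manual review."""
    explained, to_review = [], []
    for a in accesses:
        why = explain_access(a, approvals, diagnoses)
        (explained if why else to_review).append((a, why))
    return explained, to_review


# Constructed sample data. ICD-10 I21.x = acute myocardial infarction,
# I10 = essential hypertension (the "too broad" case), E11.9 = type 2 diabetes.
APPROVALS = [
    StudyApproval("IRB-2024-001", {"res_alice"}, icd_codes={"I21.0", "I21.1"}),
    StudyApproval("IRB-2024-002", {"res_bob"}, icd_codes={"I10"},
                  mrn_list={"MRN-1003"}),
]
DIAGNOSES = {
    "MRN-1001": {"I21.0", "I10"},
    "MRN-1002": {"E11.9"},
    "MRN-1003": {"I10"},
    "MRN-1004": {"I10"},
}
ACCESSES = [
    Access("res_alice", "MRN-1001", "2024-03-01T09:15"),   # explained: I21.0
    Access("res_alice", "MRN-1002", "2024-03-01T09:20"),   # review: no approved code
    Access("res_bob", "MRN-1003", "2024-03-02T10:00"),     # explained: on MRN list
    Access("res_bob", "MRN-1004", "2024-03-02T10:05"),     # review: I10 but not on list
    Access("nurse_carol", "MRN-1001", "2024-03-02T11:30"), # review: no study approval
]


def run_sample() -> Tuple[list, list]:
    """Audit the constructed log; returns (explained, to_review)."""
    return audit(ACCESSES, APPROVALS, DIAGNOSES)


if __name__ == "__main__":
    explained, to_review = run_sample()
    for a, why in explained:
        print(f"OK      {a.user_id:12} {a.mrn}  {why}")
    for a, _ in to_review:
        print(f"REVIEW  {a.user_id:12} {a.mrn}  no IRB explanation")
```

In practice the non-researcher access (nurse_carol) would be handled by the ordinary treatment, payment or operations explanations the article describes; the point here is that only two of the four researcher accesses remain in the manual queue, and the one to MRN-1004 is flagged even though the patient carries the approved hypertension code, because the IRB narrowed that study to a record list.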

By updating your IRB submission process to collect structured data and incorporating that data into EMR access auditing tools, privacy and compliance officers can more effectively audit researchers’ accesses.



  1. If patients’ privacy is protected by giving codes instead of using names in research studies, my opinion is this can help all cases in following the outcome of treatments.
