Auditing ePCR Access Logs: What Reasonable Review Looks Like

Most EMS agencies have audit logs. Very few have an audit process.

The difference matters. A log is a record of events. An audit is a review of those events with the intent to find something wrong. If nobody is looking at the logs, you do not have an audit program. You have a paper trail that will document exactly how a breach happened and how long it went unnoticed.

I have sat through enough OCR investigation prep sessions to know how this goes. The agency gets a complaint. A patient's record was accessed by someone who had no clinical reason to see it. The compliance officer pulls the logs. The logs show the access. And then the question comes: "When was the last time these logs were reviewed?"

If the answer is "We have a quarterly sign-off," and the sign-off shows no anomalies were ever found, the conversation gets uncomfortable. Because either the review was not thorough enough to catch the access, or it was not actually done.

This article covers the cadence, the alerts, and the role assignment that turns a log file into a real audit.

How to Audit ePCR Access Logs for HIPAA Compliance

HIPAA's Security Rule requires "reasonable and appropriate" safeguards for electronic protected health information. The Technical Safeguards section (164.312(b)) specifically calls for audit controls that record and examine access activity.

> (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine access and other activity in information systems that contain or use electronic protected health information.

> (c) Implementation specification. Covered entities must review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports.

The rule does not prescribe a specific frequency. It says the measures must be reasonable and appropriate based on your agency's risk.

That flexibility is useful. It is also a trap.

A quarterly review of a raw log export is not reasonable for an agency running 20,000 calls a year. A monthly spot-check of high-risk records without any automated alerting is not appropriate for an agency that transports high-profile patients. The standard is not what your neighbor agency does. The standard is what a reasonable person in your position would do given the volume, the risk profile, and the available tools.

The baseline I recommend to agencies is a three-tier model:

• Real-time alerts for specific trigger events (VIP records, bulk exports, out-of-bout access).
• Weekly or bi-weekly sampled review of high-risk access patterns.
• Monthly general audit of system-wide access trends.

This is not a regulatory requirement. It is a practical starting point. Adjust up based on your call volume, your patient population, and any recent incidents.

HIPAA Reasonable and Appropriate Audit Log Review Frequency

The word "reasonable" does a lot of work in HIPAA. It is also the word that gets agencies in trouble, because what feels reasonable in a budget meeting does not always match what feels reasonable in a deposition.

Here is a framework for determining your cadence.

Start with your call volume to determine the baseline frequency you need. An agency running 500 calls a year has a different risk surface than one running 50,000. The higher the volume, the more access events to review, and the more frequently you need to sample.

Add your patient risk factors. Do you transport elected officials, public figures, or people involved in high-profile incidents? Do you operate in a jurisdiction where medical record snooping has been a problem before? Each of these factors should push your cadence shorter.

Add your workforce size to the calculation as well when setting cadence. More users means more access events and a higher probability that someone will act on curiosity. Agencies with more than 50 field providers should be on a weekly or bi-weekly review cycle for sampled access.

The key is documentation. Whatever cadence you choose, write down why you chose it. If OCR asks, you need to show that you assessed your risk and set the frequency based on that assessment. A documented risk assessment that lands on monthly reviews is defensible. An undocumented quarterly sign-off with no rationale is not.

Detecting PHI Snooping in EMS Electronic Patient Records

The most common ePCR access violation is not a data breach in the traditional sense. It is a provider looking up a patient they have no business looking up. A neighbor, a coworker, a former partner, a high-profile arrest. These are curiosity accesses, and they are the hardest to catch with raw log review because they look like legitimate access from a legitimate user.

The way to catch them is cross-referencing.

Your ePCR system records who accessed a record. Your CAD system records who was assigned to a call. If a provider accessed a record for a call they were not assigned to, that is a flag. Some ePCR platforms can generate reports for this directly. Others require you to export and compare. Either way, this is the single highest-value review you can do.

A second high-value check is after-hours access. If a provider is not on shift but is pulling records from home, that warrants a look. Some of these accesses are legitimate (a supervisor reviewing a call for QA). Some are not. The pattern matters more than the individual event.

For agencies that want to go further, look at access patterns before and after personnel events. Resignations, terminations, disputes. The period before a provider leaves is a common window for data exfiltration. A bulk export or a spike in record views from a user who has given notice is worth investigating immediately.

I covered the workforce side of this in more detail in HIPAA Workforce Screening and the EMS Hiring Gap. The hiring screen and the audit program are two ends of the same rope.

ePCR Audit Log Alerts for High Profile Patients

If you are not running VIP alerts, you are flying blind on your highest-risk records.

A VIP alert is a straightforward concept to implement in your ePCR system. You maintain a list of patient identifiers (names, record numbers, or other markers) that trigger an immediate notification when accessed. The notification goes to the compliance officer or the clinical lead. It does not need to be investigated every time. A paramedic assigned to a call involving a VIP will access the record as part of normal care. But the alert ensures that every access is seen, and that unauthorized access is caught within hours instead of months.

Setting this up requires coordination with your ePCR vendor and some planning. Most major platforms (ImageTrend, ESO, Zoll) support some form of alerting or reporting for specific records. The question is whether your agency has configured it. I have walked into agencies running enterprise-tier ePCR licenses that had never turned on a single alert. The feature was there, and nobody had asked for it.

A companion alert is the bulk export threshold. Configure your system to flag any user who exports or prints more than a set number of records in a short window. The threshold depends on your workflow. For a QA reviewer, exporting 50 records in a day might be normal. For a field provider, exporting 10 records they were not assigned to is a problem. Set the threshold based on role and review the flags weekly.

For a broader look at how your ePCR vendor handles security features, see ImageTrend, ESO, and Zoll Online: A Security-Posture Evaluation Framework.

Role of Compliance Officer in Reviewing EMS Access Logs

The most common failure I see in audit programs is assigning log review to the wrong person.

IT can tell you that a record was accessed. IT cannot tell you whether that access was clinically justified. That determination requires clinical knowledge. It requires knowing the call, the patient, and the provider's role. IT does not have that context.

The split is straightforward:

• IT / Security owns the integrity and availability of the logs. They ensure logging is enabled, the logs are retained, and the reports can be generated on demand.
• Clinical lead / Compliance officer owns the review. They look at the access events and determine whether each one had a legitimate clinical purpose.

This means the person doing the review needs to be someone who can answer the question "Did this provider have a need to know?" That is usually the chief, the medical director, or a designated compliance officer with clinical experience.

The reviewer also needs to document their work. A review that produces no findings is still a review. Write down what was checked, when, and what the result was. This documentation is what holds up in an investigation. A log of reviews showing consistent, documented checks is the strongest evidence of a reasonable audit program.

Frequently Asked Questions

How often should an EMS agency review its ePCR access logs to be HIPAA compliant?

HIPAA does not specify a number of days. The standard is "reasonable and appropriate" based on your risk. A practical baseline is real-time alerts for high-risk records, weekly or bi-weekly sampled reviews, and a monthly general audit. Document your rationale for whatever cadence you choose.

Who should be responsible for reviewing access logs, the IT manager or the EMS chief?

IT should ensure the logs are captured and available. The review itself should be done by someone with clinical authority who can determine whether a provider had a legitimate need to access a specific record. That is usually the chief, the medical director, or a designated compliance officer.

What is the most effective way to stop employees from snooping on patient records?

The most effective deterrent is the knowledge that the logs are actually reviewed. Communicate that random audits happen and that unauthorized access leads to disciplinary action. A culture of accountability changes behavior more than any technical control.

What alerts should I configure in my ePCR system?

Start with VIP patient alerts for high-profile records, bulk export thresholds to catch potential data exfiltration, and after-hours access flags for users accessing records outside their shift. Cross-reference ePCR access against CAD assignments to catch out-of-bout access.

---

The difference between a log and an audit is the person reading it. Configure your alerts, set your cadence, assign the right reviewer, and document the work. That is what reasonable looks like.

-- Steven