Enhanced explanations expand upon core explanations of why an access to a patient’s electronic medical record (EMR) took place. They go beyond clinical or operational reasons for an access and help the system learn interactions between employees, departments, and diagnoses (e.g. the oncology department typically treats cancer patients with chemotherapy, or ICD code V58.11). Enhanced explanations can also help the system learn types of actions that are acceptable within the EMR for a given user (e.g. an oncologist modifies, views, or signs off on a note within a cancer patient’s record).
There are many reasons why a user may access a patient’s record. The Explanation-Based Auditing System (EBAS) automatically discovers encounters between patients and users documented in the EMR. In production environments, the explanation rate for documented encounters is typically between 95–99%. (See the Explanation Guide for more
However, there are other accesses for treatment and payment that may not be documented in the EMR, but are essential for any health care system. Certain health care operations—administrative, financial, legal, and quality improvement activities—conducted by or for health plans and providers, may also require a user to access a patient record.
Treatment generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
Health care operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.
These terms are defined in the Privacy Rule (Reference 45 CFR 164.506). For more information, visit: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html
Click the gears icon on the left menu bar to go to the Explanations page. This page displays a list of all explanations the system found in your organization’s data. Click the Enhanced Explanations tab at the top of the page to see a list of tools that can help you find missing connections between patients and users.
This guide will cover Diagnosis Responsibility and Access Action Whitelist.
The system “mines” your organization’s data to find relationships between departments and the patients they frequently treat, based on ICD (International Classification of Diseases) diagnosis codes. This allows you to assign diagnosis responsibility by reviewing and approving access events using diagnosis codes specific to a department specialty or patient type. For example: Oncology treats cancer patients with an ICD code of V58.11, “Encounter for antineoplastic chemotherapy, as the principal diagnosis if a patient is admitted solely for chemotherapy administration.”
Under Diagnosis Responsibility, click Mine Entries. Then click the blue Mine Responsibility button to generate a list of ICD codes that each department is commonly treating.
When mining is complete, a list appears of departments and associated ICD codes with descriptions. Select certain associations for approval using the checkboxes and green button. Mining is specific to your organization, with your organization’s department names and the ICD codes currently used for billing purposes.
It is important when selecting that you don’t create overly broad diagnosis responsibilities (e.g. selecting departments and diagnosis codes widely used across your organization like body mass index (BMI), or hypertension). This will create a situation where you will be “over-approving” accesses. The goal is to approve accesses by specialty departments (e.g. Oncology) to specific patients with diagnosis codes that are reflective of the department specialty (cancer, chemotherapy treatment, etc.) and not part of the general patient population.
If you mine a diagnosis responsibility entry today and approve it (Add Selected), it will be used/tested against future uploaded data sets. Selected items will also be displayed in the View Entries tab under Diagnosis Responsibility.
If an access between a user and patient meets an appropriate access classification (explanation), all accesses between the unique user and patient will be marked as appropriate for the day.
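The over-approval risk described above can be checked before approving mined entries. The following is an added example, not Maize's mining algorithm: it pairs each department with the codes its patients carry and flags any code that is common across the whole patient population. The data is constructed, `DX-HTN` and `DX-BMI` are placeholders standing in for hypertension and BMI codes, and the `min_support` and `max_prevalence` thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample data. "DX-HTN" / "DX-BMI" are placeholders for widely
# used hypertension and BMI codes; V58.11 is the chemotherapy code from the text.
PATIENT_DX = {
    "p1": {"V58.11", "DX-HTN"}, "p2": {"V58.11", "DX-BMI"},
    "p3": {"DX-HTN", "DX-BMI"}, "p4": {"DX-HTN"},
    "p5": {"DX-HTN", "DX-BMI"}, "p6": {"V58.11", "DX-HTN"},
    "p7": {"DX-HTN", "DX-BMI"}, "p8": {"DX-HTN"},
}
# (department, patient) pairs observed in the access data.
DEPT_PATIENTS = [
    ("Oncology", "p1"), ("Oncology", "p2"), ("Oncology", "p6"),
    ("Cardiology", "p3"), ("Cardiology", "p4"), ("Cardiology", "p7"),
]

def mine_candidates(dept_patients, patient_dx, min_support=2, max_prevalence=0.4):
    """Return (department, code) candidates, each with a too_broad flag."""
    total = len(patient_dx)
    # Which patients in the whole population carry each code.
    carriers = defaultdict(set)
    for patient, codes in patient_dx.items():
        for code in codes:
            carriers[code].add(patient)
    # Distinct patients seen per (department, code) pair.
    support = defaultdict(set)
    for dept, patient in dept_patients:
        for code in patient_dx.get(patient, ()):
            support[(dept, code)].add(patient)
    candidates = []
    for (dept, code), patients in sorted(support.items()):
        if len(patients) < min_support:
            continue  # too few patients to call it a department pattern
        prevalence = len(carriers[code]) / total
        candidates.append({
            "department": dept, "code": code, "support": len(patients),
            "prevalence": prevalence,
            # A code most patients carry says nothing about the specialty.
            "too_broad": prevalence > max_prevalence,
        })
    return candidates

def approvable(candidates):
    """Pairs that are specific enough to approve without over-approving."""
    return [(c["department"], c["code"]) for c in candidates if not c["too_broad"]]
```

On this data only the Oncology/V58.11 pair survives; the hypertension and BMI placeholders are flagged for every department because most patients carry them.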
What departments should I start with?
Maize recommends starting with one specialty department to gain a better understanding of how the process works, before adding multiple department/diagnosis codes. Many start with a department that has the most unexplained accesses.
To view a list of Most Unexplained Departments in your organization, click the gears to go to Explanations, then click Reports. Click View on the top table entry. At the bottom of the Explanation Report is a list of the 10 Most Unexplained Departments.
How can I see Diagnosis Responsibility in search results?
Click the magnifying glass to go to Search. Then click any green check mark to see which explanation(s) underlie an access. Note: Maize applies a window of time that governs when data are active (included) for analysis. Only patient diagnosis codes that occur in the given window of time will appear in Search Results.
To view all accesses covered exclusively by the Diagnosis Responsibility explanation, open Search Options and enter “Diagnosis Responsibility” in the Explanation field.
Most EMRs create audit trails of all access events, including the action a user performed in the system to trigger an access, whether the access was completed, and what type of access the user had (e.g. View, View and Modify, and Export).
Health care organizations can leverage this information to effectively review/manage the large volume of access logs created daily, and approve actions considered appropriate as part of normal health care operations. For example: When a user signs a clinic note, or completes another task, these actions are documented as “View and Modify” action types, and may be considered appropriate for the user and their role (as opposed to a user simply viewing a patient’s record).
Maize created a method to automatically approve specific access actions (Note signed, Diagnosis filed, etc.) as appropriate behavior, per the health care organization’s acceptable use policy. Access actions can be created and applied to specific departments.
To add an access action, go to the Access Action Whitelist tab, then click the Create Whitelisted Actions tab.
If you Create Whitelisted Actions today and click submit, they will be used/tested against future uploaded data sets.
If an access between a user and patient meets an appropriate access action classification (explanation), all accesses between the unique user and patient will be marked as appropriate for the day. If the access action is the first explained event for the day, the explanation “Access Action First Access” appears in the list of explanations, along with the access action description.
Selected items will be displayed in the View Whitelisted Actions tab under Access Action Whitelist.
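The day-level rule stated for both explanation types (one explained access marks every access between that user and patient as appropriate for the day) is worth seeing on data, because it shows how much a single approved entry or whitelisted action covers. This is an added example, not Maize's implementation; the event layout, user and patient IDs, and the "Chart opened" action name are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data; IDs, timestamps and "Chart opened" are assumptions.
APPROVED_DX = {("Oncology", "V58.11")}        # approved (department, ICD code)
WHITELIST = {("Oncology", "Note signed")}     # whitelisted (department, action)
PATIENT_DX = {"p1": {"V58.11"}, "p9": set()}  # codes active in the time window
EVENTS = [  # (user, department, patient, timestamp, action)
    ("u_onc1", "Oncology", "p1", "2024-03-04T08:10", "Chart opened"),
    ("u_onc1", "Oncology", "p1", "2024-03-04T15:40", "Chart opened"),
    ("u_onc2", "Oncology", "p9", "2024-03-04T09:00", "Chart opened"),
    ("u_onc2", "Oncology", "p9", "2024-03-04T09:05", "Note signed"),
    ("u_onc2", "Oncology", "p9", "2024-03-05T11:00", "Chart opened"),
    ("u_card1", "Cardiology", "p1", "2024-03-04T10:00", "Chart opened"),
]

def day_key(event):
    """(user, patient, calendar day) is the unit the rule operates on."""
    user, _dept, patient, ts, _action = event
    return (user, patient, datetime.fromisoformat(ts).date().isoformat())

def explain_days(events, approved_dx, whitelist, patient_dx):
    """Map each (user, patient, day) to the explanations found on that day."""
    found = {}
    for event in events:
        _user, dept, patient, _ts, action = event
        reasons = found.setdefault(day_key(event), set())
        if any((dept, code) in approved_dx for code in patient_dx.get(patient, ())):
            reasons.add("Diagnosis Responsibility")
        if (dept, action) in whitelist:
            reasons.add("Access Action")
    return found

def classify(events, approved_dx, whitelist, patient_dx):
    """Label each event; any explanation covers the whole user-patient day."""
    found = explain_days(events, approved_dx, whitelist, patient_dx)
    return [(event, bool(found[day_key(event)])) for event in events]

def unexplained_days(events, approved_dx, whitelist, patient_dx):
    """User-patient days with no explanation: what remains for manual review."""
    found = explain_days(events, approved_dx, whitelist, patient_dx)
    return sorted(key for key, reasons in found.items() if not reasons)
```

Note that the 09:00 "Chart opened" event by `u_onc2` is marked appropriate only because the same user signed a note on the same patient five minutes later; the next day's access by that user is not covered.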
What Access Actions/Departments Should I Start With?
Maize recommends starting with one department to gain a better understanding of how the process works, before adding multiple departments/access actions. Choosing View and Modify access actions vs. View Only events is best practice. Customers often start with a department that has the most unexplained accesses.
To view a list of Most Unexplained Departments in your organization, click the gears to go to Explanations, then click Reports. Click View on the top table entry. At the bottom of the Explanation Report is a list of the 10 Most Unexplained Departments.
How do I view accesses explained by my new Access Action?
Click the magnifying glass to go to Search. Then click any green check mark to see which explanation(s) underlie an access.
To view all accesses covered exclusively by the Access Action explanation, open Search Options and enter “Access Action” in the Explanation field, or type the access action name in the general search field.