All care providers must follow up logs systematically. This means that activity must be logged in the systems where patient data is processed, and the systems must be designed so that it can be checked that only staff with the appropriate authorisation have accessed patient data. The checklist below summarises what a care provider should bear in mind when following up logs. It is a guide for developing the procedures and methods needed to ensure good protection of privacy. The checklist is based on the Patient Data Act (2008:355) and the National Board of Health and Welfare's regulations and general guidelines on patient records and the processing of personal data within health and medical care (HSLF-FS 2016:40).
Checklist for systematic follow-ups of logs
Inform the staff
Inform the staff that log follow-ups are carried out. Also inform them of the circumstances under which they may view patient data, that they have a personal responsibility to read only the information they need for their work, and what the consequences of reading patient data without authorisation can be.
Check the technical prerequisites
Check the technical prerequisites for access control and the requirements placed on the logs under Chapter 4 Section 9 of HSLF-FS 2016:40. The logs are to show:
- What actions have been performed with the patient data, for example if the staff have read, altered, disclosed, copied, drawn up or printed out care documentation
- At what care unit the actions were performed
- At what time the actions were performed
- Who has performed actions
- What patient the actions referred to
Draw up procedures for the logs by deciding the selection and scope of the log items
Establish a written procedure for how log items are followed up, stating how the log items are selected. It is, for example, appropriate to combine a systematic selection with a degree of randomness, and several parameters should be used in the selection. Investigate whether instances of access can be identified where an authorisation might have been used incorrectly.
One can for example choose to check access:
- To a certain patient's data
- That a certain employee has had
- That has been made a great many times to a certain patient's data
- At unusual times during the day
- To sensitive personal data
- To data relating to children
- To data relating to publicly known people
- To data from certain clinics or medical specialists
- Where blocks have been forcibly breached, or where access has taken place across care unit boundaries or between care processes
The procedure must describe the scope of the log follow-up, that is, how many log items are to be checked and at what intervals. Since it is not only the number of log items that determines the quality of the follow-up, there is no general rule for how many log items should be reviewed on each occasion. Account must be taken of the care unit's size, the number of patients, the number of staff with authorisation, and how systematic the follow-up and its selection are.
There are also technical aids, such as log analysis tools, that facilitate log follow-ups.
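The following is an added example of what such a selection could look like in code; it is not part of the page and not any care provider's or vendor's tool. It applies several of the selection parameters listed above (access at unusual times, a great many accesses to one patient's data, access across care unit boundaries, forcibly breached blocks) and combines them with a random sample, so that staff cannot predict which items will be reviewed. The log fields are the five that HSLF-FS 2016:40 requires (action, care unit, time, user, patient); the two extra fields `patient_unit` and `forced_block`, the `|`-separated line format, the 22:00-06:00 "unusual hours" window and the volume threshold are assumptions for the example, and the log lines are constructed, not real records.

```python
"""Selecting access-log items for follow-up: systematic criteria plus a random sample.

Added example, not from the page or any care provider's system. The '|'-separated
line format, the field names and the thresholds are assumed for illustration.
"""
import random
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class LogItem:
    timestamp: datetime   # at what time the action was performed
    user: str             # who performed the action
    care_unit: str        # at what care unit it was performed
    patient: str          # what patient the action referred to
    action: str           # read / alter / disclose / copy / create / print
    patient_unit: str     # unit responsible for the patient's care (assumed extra field)
    forced_block: bool    # a block was forcibly breached (assumed extra field)


def parse_log(text: str) -> list[LogItem]:
    """Parse '|'-separated log lines (format assumed for this example)."""
    items = []
    for line in text.strip().splitlines():
        ts, user, unit, patient, action, p_unit, forced = line.split("|")
        items.append(LogItem(datetime.fromisoformat(ts), user, unit, patient,
                             action, p_unit, forced == "1"))
    return items


# Constructed sample log, not real patient records.
SAMPLE_LOG = """\
2024-03-04T08:12:00|nurse01|MED-A|P1001|read|MED-A|0
2024-03-04T08:15:00|nurse01|MED-A|P1002|read|MED-A|0
2024-03-04T09:02:00|doc02|MED-A|P1001|alter|MED-A|0
2024-03-04T23:40:00|nurse03|MED-A|P1003|read|MED-A|0
2024-03-04T10:05:00|admin04|ORT-B|P1001|read|MED-A|0
2024-03-04T10:06:00|admin04|ORT-B|P1001|read|MED-A|0
2024-03-04T10:07:00|admin04|ORT-B|P1001|print|MED-A|0
2024-03-04T10:09:00|admin04|ORT-B|P1001|read|MED-A|0
2024-03-04T11:30:00|doc05|MED-A|P1004|read|MED-A|1
2024-03-04T12:00:00|nurse01|MED-A|P1005|read|MED-A|0
"""
ITEMS = parse_log(SAMPLE_LOG)

NIGHT_START, NIGHT_END = time(22, 0), time(6, 0)   # assumed "unusual hours" window


def unusual_hours(items):
    """Access performed at unusual times of day (here: between 22:00 and 06:00)."""
    return [i for i in items
            if i.timestamp.time() >= NIGHT_START or i.timestamp.time() < NIGHT_END]


def high_volume(items, threshold=3):
    """The same user accessing the same patient's data more than `threshold` times."""
    counts = Counter((i.user, i.patient) for i in items)
    return [i for i in items if counts[(i.user, i.patient)] > threshold]


def cross_unit(items):
    """Access from a care unit other than the one responsible for the patient."""
    return [i for i in items if i.care_unit != i.patient_unit]


def forced_blocks(items):
    """Access where a block was forcibly breached."""
    return [i for i in items if i.forced_block]


def random_sample(items, n, seed=None):
    """Random selection, so that staff cannot predict which items are reviewed."""
    return random.Random(seed).sample(items, min(n, len(items)))


def select_for_review(items, sample_size=2, seed=None):
    """Combine the systematic criteria with a random sample.

    Returns a dict mapping each selected log item to the set of reasons it was
    selected, so the reviewer sees every parameter that flagged an item.
    """
    selected = {}
    criteria = {
        "unusual hours": unusual_hours(items),
        "high volume": high_volume(items),
        "cross unit": cross_unit(items),
        "forced block": forced_blocks(items),
        "random": random_sample(items, sample_size, seed),
    }
    for reason, hits in criteria.items():
        for item in hits:
            selected.setdefault(item, set()).add(reason)
    return selected


if __name__ == "__main__":
    for item, reasons in select_for_review(ITEMS, sample_size=2, seed=1).items():
        print(item.timestamp.isoformat(), item.user, item.care_unit,
              item.patient, item.action, sorted(reasons))
```

Each flagged item carries every reason that selected it, which is what the reviewer needs in order to decide whether the access was justified: the four `admin04` items in the sample are flagged both for volume and for crossing a care unit boundary, which is a stronger signal than either parameter alone. The thresholds and the night window are the kind of values the written procedure should fix, and the random seed would normally not be fixed in production.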
Document the log follow-up and follow up the procedure
According to the National Board of Health and Welfare's regulations and general guidelines on patient records and the processing of personal data within health and medical care (HSLF-FS 2016:40), log follow-ups are to be documented. The documentation should be designed so that it can serve as a basis for evaluating the log follow-up procedure.
If the information in other languages differs from the Swedish version, the Swedish version applies.