Systematic follow-ups of logs
All care providers are to follow up logs systematically, meaning that they are to log activities in the systems where the patient data is processed. The systems are to be designed so that it is possible to check that only staff with the appropriate authorisation can access patient data.
This is a checklist that summarises what a care provider should bear in mind when following up logs. The checklist is a guide to help you develop the procedures and methods needed to ensure good protection of privacy.
The checklist is based on the Patient Data Act (2008:355) and the National Board of Health and Welfare's regulations and general guidelines concerning patient records and processing of personal data within health and medical care (HSLF-FS 2016:40).
Checklist for systematic follow-ups of logs
Inform the staff that follow-ups of logs are made. Also inform the staff of the circumstances under which they may see patient data, that they have a personal responsibility to read only the information that they need in their work, and what the consequences of reading patient data without authorisation can be.
Check the technical prerequisites for access control and what requirements are set for the logs under Chapter 4 Section 9 of HSLF-FS 2016:40. The logs are to show:
- What actions have been performed with the patient data, for example if the staff have read, altered, disclosed, copied, drawn up or printed out care documentation
- At what care unit the actions were performed
- At what time the actions were performed
- Who has performed actions
- What patient the actions referred to
Establish a written procedure that describes how the log items are followed up and states how log items are selected. It is, for example, appropriate to combine a systematic approach with a degree of randomness when log items are selected, and several parameters should be used in the selection. Investigate whether instances of access can be identified where authorisation could be used in an incorrect manner.
One can for example choose to check access:
- To a certain patient's data
- That a certain employee has had
- That has been made a great many times with respect to a certain patient
- At unusual times during the day
- To sensitive personal data
- To data relating to children
- To data relating to publicly known people
- To data from certain clinics or medical specialists
- Where blocks have been forcibly breached or where access has taken place across care unit borders or between care processes
The procedure must describe the scope of the log follow-up, that is to say how many log items you will check and at what intervals. Since it is not only the number of log items that determines the quality, there is no general rule as to how many log items should be reviewed on each occasion. Consideration must be given to the health unit's scope, the number of patients, the staff who have authorisation, and how systematic the follow-up and its selection are.
There are also technical aids that facilitate log follow-ups, for example log analysis tools.
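The selection described above, combining fixed rules with a random draw, as an added example that is not part of the original guidance or of any particular log analysis tool. The log items are constructed; the field names, the "record_unit" and "block_override" fields, the night-time window and the repeat threshold are assumptions.

```python
import random
from collections import Counter
from datetime import datetime

# Constructed log items with the fields the checklist requires (action, care
# unit, time, who, which patient). "record_unit" (unit the data belongs to)
# and "block_override" are assumed extra fields.
def item(i, action, unit, time, user, patient, record_unit=None, override=False):
    return {"id": i, "action": action, "unit": unit, "time": time, "user": user,
            "patient": patient, "record_unit": record_unit or unit,
            "block_override": override}

LOG = [
    item(1, "read", "cardiology", "2024-03-04T10:15", "u17", "p001"),
    item(2, "read", "cardiology", "2024-03-04T02:40", "u17", "p002"),
    item(3, "read", "cardiology", "2024-03-04T09:00", "u23", "p003", "oncology"),
    item(4, "read", "surgery", "2024-03-04T11:00", "u31", "p004"),
    item(5, "read", "surgery", "2024-03-04T13:00", "u31", "p004"),
    item(6, "read", "surgery", "2024-03-04T15:00", "u31", "p004"),
    item(7, "printed", "surgery", "2024-03-04T14:00", "u40", "p005", override=True),
    item(8, "altered", "surgery", "2024-03-04T08:30", "u41", "p006"),
    item(9, "read", "surgery", "2024-03-04T16:00", "u42", "p007"),
]

def select_for_review(log, night=(22, 6), repeat_limit=3, sample_size=1, seed=0):
    """Return {log id: [reasons]} from rule-based plus random selection."""
    per_pair = Counter((e["user"], e["patient"]) for e in log)
    selected = {}
    for e in log:
        reasons = []
        hour = datetime.fromisoformat(e["time"]).hour
        if hour >= night[0] or hour < night[1]:
            reasons.append("unusual time")
        if per_pair[(e["user"], e["patient"])] >= repeat_limit:
            reasons.append("repeated access to one patient")
        if e["unit"] != e["record_unit"]:
            reasons.append("across care unit borders")
        if e["block_override"]:
            reasons.append("block forcibly breached")
        if reasons:
            selected[e["id"]] = reasons
    # Random element: draw from items no rule picked. Recording the seed lets
    # the documented follow-up be reproduced when the procedure is evaluated.
    rest = sorted(e["id"] for e in log if e["id"] not in selected)
    for i in random.Random(seed).sample(rest, min(sample_size, len(rest))):
        selected[i] = ["random sample"]
    return selected
```

Storing the returned reasons together with the seed and the parameters used gives the documentation a record of why each log item was reviewed.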
According to the National Board of Health and Welfare's regulations and general guidelines concerning patient records and processing of personal data within health and medical care (HSLF-FS 2016:40), log follow-ups are to be documented. The documentation should be so designed that it can constitute a basis for evaluating the log follow-up procedure.
About the information on this page
If the information in English is different from the Swedish version of this page, the Swedish version applies.