Audit Responsibility and Workflow

The system has an optional audit report check feature. To ensure your group/practice is safeguarding protected health information (PHI) and using the system in compliance with your organization's legal, privacy, and security policies, your designated group/practice administrator may be authorized and required to run audit reports and participate in the periodic user access review (PUAR) workflow. See the Help topics below for more information about audit responsibility, PUAR workflow, and the audit report check feature.

Note: Audit report check is an optional feature that can be enabled and enforced in your system.

Help Topics on This Page

  • Periodic User Access Review Workflow
  • Authorization
  • Audit Requirement
  • Audit Report Check
  • Audit Report Review Responsibility Message
  • Reports to Monitor Audit Report Review Responsibility Status
  • Audit Report Review
  • Audit Report Review Message for Group/Practice Administrators
  • Audit Report Review Message for Group/Practice Users
  • Audit Report Review Message for Group/Practice Administrators When Zero Days Remain in Grace Period
  • System Notification - Group/Practice Administrator Limited Functionality
  • System Notification - User Locked Out
  • Run Audit Reports Before Grace Period
  • Run Audit Reports During Grace Period
  • Run Audit Reports When Zero Days Remain in Grace Period
  • Export Reports to Microsoft Excel
  • Tips for Reviewing Commonly Used Audit Reports
  • System Available Email
  • A - Audit Report History Report
  • Audit Report Review Frequently Asked Questions

Periodic User Access Review Workflow

The periodic user access review (PUAR) workflow is part of the audit report check system feature. The purpose of the workflow is to help facilitate regular review of designated audit reports by authorized group/practice administrators to ensure patient health information is safeguarded and the system is being used in compliance with your organization's policies.

"Enhanced PUAR workflow" refers to functionality available in the latest version of the audit report check feature. 

Authorization

To participate in the PUAR workflow, you must be authorized to run audit reports and have additional authorization for the PUAR workflow. If you are designated as a group/practice administrator, you can be authorized and required to participate in the PUAR workflow for your group/practice. Other administrators, such as health information exchange (HIE) administrators, can be authorized to monitor the overall status of the PUAR workflow.  

Audit Requirement 

To ensure your group/practice is safeguarding PHI and using the system in compliance with your organization's legal, privacy, and security policies, your designated group/practice administrator can be authorized to participate in the PUAR workflow and required to run and review audit reports on a regular basis. If your group/practice has multiple administrators authorized for the PUAR workflow, each designated report must be run and reviewed by at least one of them to satisfy the audit requirement for the review period; there is no longer a requirement for the same administrator to run all of the reports.

Audit Report Check

In accordance with your legal, privacy, and security policies, designated group/practice administrators can be required to periodically run and review audit reports to monitor system use. Audit report check is a system feature that helps organizations comply with audit requirements. System settings provide audit report check implementation flexibility. Options range from audit report check not being enabled, to enabled but not enforced, to enabled and enforced. PUAR is the workflow associated with the audit report check feature.

Audit Report Review Responsibility Message

The enhanced PUAR workflow includes an optional configurable responsibility acknowledgement message. A system setting is used to determine if the message is used in your portal. If enabled, the system displays the Audit Report Review Responsibility dialog box to you only if you are authorized to run audit reports and participate in the PUAR workflow. The message is intended to remind you of your responsibility to audit system use and to capture your agreement to accept this responsibility. The A - Audit Report Responsibility Practice Status and A - Audit Report Responsibility User Status reports are available for HIE administrators to track user responses to the Audit Report Review Responsibility message.     

Audit Report Review Responsibility message details:

If enabled, the Audit Report Review Responsibility dialog box is displayed when you take one of the following actions:

  • Log in to the portal and are authorized in your default group/role to run audit reports and participate in the PUAR workflow
    • If you select Agree, your response is logged and you will not receive the message again for your default group/role
    • If you select Cancel, your response is logged and you are redirected to the logon page
  • Are in the portal, change your group/role, and are authorized to run audit reports and participate in the PUAR workflow in the group/role you select
    • If you select Agree, your response is logged, you change to the selected group/role, and you will not receive the message again for the selected group/role
    • If you select Cancel, your response is logged, you are prevented from changing to the selected group/role, and you are redirected to your current group/role  

Audit Report Review Responsibility Message Example (Enhanced PUAR Workflow): 

     

Reports to Monitor Audit Report Review Responsibility Status

If you are an HIE administrator, use the following reports to monitor responses to the Audit Report Review Responsibility message (applies only if your system is configured to display the Audit Report Review Responsibility dialog box): 

A - Audit Report Responsibility Practice Status

The A - Audit Report Responsibility Practice Status report is associated with the enhanced PUAR workflow and the Audit Report Review Responsibility message. The report lists all groups/practices within the group hierarchy of the person running the report. For each group/practice the report identifies the group/practice administrators authorized to participate in the PUAR workflow. It indicates the acknowledgement status and date of each group/practice administrator's response to the Audit Report Review Responsibility message.  

Report Columns:

A - Audit Report Responsibility Practice Status 

  • User Group: Group name associated with the group/practice.
  • User Role: Role associated with the user authorized to participate in the PUAR workflow. If no user is authorized for the group, None Assigned is displayed.
  • User Name: First and last name of the user authorized to participate in the PUAR workflow. If no user is authorized for the group, None Assigned is displayed.
  • User Email: Email address associated with the authorized user. If no user is authorized for the group, Not Available is displayed.
  • User Phone: Phone number associated with the authorized user. If their phone number is not in the system or no user is authorized for the group, Not Available is displayed.
  • Status: Authorized user’s response to the message on the Audit Report Review Responsibility dialog box. Column contains one of the following values:
    • Agreed – user selected Agree on the dialog box
    • Canceled – user selected Cancel on the dialog box
    • Not Acknowledged – user did not log in to the application, or while logged in did not change to a group/role in which they are authorized to participate in the PUAR workflow, and therefore did not encounter the dialog box
    • NA – group does not have a user authorized to audit system use
  • Date: Date the authorized user selected either Agree or Cancel on the Audit Report Review Responsibility dialog box.

A - Audit Report Responsibility User Status

The A - Audit Report Responsibility User Status report is associated with the enhanced PUAR workflow and the Audit Report Review Responsibility message. It identifies group/practice administrators, within their assigned group/practice, who encountered the Audit Report Review Responsibility dialog box. Their acknowledgement status, either Agreed or Canceled, is displayed in the report Status column. The report can be filtered by Begin Date and End Date.

Report Columns:

A - Audit Report Responsibility User Status

  • User Group: Group in context when the user acknowledged the message on the Audit Report Review Responsibility dialog box.
  • User Role: Role in context when the user acknowledged the message on the Audit Report Review Responsibility dialog box.
  • User Name: First and last name of the user authorized to participate in the PUAR workflow.
  • User Email: Email address associated with the authorized user.
  • User Phone: Phone number associated with the authorized user. If their phone number is not in the system, Not Available is displayed.
  • Status: Authorized user’s response to the message on the Audit Report Review Responsibility dialog box. Column contains one of the following values:
    • Agreed – the user selected Agree on the dialog box
    • Canceled – the user selected Cancel on the dialog box
  • Date: Date the user selected either Agree or Cancel on the Audit Report Review Responsibility dialog box.

Audit Report Review 

To help ensure compliance with your organization's legal, privacy, and security policies, your group/practice administrator can be required to periodically run and review designated audit reports to monitor system use. For example, your system can be configured for the A - Active Users, A - Global Search Report, and A - Practice Physicians reports to be run and reviewed every 90 days to ensure the HIE is being accessed and used according to policy. 

A grace period for running the reports can be configured in the system. For example, you can have a 90-day review period followed by a 15-day grace period. Grace period applies only when audit report check is enforced.  

The following are consequences if audit report check is enforced and reports are not run before the grace period ends:

Group/Practice Administrator Limited Functionality

If your system is configured to enforce audit report check and reports are not run before the grace period ends, the system enforces that all authorized group/practice administrators have access to limited portal functionality until the reports are run. Full functionality is restored to the administrators immediately after the reports are run.

Note:

  • In the enhanced PUAR workflow, in addition to the impact on authorized group/practice administrators, group/practice users are impacted
    • Users are locked out of portal functionality
    • Full functionality is restored to everyone in the organization immediately after the reports are run
  • You can change group/role while in a limited functionality state 

Also see System Notification - Group/Practice Administrator Limited Functionality, User Locked Out, and System Available Email

User Locked Out

In the enhanced PUAR workflow, if your system is configured to enforce audit report check and reports are not run before the grace period ends, all users are impacted. The system enforces that an authorized group/practice administrator run the reports before users can access full portal functionality. Prior to the enhanced PUAR workflow, only authorized group/practice administrators lost access to full portal functionality. In the enhanced PUAR workflow, full functionality is restored to everyone in the organization immediately after the reports are run.

Note: You can change group/role while in a locked out state.

Also see System Notification - User Locked Out, Group/Practice Administrator Limited Functionality, and System Available Email  

Audit Report Review Message for Group/Practice Administrators

If you are an authorized group/practice administrator, the system displays the Audit Report Review message to you if reports are not run before the review period ends. The message is configurable. When audit report check is enforced, the message is intended to notify you that you are in the grace period and remind you to run the reports. Grace period does not apply when audit report check is not enforced.

When audit report check is enforced and the reports are not run before the grace period ends, all authorized group/practice administrators have limited access to portal functionality until the reports are run.

In the enhanced PUAR workflow, when audit report check is enforced:

  • Now an Audit Report Review message is displayed to group/practice users when the review period ends and you are in the grace period; for specific details see Audit Report Review Message for Group/Practice Users
  • Now all users in your group/practice are impacted and unable to access full system functionality if reports are not run before the grace period ends

Selecting OK or Cancel on Audit Report Review Dialog Box

When the configured review period ends and reports have not been run, the system displays the Audit Report Review dialog box to authorized group/practice administrators as a reminder to run reports. OK or Cancel are the two options on the dialog box. See below for more information.  

  • When audit report check is enforced
  • When audit report check is enabled but not enforced

When audit report check is enforced

During the grace period, if audit report check is enforced, the system displays the Audit Report Review dialog box under the following conditions: 

  • When you log in to the portal, if you are authorized in your default group/role to run audit reports and participate in the PUAR workflow 
    • If you select OK, you have access to full portal functionality; it is recommended that you run reports now before the grace period ends    
    • If you select Cancel, you are redirected to the logon page
  • When you are logged in to the portal and select to change your group/role and are authorized to run audit reports and participate in the PUAR workflow in the group/role you select
    • If you select OK, you have access to full portal functionality; it is recommended that you run reports now before the grace period ends
    • If you select Cancel, you are prevented from changing to the selected group/role, and you are redirected to your current group/role 

When audit report check is enabled but not enforced

When audit report check is enabled but not enforced, the system displays the Audit Report Review dialog box under the following conditions:

  • When you log in to the portal if you are authorized in your default group/role to run audit reports and participate in the PUAR workflow
    • If you select OK, you have access to full portal functionality but if the reports are not run, the Audit Report Review message is displayed to you every time you log in    
    • If you select Cancel, you are redirected to the logon page
  • When you are logged in to the portal and select to change your group/role and are authorized to run audit reports and participate in the PUAR workflow in the group/role you select
    • If you select OK, you have access to full portal functionality but if the reports are not run, the Audit Report Review message is displayed to you every time you change to that group/role
    • If you select Cancel, you are prevented from changing to the selected group/role, and you are redirected to your current group/role  

Group/Practice Administrator Audit Report Review Message When Audit Report Check is Enforced Example (Enhanced PUAR Workflow):

Audit Report Review Message for Group/Practice Users

In the enhanced PUAR workflow, if you are a group/practice user not authorized to participate in the PUAR workflow, the Audit Report Review message is displayed to you when all of the following conditions are met:

  1. Audit report check is enforced in the system.
  2. There is at least one authorized administrator in your group/practice.
  3. The review period ended and your authorized group/practice administrators are in the grace period for running audit reports and the reports have not been run. 

Select OK on the Audit Report Review dialog box to access full system functionality. When you log in or change your default group/role the Audit Report Review message will continue to be displayed to you until an authorized group/practice administrator runs the reports or zero days remain in the grace period. 

Note: When zero days remain in the grace period and the reports have not been run, you are locked out of system functionality for your group/role in context. Full system functionality is restored immediately after an authorized group/practice administrator runs the reports. You can change group/role while in a locked out state. 

Also see System Notification - User Locked Out  

Group/Practice User Audit Report Review Message Example (Enhanced PUAR Workflow):

Audit Report Review Message for Group/Practice Administrators When Zero Days Remain in Grace Period

In the enhanced PUAR workflow, when audit report check is enforced, all users in your group/practice are impacted and unable to access full system functionality when zero days remain in the grace period and reports have not been run. Previously, only authorized group/practice administrators were impacted.

Also see System Notification - User Locked Out

Selecting OK or Cancel on Audit Report Review Dialog Box When Zero Days Remain in Grace Period

When audit report check is enforced and zero days remain in the grace period, the system displays the Audit Report Review dialog box to authorized users under the following conditions: 

  • When you log in to the portal and are authorized in your default group/role to run audit reports and participate in the PUAR workflow
    • If you select OK, you have access to limited portal functionality and are redirected to the Audit Reports page to run reports
    • If you select Cancel, you are redirected to the logon page
  • When you are logged in to the portal and select to change your group/role and are authorized to run audit reports and participate in the PUAR workflow in the group/role you select
    • If you select OK, you have access to limited portal functionality and are redirected to the Audit Reports page to run reports
    • If you select Cancel, you are prevented from changing to the selected group/role, and are redirected to your current group/role 

Group/Practice Administrator Audit Report Review Message When Zero Days Remain in Grace Period Example (Enhanced PUAR Workflow):

System Notification - Group/Practice Administrator Limited Functionality

Authorized group/practice administrators are redirected to the Audit Reports page to run designated reports when the following conditions are met:

  1. Audit report check is enforced in the system.
  2. Zero days remain in the configured grace period and the reports have not been run.
  3. The authorized group/practice administrator selects OK on the Audit Report Review dialog box. 

Note:

  • In the enhanced PUAR workflow, under the above conditions, all group/practice users are impacted and unable to access full system functionality until reports are run
    • Previously, only authorized group/practice administrator access to portal functionality was impacted
  • You can change group/role while in a limited functionality state

Also see System Notification - User Locked Out and Run Audit Reports When Zero Days Remain in Grace Period

Group/Practice Administrator Audit Reports Page Example:

System Notification - User Locked Out

In the enhanced PUAR workflow, if you are a group/practice user not authorized to participate in the PUAR workflow, the System Notification - User Locked Out page is displayed to you when all of the following conditions are met:

  1. Audit report check is enforced in the system.
  2. There is at least one authorized administrator in your group/practice.
  3. Zero days remain in the configured grace period and an authorized group/practice administrator has not run the reports.

You are locked out of system functionality for your group/role in context. You can change group/role while in a locked out state. Full system functionality is restored to all group/practice users immediately after an authorized group/practice administrator runs the last required report. 

Group/Practice User System Notification - User Locked Out Example (Enhanced PUAR Workflow):

Run Audit Reports Before Grace Period

Grace period applies only when audit report check is enforced. Knowing which audit reports you are required to run is a prerequisite for running the reports before the grace period starts.

Also see Run Audit Reports During Grace Period.

Running reports before the grace period starts includes the following benefits:

Complete the following steps to run audit reports before the grace period starts:

  1. Select Reports from the menu bar.
  2. If listed, select Audit Reports.
  3. Select one of your designated audit reports from the Reports List on the Audit Reports page. 
    • Report Description is displayed below the Reports List    
  4. If Filters are available, value them as required to produce the intended report. An asterisk indicates the filter is required. If Filters, such as Begin Date and End Date, are available they are displayed when the report is selected. 
  5. Select Search to run the report. The system displays the report on the page. 
    • If you want to sort the report, select a column header 
      • An icon next to the column header indicates an ascending sort order, for example a to z, or 1 to 10, or oldest date to most recent date
      • A different icon indicates a descending sort order, for example z to a, or 10 to 1, or most recent date to oldest date
    • If you want to view a different page of report results, scroll down and select a page number, or use the arrows to go to a page
    • If you want to change the number of report rows displayed per page, make a selection from the Page Size list 
    • If you want to see a full screen view of the report, select Expanded View  
    • If you want to close Expanded View, select Previous View
    • If you want to export the report to Microsoft Excel, select Export to Excel
    • If you want to clear the search Filters and revert to the default values, select Clear  
  6. Review the report to ensure your group/practice is using the HIE in compliance with your organization's policies. See Tips for Reviewing Commonly Used Audit Reports and Audit Report Review Frequently Asked Questions for more information. 
  7. If a discrepancy is found, follow your organization's procedures to report it. 
  8. Repeat steps 3-7 for each audit report you are required to run.

Run Audit Reports During Grace Period

Grace period applies only when audit report check is enforced.

Complete the following steps to run audit reports during the grace period:

  1. If you are an authorized group/practice administrator, when you log in to the portal or change group/role, the system displays the Audit Report Review dialog box to notify you when you are in the grace period for running reports. Read the message, note the reports listed, and select OK to attest to the audit requirement and proceed. 
  2. Select Reports from the menu bar.
  3. If listed, select Audit Reports.
  4. Select one of your designated audit reports from the Reports List on the Audit Reports page.  
    • Report Description is displayed below the Reports List    
  5. If Filters are available, value them as required to produce the intended report. An asterisk indicates the filter is required. If Filters, such as Begin Date and End Date, are available they are displayed when the report is selected. 
  6. Select Search to run the report. The system displays the report on the page.  
    • If you want to sort the report, select a column header 
      • An icon next to the column header indicates an ascending sort order, for example a to z, or 1 to 10, or oldest date to most recent date
      • A different icon indicates a descending sort order, for example z to a, or 10 to 1, or most recent date to oldest date
    • If you want to view a different page of report results, scroll down and either select a page number, or use the arrows to go to a page
    • If you want to change the number of report rows displayed per page, make a selection from the Page Size list 
    • If you want to see a full screen view of the report, select Expanded View  
    • If you want to close Expanded View, select Previous View
    • If you want to export the report to Microsoft Excel, select Export to Excel
    • If you want to clear the search Filters and revert to the default values, select Clear 
  7. Review the report to ensure your group/practice is using the HIE in compliance with your organization's policies. See Tips for Reviewing Commonly Used Audit Reports and Audit Report Review Frequently Asked Questions for more information. 
  8. If a discrepancy is found, follow your organization's procedures to report it. 
  9. Repeat steps 4-8 for each audit report you are required to run.  

Run Audit Reports When Zero Days Remain in Grace Period

Grace period applies only when audit report check is enforced. If you are an authorized group/practice administrator, when you log in to the portal or change group/role, the system displays the Audit Report Review dialog box notifying you that zero days remain in the grace period. See the example below.

Audit Report Review Dialog Box When Zero Days Remain in Grace Period Example:

Complete the following steps to run audit reports when zero days remain in the grace period:

  1. Select OK on the Audit Report Review dialog box. You are redirected to the Audit Reports page and the reports that must be run to restore access to full system functionality are listed. This is an example: 
  2. Select a designated audit report from the Reports List. 
    • Report description is displayed below the Reports List 
  3. If Filters are available, value them as required to produce the intended report. An asterisk indicates the filter is required. If Filters, such as Begin Date and End Date, are available they are displayed when the report is selected. 
  4. Select Search to run the report. The system displays the report on the page.   
    • If you want to sort the report, select a column header 
      • An icon next to the column header indicates an ascending sort order, for example a to z, or 1 to 10, or oldest date to most recent date
      • A different icon indicates a descending sort order, for example z to a, or 10 to 1, or most recent date to oldest date
    • If you want to view a different page of report results, scroll down and either select a page number, or use the arrows to go to a page
    • If you want to change the number of report rows displayed per page, make a selection from the Page Size list 
    • If you want to see a full screen view of the report, select Expanded View  
    • If you want to close Expanded View, select Previous View
    • If you want to export the report to Microsoft Excel, select Export to Excel
    • If you want to clear the search Filters and revert to the default values, select Clear
  5. Review the report to ensure your group/practice is using the HIE in compliance with your organization's policies. See Tips for Reviewing Commonly Used Audit Reports and Audit Report Review Frequently Asked Questions for more information. 
  6. If a discrepancy is found, follow your organization's procedures to report it. 
  7. Repeat steps 2-6 for each audit report you are required to run.

After you run the designated reports, access to full system functionality is restored to all authorized administrators in your group/practice. In the enhanced PUAR workflow, full system functionality is also restored to all other users in your group/practice and a system available email is sent to all active users regardless of configured role.

Export Reports to Microsoft Excel

Microsoft Excel Viewer, or a .xls /.xlsx compatible application, is required to export reports to Excel.

Complete the following steps to export a report to Excel:

  1. Run a report
  2. Select Export to Excel, located above the report column header row. 
  3. The report is exported to a worksheet in .xls or .xlsx format. The file is neither encrypted nor password protected.
  4. Depending on your browser and settings, a dialog box may be displayed. If displayed, select what to do with the file, for example open, save, or save as. Complete any additional steps required for the selected action.

Tips for Reviewing Commonly Used Audit Reports

If you are an authorized group/practice administrator, you can be required to run and review designated audit reports on a regular basis. Three such reports are the Active Users, Global Search, and Practice Physicians reports. Select each of the following reports for more information:

A - Active Users

Report providing the activity status of each user account in the group/practice. It includes the following user information:

  • Date of last logon
  • Number of days until account is disabled due to inactivity
  • Number of days until account expires
  • Number of days until password expires

Objective: Review the report to identify users no longer with the group/practice.

Action: Send an email to Cerner Support indicating user accounts to remove from the group/practice.

A - Global Search Report

Report providing a list of users in your assigned group/practice who used the Global Search utility to access patient information during a specified date range. It includes the following information:

  • Patient information entered to perform the search, for example:
    • First name
    • Last name
    • Date of birth
    • SSN
    • MRN
  • Search reason
  • Date and time of search

Objectives:

  1. Review the report to identify inappropriate viewing of patient information. For example, searches for family members or celebrity names, searches at an unusual time of day, or searches by unauthorized users.
  2. Ensure a valid reason is provided for each search.
  3. Ensure all patients listed are associated with physicians in the group/practice.

Action: Report inappropriate viewing of patient information to a designated compliance contact in your organization or follow your organization's procedures to report misuse of the Global Search utility.    
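The three review objectives above can be pre-screened over an exported A - Global Search Report so the reviewer starts with the rows that need attention. This is an added example, not code from the product; it assumes the export was re-saved as CSV, and the column headers, timestamp format, 07:00-19:00 working hours, roster and MRN list are all assumptions supplied by the reviewer.

```python
import csv
import io
from datetime import datetime, time

# Constructed export, re-saved as CSV. Names, MRNs and headers are invented.
SAMPLE_EXPORT = """\
User Name,Patient First Name,Patient Last Name,MRN,Search Reason,Search Date/Time
Dana Reyes,Maria,Lopez,100234,Scheduled visit,2024-03-04 10:15
Dana Reyes,Tom,Reyes,100777,Follow-up,2024-03-04 11:02
Sam Patel,Ann,Cho,100555,,2024-03-05 14:30
Sam Patel,Lee,Grant,100901,Referral,2024-03-06 02:47
Kim Ortiz,Raj,Singh,100312,Chart prep,2024-03-06 09:20
"""

NO_REASON = "no search reason given"
OFF_HOURS = "search outside normal hours"
BAD_TIME = "unparseable search time"
NOT_ON_ROSTER = "user not on current roster"
SAME_SURNAME = "patient shares searcher's surname"
NOT_OUR_PATIENT = "patient not linked to practice physicians"


def _cell(row, key):
    """Read one column as a stripped string, tolerating short rows."""
    return (row.get(key) or "").strip()


def review_global_search(csv_text, roster, practice_mrns,
                         day_start=time(7, 0), day_end=time(19, 0)):
    """Return [(row_number, user, [flags])] for rows that need a human look.

    roster        -- user names confirmed current (e.g. from A - Active Users)
    practice_mrns -- MRNs of patients tied to physicians in the group/practice
    """
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for n, row in enumerate(reader, start=1):
        user = _cell(row, "User Name")
        flags = []

        # Objective 2: every search carries a reason.
        if not _cell(row, "Search Reason"):
            flags.append(NO_REASON)

        # Objective 1: unusual time of day.
        try:
            when = datetime.strptime(_cell(row, "Search Date/Time"),
                                     "%Y-%m-%d %H:%M")
            if not (day_start <= when.time() < day_end):
                flags.append(OFF_HOURS)
        except ValueError:
            flags.append(BAD_TIME)  # never silently skip a row we cannot read

        # Objective 1: searches by users who are not on the current roster.
        if user not in roster:
            flags.append(NOT_ON_ROSTER)

        # Objective 1: possible family-member lookup (a surname match is a hint,
        # not proof, so it only queues the row for review).
        surname = user.split()[-1].lower() if user else ""
        if surname and surname == _cell(row, "Patient Last Name").lower():
            flags.append(SAME_SURNAME)

        # Objective 3: patient should belong to a physician in the practice.
        # Searches made without an MRN cannot be checked this way.
        mrn = _cell(row, "MRN")
        if mrn and mrn not in practice_mrns:
            flags.append(NOT_OUR_PATIENT)

        if flags:
            findings.append((n, user, flags))
    return findings


if __name__ == "__main__":
    roster = {"Dana Reyes", "Sam Patel"}
    mrns = {"100234", "100777", "100555", "100312"}
    for finding in review_global_search(SAMPLE_EXPORT, roster, mrns):
        print(finding)
```

Every flagged row still needs the reviewer's judgement; the script only orders the work.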

A - Practice Physicians

Report providing a list of all physicians having results routed to the group/practice. Lists physician information including the following details:

  • Name
  • ID
  • Status (active, inactive)

Objective: Review the report to identify physicians who should not have results routed to the group/practice.

Action: Send an email to Cerner Support indicating physicians to remove from results routing for the group/practice.

System Available Email

In the enhanced PUAR workflow a system available email is sent to all active group/practice users, regardless of configured role, when access to full system functionality is restored following a lock out. The email is sent when an authorized administrator for the group/practice runs the last required report.

A - Audit Report History Report 

The A - Audit Report History report returns a list of groups/practices and indicates if they are current or overdue in running required audit reports. 

  • The latest columns added to the A - Audit Report History report are described below:

    • Grace Period Days Remaining: The number of days left in the grace period when the report is in an overdue status. This value is calculated using system setting C-Number of Days for Audit Report Grace Period.
    • Days Until Due: The number of days left until reports are due to be run again when the report is in a current status. This value is calculated using system setting C-Maximum Number of Days Between Audit Report Checks.
    • Authorized Users: The first and last name of all users responsible for running audit reports as part of the PUAR workflow. An authorized user is any user who is associated with the practice and is assigned the Reports-AuditAttestationAccess system authorization.
    • User Email: The email address associated with each authorized user.
    • User Phone: The phone number associated with each authorized user. If their phone number is not in the system, Not Available is displayed.

 

  • The latest columns modified on the A - Audit Report History report are described below:  

 

Column Name: Modification Description

Status: Now the three values for Overdue status are:

  • Overdue: The reports are overdue and system setting C-Enforce Audit Report Check (N/Y) is set to N.
  • Overdue – Within Grace Period: The reports are overdue, days still remain within the configured grace period, and system setting C-Enforce Audit Report Check (N/Y) is set to Y.
  • Overdue – Locked Out: The reports are overdue, zero days remain in the configured grace period, and system setting C-Enforce Audit Report Check (N/Y) is set to Y.

Previously the Overdue – Outside Grace Period status indicated the grace period was used when the reports were not enforced, meaning when system setting C-Enforce Audit Report Check (N/Y) was set to N. However, the grace period is not used in this scenario. The Overdue – Outside Grace Period status now is renamed Overdue.

Date Last Attested: Now a value is displayed in this column independent of the value in the Status column. Previously a value was displayed in this column only when the Status column had a value other than Current.

User Last Attested: Now a value is displayed in this column independent of the value in the Status column. Previously a value was displayed in this column only when the Status column had a value other than Current.

Audit Report Review Frequently Asked Questions

Below are audit report review frequently asked questions (FAQs) that may be applicable to your organization's implementation of this feature. They are particularly relevant if your organization designated the Active Users, Practice Physicians, or Global Search Report as a required audit report. It is possible that these FAQs do not apply to you and how your organization is using the audit report check feature.  

- I was notified by the system that I am required to run audit reports. What do I do with the reports? Do I save them? Send them to someone?
- What does it mean when user accounts are listed as Inactive, Disabled, Locked Out, or Expired in the Active Users report?
- What if reports list users who are no longer with the group/practice?
- What if my group/practice has users or physicians who are not listed on the Active Users report?
- Why is the same physician listed multiple times on the Practice Physicians Report?
- What if some of my practice physicians are missing from the Practice Physicians Report?
- What do I do with the Global Search Report?
- How do I remove the requirement to run the reports from my user account?

I was notified by the system that I am required to run audit reports. What do I do with the reports? Do I save them? Send them to someone?

As someone who is set up as a group/practice administrator in the system and authorized to participate in the PUAR workflow, you are required to run and review reports to ensure the system is being used according to policy. Improper user access, patient searches, or results routing must be prevented or reported through your organization's compliance channels.

When the designated reports are run, the system tracks that the compliance requirement was met. The requirement is to review the reports and act on items that are out of policy. There is no requirement to print, save, or send the reports. Some groups/practices have large reports to review. In this case, it may be easier to export the report to Excel to review the data.

Note: The Global Search Report contains protected health information (PHI). If you export it to Excel, do not save it in an unencrypted format or on an unencrypted device. Permanently delete or destroy this report promptly after review. 

What does it mean when user accounts are listed as Inactive, Disabled, Locked Out, or Expired in the Active Users report?

The Active Users report provides details about each portal user and their portal account status. Values of Inactive, Disabled, Locked Out, or Expired in the report can help spotlight the accounts of people who may not be active users. Review the Active Users report to identify users who should have their portal access removed because they are in the report but are not members of the group/practice.

See the following table for descriptions of the key columns that can help you identify users who should have their portal access removed:

Column Name: Column Description

Account Status:
  • Active - User can log in using current or temporary password; Active User indicator is set to Y on the System Admin Users page and the Inactive, Disabled, and Locked Out statuses are not in effect for the account
  • Inactive - Active User indicator is set to N on the System Admin Users page or user account expired based on Account Expiration date on the System Admin Users page
  • Disabled - User did not log in for a period of time that exceeds a set threshold, for example, 30, 60, or 90 days, and their account is disabled due to inactivity; User Activity Status is set to Disabled on the System Admin Users page
  • Locked Out - User entered an incorrect password more times than the allowable configured value; User Authentication Lockout is set to Yes on the System Admin Users page

Date of Last System Logon: Date user last logged in, or date temporary password was set up.

Number of Days until Account Disabled Due to Inactivity: Number of days until account is disabled due to inactivity.

Number of Days until Account Expiration: Number of days until account expires. Accounts expire in accordance with HIE settings; contact Cerner Support to extend group/practice user accounts.

Number of Days until Password Expiration: Number of days until password expires. Users with expired passwords are prompted upon next log in to create a new password.

See also: A - Active Users

What if reports list users who are no longer with the group/practice?  

Send an email to Cerner Support and indicate the user accounts to remove.

What if my group/practice has users or physicians who are not listed on the Active Users report?

Follow your health system's established process for requesting new Provider Portal user accounts.

See also: A - Active Users

Why is the same physician listed multiple times on the Practice Physicians report? 

The Practice Physicians report lists all physician IDs assigned to the group/practice for results routing. One physician can have multiple IDs depending on the number of systems sending results to the HIE. Review this report to flag physicians who should not have results routed to your group/practice. Send an email to Cerner Support indicating physicians to remove from results routing for the group/practice.

See also: A - Practice Physicians   

What if some of my practice physicians are missing from the Practice Physicians report?

If the provider has a portal user account but is not in the Practice Physicians report, it is because they are not associated with the practice for results routing. That association occurs only if we receive a request from the health system to assign a provider for results routing. Having user credentials for the Provider Portal does not always mean that a physician will have results routing to a practice location.

If you are unsure why a physician does not have results routing to your practice, contact Cerner Support.

See also: A - Practice Physicians

What do I do with the Global Search Report?

The purpose of the Global Search Report is to check for out-of-policy viewing of patient records. To run the report, you need to specify a date range covering the last 90 days. Look for and review suspicious activity such as searches for VIP or celebrity names, searches for self or family members, searches at an unusual time of day, or viewing by unauthorized or past users. In addition, ensure a legitimate search reason was entered. If suspicious activity is found, report your findings to the compliance contact designated by your health system.

See also: A - Global Search Report
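
When the Global Search Report is large, the checks described above and in the review tips for this report can be applied to an export as a first pass before manual review. The following Python is an added example, not part of the system or its documentation; the column names, user IDs, physician IDs, and usual hours are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names are assumptions for illustration,
# not the real layout of the Global Search Report.
SAMPLE_EXPORT = """Search Time,User ID,User Last Name,Patient Last Name,Physician ID,Search Reason
2024-03-04 10:15,jdoe,Doe,Rivera,P100,Referral follow-up
2024-03-04 02:40,jdoe,Doe,Nguyen,P100,Referral follow-up
2024-03-05 11:05,asmith,Smith,Smith,P100,Chart review
2024-03-05 14:30,asmith,Smith,Patel,P100,
2024-03-06 09:20,former1,Lee,Okafor,P100,Scheduling
2024-03-06 13:45,jdoe,Doe,Kim,P999,Referral follow-up
"""
ACTIVE_USERS = {"jdoe", "asmith"}       # constructed; taken from the Active Users report
PRACTICE_PHYSICIANS = {"P100", "P101"}  # constructed; taken from the Practice Physicians report
USUAL_HOURS = range(7, 19)              # assumed practice hours, 07:00 to 18:59


def review_searches(export_text, active_users, practice_physicians, usual_hours=USUAL_HOURS):
    """Return (file line, user ID, [flags]) for each search that needs manual review.

    Patient names are deliberately left out of the findings so the output
    can be passed to a compliance contact without copying PHI.
    """
    findings = []
    rows = csv.DictReader(io.StringIO(export_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        flags = []
        searched_at = datetime.strptime(row["Search Time"], "%Y-%m-%d %H:%M")
        if searched_at.hour not in usual_hours:
            flags.append("unusual time of day")
        if row["User ID"] not in active_users:
            flags.append("user not on Active Users report")
        if not row["Search Reason"].strip():
            flags.append("no search reason")
        if row["User Last Name"].casefold() == row["Patient Last Name"].casefold():
            flags.append("possible self or family search")
        if row["Physician ID"] not in practice_physicians:
            flags.append("patient not tied to a practice physician")
        if flags:
            findings.append((line_no, row["User ID"], flags))
    return findings


if __name__ == "__main__":
    for line_no, user, flags in review_searches(SAMPLE_EXPORT, ACTIVE_USERS, PRACTICE_PHYSICIANS):
        print(f"line {line_no}: {user}: {', '.join(flags)}")
```

Each flag is a prompt for manual review rather than a finding of misuse; a shared last name, for instance, does not by itself mean a family search.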

How do I remove the requirement to run the reports from my user account?

If you are assigned a group/practice administrator role in the system, you may be authorized and required to run and review audit reports on a regular basis. If you are approved to be relieved of PUAR duties, another group/practice user must be set up in the system to assume the responsibility. Send an email to Cerner Support to request this change.

Copyright Cerner Corporation. All rights reserved.