Audit Controls & Audit Logs
Let’s not forget that the HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires Covered Entities (CEs) and Business Associates (BAs) to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (PHI). It is also a sound business practice!
Why Do We Need Them?
There are several reasons to implement and monitor audit controls. Over the last few weeks I’ve shared several of them; here are two:
- Doctor accessed medical records without authorization AND gave some of that PHI to an ATTORNEY!!
- Nurse viewed 13,000 patients’ medical records without authorization for 15 Months!!
How do you know if, or who, is snooping in your medical records? Audit Logs!
But it doesn’t end there!
It is imperative for CEs and BAs to review their audit trails and logs regularly, particularly after security incidents or breaches, and during real-time operations.
CEs and BAs should review and secure audit logs/trails, and use proper tools to collect, monitor, and review audit logs/trails. But, the HIPAA Security Rule does not identify what information should be collected in an audit log/trail or how often the audit reports should be reviewed.
Each CE & BA must consider their complete and thorough risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities. The majority of information systems provide some level of audit controls with a reporting method, such as audit reports.
These controls are useful for recording and examining information system activity, including the activity of users and applications. It is important to protect your audit logs and trails so that intruders cannot tamper with the audit records, preserving their integrity.
Not safeguarding audit logs and audit trails can allow hackers or insider threats to cover their tracks electronically, making it difficult for CEs and BAs not only to recover from incidents or breaches, but to prevent them before they happen.
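The two points above, recording who viewed which record and keeping the log itself tamper-evident, can be demonstrated in a few lines. The following is an added example written for this post, not code from any HIPAA guidance or product: each access event is chained to the previous one with a keyed hash, so editing or deleting a record breaks the chain at a detectable position, and a simple review step flags any account that viewed an unusually large number of distinct patient charts. The key, the user names, the patient IDs and the events are all constructed for illustration.

```python
import copy
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed demo key. In practice the key lives with the log collector (or an
# HSM / secrets store), not on the systems that generate the events, so someone
# who edits a record there cannot recompute a valid chain.
LOG_KEY = b"demo-audit-log-key-not-for-production"
GENESIS = "0" * 64


def _digest(prev_hash: str, entry: dict) -> str:
    """Keyed hash over the previous record's hash plus this entry's canonical JSON."""
    payload = prev_hash.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log: list, entry: dict) -> dict:
    """Append an access event, linking it to the previous record."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"entry": entry, "prev": prev_hash, "hash": _digest(prev_hash, entry)}
    log.append(record)
    return record


def verify_chain(log: list) -> int:
    """Return -1 if every record is intact and correctly linked; otherwise the
    index of the first record where the chain breaks (an edited entry, a
    missing predecessor, or a hash recomputed without the key)."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        if record["prev"] != prev_hash or record["hash"] != _digest(prev_hash, record["entry"]):
            return i
        prev_hash = record["hash"]
    return -1


def flag_broad_access(log: list, max_patients: int) -> dict:
    """Review step: users who viewed more distinct patients than max_patients.
    Returns {user: distinct_patient_count} for each flagged account."""
    patients_by_user = defaultdict(set)
    for record in log:
        e = record["entry"]
        if e["action"] == "view":
            patients_by_user[e["user"]].add(e["patient_id"])
    return {u: len(p) for u, p in patients_by_user.items() if len(p) > max_patients}


def tampered_copy(log: list, index: int, patched_entry: dict) -> list:
    """Deep copy of the log with one entry overwritten, used to show detection."""
    altered = copy.deepcopy(log)
    altered[index]["entry"] = patched_entry
    return altered


# Constructed sample events (no real PHI): one clinician who viewed two of their
# own patients, and one account that paged through six different charts.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00Z", "user": "dr_a", "action": "view", "patient_id": "P001"},
    {"ts": "2024-03-01T08:05:00Z", "user": "dr_a", "action": "view", "patient_id": "P002"},
    {"ts": "2024-03-01T08:10:00Z", "user": "nurse_b", "action": "view", "patient_id": "P010"},
    {"ts": "2024-03-01T08:11:00Z", "user": "nurse_b", "action": "view", "patient_id": "P011"},
    {"ts": "2024-03-01T08:12:00Z", "user": "nurse_b", "action": "view", "patient_id": "P012"},
    {"ts": "2024-03-01T08:13:00Z", "user": "nurse_b", "action": "view", "patient_id": "P013"},
    {"ts": "2024-03-01T08:14:00Z", "user": "nurse_b", "action": "view", "patient_id": "P014"},
    {"ts": "2024-03-01T08:15:00Z", "user": "nurse_b", "action": "view", "patient_id": "P015"},
]


def build_sample_log() -> list:
    """Build a chained log from the constructed events."""
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) == -1)
    print("accounts over threshold:", flag_broad_access(log, max_patients=3))
    altered = tampered_copy(log, 3, {**log[3]["entry"], "user": "dr_a"})
    print("first bad record after editing entry 3:", verify_chain(altered))
```

The threshold passed to `flag_broad_access` is a placeholder; a real review would set it from the organization's own risk analysis and role expectations, which is exactly the judgement the Security Rule leaves to each CE and BA. The important design choice is that the keyed hash is computed where the log is collected, not where the events originate, so a compromised workstation or a privileged insider cannot silently rewrite history.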
Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure.
Besides, it is YOUR practice, YOUR patients’, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
For tips like this and more request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter Today.