Audit Controls

Episode 57: Know The Rules! Audit Controls

Understanding the Importance of Audit Controls

The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires Covered Entities (CEs) and Business Associates (BAs) to apply hardware, software, and/or procedural mechanisms that record and examine activity within information systems that contain or use electronic protected health information (ePHI).

Audit controls produce audit reports which work in conjunction with audit logs and audit trails. Audit logs and audit trails assist CEs and BAs in reducing associated risks by:

  • → Tracking inappropriate access
  • → Tracking unauthorized disclosures of ePHI
  • → Detecting performance problems and flaws in applications
  • → Detecting potential intrusions and other malicious activity
  • → Providing forensic evidence during security incidents and breach investigations

It is imperative that CEs and BAs regularly review their audit logs and trails, particularly after security incidents or breaches and during real-time operations. Regular review of information systems activity should promote awareness of any information systems activity that could suggest a security incident or breach. Access to audit trails should be strictly restricted, and should only be accessible by authorized personnel.

According to the National Institute of Standards and Technology (NIST):

  • → Audit logs are records of events based on applications, users, and systems, and audit trails involve audit logs of applications, users, and systems.
  • → Audit trails’ main purpose is to maintain a record of system activity by application processes and by user activity within systems and applications.

Some of the different types of audit trails your practice should consider, including:

Application audit trails – Normally monitors and logs user’s activities in the application. This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.

System-level audit trails – Usually captures successful or unsuccessful logon attempts, logon ID/username, date and time of each logon/off attempt, devices used to logon, and the application the user successfully or unsuccessfully accessed.

User audit trails – Normally monitors and logs user activities in an ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, logon attempts with identification and authentication, along with access to ePHI files and resources.

Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, they expect it to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why would you leave yourself wide open to such risks?

Audit Controls

For tips like this and more request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter Today.