HIPAA Audit Control Requirements Highlighted to CEs by OCR
In recent weeks, a number of HIPAA-covered entities have revealed that employees have been found to have inappropriately accessed the medical records/protected health information of patients.
Two of these cases were noticed when covered entities carried out routine audits of access logs. In both scenarios, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 1 year. One case involved the accessing of a celebrity’s medical records by multiple staff members.
Recently, OCR released its January Cyber Awareness Newsletter, which outlined the importance of implementing audit controls and periodically monitoring application-, user-, and system-level audit trails. NIST defines audit logs as records of events generated by applications, systems, or users, and audit trails as the audit logs of those applications, systems, or users.
Most information systems can record user activity, including successful and failed access attempts, the devices used to sign in, the duration of login sessions, and whether data were accessed.
Audit trails are very useful when security incidents occur, as they can be used to determine whether ePHI was accessed and which individuals were affected. Logs can be used to track unauthorized disclosures, potential intrusions, and attempted intrusions, and in forensic analyses of data breaches and cyberattacks. Covered entities can also use logs and trails to review the performance of applications and to help identify possible flaws.
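The routine audit-log review described above, in which the two inappropriate-access cases were caught, can be illustrated with a small reviewer script. The following is an added example written for this page, not code from OCR, NIST, or any covered entity; the log format (comma-separated `timestamp,user,patient_id,action,outcome`), the sample lines, the `FLAGGED_PATIENTS` set, and the thresholds are all constructed assumptions. It reads an access log and surfaces three things a privacy officer would triage: a user viewing an unusual number of distinct patient records, any access to records marked for heightened scrutiny (the celebrity-record scenario), and repeated failed logins.

```python
"""Routine review of an EHR access log (added example for this page).

Assumptions (not from the original article):
  * Each audit log line is comma-separated: timestamp,user,patient_id,action,outcome
    with "-" as the patient_id for events such as logins that touch no record.
  * FLAGGED_PATIENTS holds record IDs the privacy office has marked for
    heightened scrutiny (e.g. a high-profile patient).
  * review_access_log() only reports findings; it blocks or alters nothing.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for the example (not real data).
SAMPLE_LOG = """\
2017-01-09T08:01:10,nurse_a,P1001,view,success
2017-01-09T08:03:42,nurse_a,P1001,update,success
2017-01-09T08:10:05,clerk_b,P2001,view,success
2017-01-09T08:11:07,clerk_b,P2002,view,success
2017-01-09T08:11:30,clerk_b,P2003,view,success
2017-01-09T08:12:01,clerk_b,P2004,view,success
2017-01-09T08:12:20,clerk_b,P2005,view,success
2017-01-09T08:12:44,clerk_b,P2006,view,success
2017-01-09T09:00:00,nurse_c,P9999,view,success
2017-01-09T09:00:30,dr_d,P9999,view,success
2017-01-09T22:15:00,contractor_e,-,login,failure
2017-01-09T22:15:20,contractor_e,-,login,failure
2017-01-09T22:15:45,contractor_e,-,login,failure
2017-01-09T22:16:10,contractor_e,-,login,failure
"""

FLAGGED_PATIENTS = {"P9999"}  # assumption: records under heightened scrutiny


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, outcome = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
            "outcome": outcome,
        })
    return events


def distinct_patients_per_user(events):
    """Map each user to the set of patient records they successfully touched."""
    seen = defaultdict(set)
    for e in events:
        if e["patient"] != "-" and e["outcome"] == "success":
            seen[e["user"]].add(e["patient"])
    return seen


def review_access_log(text, bulk_threshold=5, failed_login_threshold=3,
                      flagged=FLAGGED_PATIENTS):
    """Return a dict of findings for a reviewer to triage."""
    events = parse_log(text)
    findings = {"bulk_access": {}, "flagged_record_access": [], "failed_logins": {}}

    # 1. Users touching an unusual number of distinct patient records.
    for user, patients in distinct_patients_per_user(events).items():
        if len(patients) >= bulk_threshold:
            findings["bulk_access"][user] = len(patients)

    # 2. Any successful access to a record flagged for heightened scrutiny.
    for e in events:
        if e["patient"] in flagged and e["outcome"] == "success":
            findings["flagged_record_access"].append((e["user"], e["patient"], e["action"]))

    # 3. Repeated failed logins per user.
    failures = defaultdict(int)
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            failures[e["user"]] += 1
    findings["failed_logins"] = {u: n for u, n in failures.items() if n >= failed_login_threshold}
    return findings


if __name__ == "__main__":
    for category, hits in review_access_log(SAMPLE_LOG).items():
        print(category, hits)
```

The thresholds are deliberately parameters: the article notes that the Security Rule leaves review frequency and the choice of logged data elements to the covered entity's risk analysis, so the values a real deployment uses should come from that analysis rather than from this example. Because the script reads the log rather than writing it, it can be run under a read-only account, which is in keeping with OCR's reminder that access to audit trails be restricted to authorized personnel.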
OCR stated that recording data such as these, and reviewing audit logs and audit trails, is an obligation under the HIPAA Security Rule (45 C.F.R. § 164.312(b)).
The HIPAA Security Rule requires covered entities to record audit logs and audit trails for review, although the legislation does not list which data should be collected. The greater the variety of information collected, the more thoroughly security incidents can be reviewed. However, covered entities should carefully assess and decide which data elements are saved in logs: it is quicker and simpler to review audit logs and trails that contain only relevant data.
The HIPAA Security Rule does not specify how often covered entities should review user activity; this is left to the discretion of the covered entity. Information obtained from audit logs and trails should be reviewed ‘regularly’.
A covered entity should calculate the frequency of reviews based on the outcomes of their risk analyses. Organizations should also consider organizational factors such as their technical infrastructure and hardware/software capabilities when deciding the review period.
OCR also says that a review of audit logs and trails should be completed after any security incident, such as a suspected breach, although reviews should also take place during real-time operations. Because audit logs can be tampered with, OCR reminds covered entities that “Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.”