In the January, 2017 edition of the OCR Cyber Newsletter (PDF), OCR gives guidance to what is required from Covered Entities and Business Associate regarding auditing / monitoring of access to PHI.
Covered Entities and Business Associates should make sure that they appropriately review and secure audit trails, and they use the proper tools to collect, monitor, and review audit trails. Protecting audit logs and audit trails prevent intruders from tampering with the audit records and protecting their integrity. Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for Covered Entities and Business Associate to not only recover from breaches, but to prevent them before they happen.
OCR makes it clear that auditing of access to PHI is required under the HIPAA Security Rule
The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). The majority of information systems provide some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity which also includes users and applications activity.
Some examples of audit trails include:
Application audit trails – Normally monitor and log user activities in the application. This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.
System-level audit trails – Usually capture successful or unsuccessful log-on attempts, log-on ID/username, date and time of each log-on/off attempt, devices used to log-on, and the application the user successfully or unsuccessfully accessed.
User audit trails – Normally monitor and log user activity in a ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, logon attempts with identification and authentication, and access to ePHI files and resources.
OCR confirms what many people know about HIPAA, there is no black or white guidance to the implementation of many HIPAA requirements
The HIPAA Security Rule does not identify what information should be collected from an audit log or trail or how often the audit reports should be reviewed. When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities.
And finally, OCR provides questions that organizations need to consider. Unfortunately there is no guidance to what the answers should be.
- What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
- What are the audit control capabilities of information systems with ePHI?
- Do the audit controls implemented allow the organization to adhere to their audit control policies and procedures?
- Are changes or upgrades of an information system’s audit capabilities necessary?