This is the second article of a five-part series that looks at the area of HIPAA law known as “Technical Safeguards.” Technical safeguards are designed to protect electronic Protected Health Information (ePHI) from internal and external risks. Implementation of these safeguards is required by law, and helps you avoid costly fines. In this brief article, we address “Audit Control” [Standard §164.312(b)].
If you were asked to produce an audit trail of everyone who accessed your patient data, could you generate the report immediately?
What is the “Audit Controls” Standard?
The Audit Controls standard requires a covered entity to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.”
What does that mean?
You must be able to produce a detailed audit trail of all user access and activity surrounding ePHI.
An audit trail is a report that tells you who accessed which data, and when it was accessed.
The report includes digital certificates to verify users. A digital certificate is an electronic password used to authenticate that a user is who he or she claims to be.
How do you implement the Audit Controls safeguard?
- Implement monitoring systems that track user activity on your computers.
By monitoring system activity, you’ll be able to determine if a security violation occurred, and produce electronic logs of all user activity.
- Create an audit and accountability policy for your staff.
In it, address roles, responsibilities, management commitment, implementation, and compliance with the regulation.
- Stay up-to-date on security-relevant events at your office.
Identify—and periodically review and update—key audit events, and events significant to the security of information systems and the environments they operate in.
Examples of key audit events include activities that create, store, and transmit ePHI.
- Keep reports at least 6 years.
Store full logs for a minimum of 6 years. Some organizations may choose to keep their documentation longer based on state law, requirements of accreditation organizations, or other business reasons (Regulation §164.316(b)(2)(i)).
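As an added example (not part of the original article), the following Python builds the audit trail described above from constructed sample log lines: who accessed which patient's ePHI, what they did and when, and which records have passed the 6-year retention window. The JSON log format, field names and the patient and user ids are assumptions made for illustration.

```python
"""Build a HIPAA-style audit trail from ePHI access logs (constructed example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample log lines: one JSON record per event, as a monitoring
# system might write them. Patient and user ids are fictitious.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:03Z", "user": "dr.lee", "action": "read", "patient": "P-1001", "system": "ehr"}
{"ts": "2024-03-01T09:15:40Z", "user": "dr.lee", "action": "update", "patient": "P-1001", "system": "ehr"}
{"ts": "2024-03-01T11:02:17Z", "user": "billing.ann", "action": "read", "patient": "P-2002", "system": "billing"}
{"ts": "2024-03-02T08:30:00Z", "user": "nurse.kim", "action": "transmit", "patient": "P-1001", "system": "secure-email"}
{"ts": "2024-03-02T08:31:12Z", "user": "nurse.kim", "action": "login", "patient": null, "system": "secure-email"}
"""

# Key audit events: activities that create, store (read/update/delete) or transmit ePHI.
KEY_ACTIONS = {"create", "read", "update", "delete", "transmit"}
# §164.316(b)(2)(i): documentation must be retained for at least 6 years.
RETENTION = timedelta(days=6 * 365)


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_audit_log(text):
    """Parse one JSON record per line into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in rotated logs
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return events


def audit_trail(events, patient_id):
    """Who touched this patient's ePHI, what they did and when, oldest first."""
    rows = [e for e in events if e["patient"] == patient_id and e["action"] in KEY_ACTIONS]
    rows.sort(key=lambda e: e["ts"])
    return [(e["ts"].isoformat(), e["user"], e["action"], e["system"]) for e in rows]


def eligible_for_disposal(events, now):
    """Events older than the retention window; everything newer must still be kept."""
    return [e for e in events if now - e["ts"] > RETENTION]


if __name__ == "__main__":
    for row in audit_trail(parse_audit_log(SAMPLE_LOG), "P-1001"):
        print(*row)
```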
What it boils down to
Implement a HIPAA-compliant email exchange that automatically logs and audits all required actions and can produce an audit report for HIPAA auditors within minutes of a user session.