Share this article on:
In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients.
Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. Once case involved the viewing of a celebrity’s medical records by multiple staff members.
Late last week, OCR released its January Cyber Awareness Newsletter which explained the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events based on applications, system or users, while audit trails are audit logs of applications, system or users.
Most information systems include options for logging user activity, including access and failed access attempts, the devices that have been used to log on, and the duration of login periods, and whether data have been viewed.
Audit trails are particularly useful when security incidents occur as they can be used to determine whether ePHI access has occurred and which individuals have been affected. Logs can be used to track unauthorized disclosures, potential intrusions, attempted intrusions, and in forensic analyses of data breaches and cyberattacks. Covered entities can also use logs and trails to review the performance of applications and to help identify potential flaws.
OCR confirmed that recording data such as these, and reviewing audit logs and audit trails is a requirement of the HIPAA Security Rule. (45 C.F.R. § 164.312(b)).
The HIPAA Security Rule requires covered entities to record audit logs and audit trails for review, although the types of data that should be collected are not specified by the legislation. The greater the range of information collected, the more thoroughly security incidents can be investigated. However, covered entities should carefully assess and decide on which data elements are stored in logs. It will be quicker and easier to review audit logs and trails if they only contain relevant information.
The HIPAA Security Rule does not specify how often covered entities should conduct reviews of user activities, instead this is left to the discretion of the covered entity. Information gathered from audit logs and trails should be reviewed ‘regularly’.
A covered entity should determine the frequency of reviews based on the results of their risk analyses. Organizations should also consider organizational factors such as their technical infrastructure and hardware/software capabilities when determining the review period.
OCR also points out that a review of audit logs and trails should take place after any security incident, such as a suspected breach, although reviews should also be conducted during real-time operations. Due to the potential for audit log tampering, OCR reminds covered entities that “Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.”