What Are Audit Trails, and Why Are They Important?

If you don’t record and review system activity, hackers or unethical employees can harm your organization without a trace. Therefore, the Office for Civil Rights (OCR) prompts HIPAA-covered organizations to collect, secure, track, and review their system audit trails.

What Are Audit Trails?

As a HIPAA-covered organization, you must put in place hardware, software, and/or mechanisms that create an audit trail. The trail is a recording of your electronic system’s activity. OCR explains the trails your system can leave behind:

  • Application audit trails track and log user activities in the application.
  • System-level audit trails log successful and unsuccessful login attempts.
  • User audit trails track and log user activity in a system.

What Are Audit Controls?

Audit controls generate an activity report, which you use in a system activity review. When you enable audit controls on your systems, you can monitor who accesses them, track unauthorized disclosures, detect potential intrusions, and provide evidence in the case of a security incident or breach. If you don’t have your audit controls enabled, your systems won’t track activity, and you won’t be able to review and detect harmful activity.

Review Audit Logs and Trails

If you’ve enabled audit controls, great! But are you reviewing the reports? Do you know who’s accessing your electronic systems and ePHI?

In February 2017, Memorial Healthcare Systems (MHS) paid a $5.5 million settlement for potential HIPAA violations. MHS employees had been accessing and disclosing information to other staff members. They had accessed ePHI every day for a year through the login of a former employee. This incident exposed the names, dates of birth, and SSNs of 80,000 individuals. How did this go on for so long? MHS had failed to review their system’s activity records.

Therefore, you must both enable audit controls and regularly audit the reports themselves. Make sure staff members cannot disable audit controls. Furthermore, only allow authorized individuals to access audit trails and reports.
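
The kind of review that would have surfaced the former-employee login described above can be automated. The following is an added example, not code from OCR or HIPAAtrek: it cross-checks an audit trail against an HR roster and reports accounts that are active after their termination date or are not on the roster at all. The log format, roster, and account names are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: account -> termination date (None means still employed).
ROSTER = {
    "asmith": None,
    "bjones": date(2016, 3, 31),
    "cnguyen": None,
}

# Constructed audit trail, one event per line: timestamp,user,event,result,resource
AUDIT_LOG = """\
2016-03-30T08:02:11,bjones,login,success,-
2016-03-30T08:05:40,bjones,view_record,success,patient/1001
2016-04-04T07:58:03,bjones,login,success,-
2016-04-04T08:01:27,bjones,view_record,success,patient/1002
2016-04-05T07:59:45,bjones,login,success,-
2016-04-05T08:03:10,bjones,view_record,success,patient/1003
2016-04-05T09:15:00,asmith,view_record,success,patient/1003
2016-04-05T09:20:31,dlee,login,failure,-
"""

def review(log_text, roster):
    """Return per-account findings for activity a reviewer should question."""
    hits = defaultdict(lambda: {"reason": "", "events": 0, "days": set(), "resources": set()})
    for ts, user, _event, _result, resource in csv.reader(log_text.splitlines()):
        day = datetime.fromisoformat(ts).date()
        if user not in roster:
            reason = "account not in roster"
        elif roster[user] is not None and day > roster[user]:
            reason = "activity after termination"
        else:
            continue  # active employee or activity before the termination date
        finding = hits[user]
        finding["reason"] = reason
        finding["events"] += 1
        finding["days"].add(day)
        if resource != "-":
            finding["resources"].add(resource)  # records touched, for breach scoping
    return dict(hits)

if __name__ == "__main__":
    for user, f in sorted(review(AUDIT_LOG, ROSTER).items()):
        print(f"{user}: {f['reason']}; {f['events']} events on {len(f['days'])} day(s); "
              f"records: {sorted(f['resources']) or 'none'}")
```

The number of distinct days per flagged account shows how long the access has persisted, and the resource set gives a starting list of affected records.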

To learn how the HIPAAtrek platform can help you manage your HIPAA compliance program, contact us at support@hipaatrek.com.
