If you don’t record and review system activity, hackers or unethical employees can harm your organization without a trace. Therefore, The Office for Civil Rights (OCR) prompts HIPAA-covered organizations to collect, secure, track, and review their system audit trails.
What Are Audit Trails?
As a HIPAA-covered organization, you must put in place hardware, software, and/or mechanisms that create an audit trail. The trail is a recording of your electronic system’s activity. OCR explains the audit trails your system can leave behind:
- Application audit trails track and log user activities in the application.
- System-level audit trails log successful and unsuccessful login attempts.
- User audit trails track and log user activity in a system.
What Are Audit Controls?
Audit controls generate an activity report, which you use in a system activity review. When you enable audit controls on your systems, you can monitor who accesses it, track unauthorized disclosures, detect potential intrusions, and provide evidence in the case of a security incident or breach. If you don’t have your audit controls enabled, your systems won’t track activity, and you won’t be able to review and detect harmful activity.
Review Audit Logs and Trails
If you’ve enabled audit controls, great! But are you reviewing the reports? Do you know who’s accessing your electronic systems and ePHI?
In February 2017, Memorial Healthcare Systems (MHS) paid a $5.5 million settlement for potential HIPAA violations. MHS employees had been accessing and disclosing information to other staff members. They had accessed ePHI every day for a year through the login of a former employee. This incident exposed the names, dates of birth, and SSNs of 80,000 individuals. How did this go on for so long? MHS had failed to review their system’s activity records.
Therefore, you must both enable audit controls and regularly audit the reports themselves. Make sure staff members cannot disable audit controls. Furthermore, only allow authorized individuals to access audit trails and reports.