What Are Audit Trails, and Why Are They Important?


If you don’t record and review system activity, hackers or unethical employees can harm your organization without leaving a trace. That is why the Office for Civil Rights (OCR) prompts HIPAA-covered organizations to collect, secure, track, and review their system audit trails.

What Are Audit Trails?

As a HIPAA-covered organization, you must put in place hardware, software, and/or mechanisms that create an audit trail. The trail is a recording of your electronic system’s activity. OCR explains the trails your system can leave behind:

  • Application audit trails track and log user activities in the application.
  • System-level audit trails log successful and unsuccessful login attempts.
  • User audit trails track and log user activity in a system.

What Are Audit Controls?

Audit controls generate an activity report, which you use in a system activity review. When you enable audit controls on your systems, you can monitor who accesses them, track unauthorized disclosures, detect potential intrusions, and provide evidence in the case of a security incident or breach. If your audit controls are not enabled, your systems won’t track activity, and you won’t be able to review and detect harmful activity.

Review Audit Logs and Trails

If you’ve enabled audit controls, great! But are you reviewing the reports? Do you know who’s accessing your electronic systems and ePHI?

In February 2017, Memorial Healthcare Systems (MHS) paid a $5.5 million settlement for potential HIPAA violations. MHS employees had been accessing and disclosing information to other staff members. They had accessed ePHI every day for a year through the login of a former employee. This incident exposed the names, dates of birth, and SSNs of 80,000 individuals. How did this go on for so long? MHS had failed to review their system’s activity records.

Therefore, you must both enable audit controls and regularly audit the reports themselves. Make sure staff members cannot disable audit controls. Furthermore, only allow authorized individuals to access audit trails and reports.
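As an added example (not code from the original post or from HIPAAtrek), here is a small review of a system-level audit trail against HR’s offboarding records, the check that would have surfaced the MHS pattern: successful logins on an account after its owner’s last day. The log format, account names, hosts, and dates are all constructed for the example.

```python
import re
from datetime import date

# Constructed system-level audit trail lines (not real MHS data).
SAMPLE_LOG = """\
2016-04-01 08:02:11 LOGIN_SUCCESS user=jdoe host=ws-nurse-12
2016-04-01 08:05:43 LOGIN_FAILURE user=msmith host=ws-front-03
2016-04-01 08:06:01 LOGIN_SUCCESS user=msmith host=ws-front-03
2016-04-01 09:15:27 LOGIN_SUCCESS user=rjones host=ws-billing-07
2016-04-02 07:58:02 LOGIN_SUCCESS user=rjones host=ws-billing-07
2016-04-02 12:30:00 LOGIN_SUCCESS user=tlee host=ws-lab-02
"""

# Constructed offboarding records from HR: account -> last day of employment.
# tlee's last day is still in the future, so tlee's logins must not be flagged.
TERMINATED = {"rjones": date(2016, 3, 15), "tlee": date(2016, 6, 30)}

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<outcome>LOGIN_SUCCESS|LOGIN_FAILURE) user=(?P<user>\S+) host=(?P<host>\S+)$"
)

def parse_log(text):
    """Parse login events; malformed lines are returned separately, not dropped silently."""
    events, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["date"] = date.fromisoformat(rec["date"])
        events.append(rec)
    return events, malformed

def logins_after_termination(events, terminated):
    """Successful logins on accounts whose owner's last day has already passed."""
    return [e for e in events
            if e["outcome"] == "LOGIN_SUCCESS"
            and e["user"] in terminated
            and e["date"] > terminated[e["user"]]]

def summarize(findings):
    """Per account: first seen, last seen, and number of post-termination logins."""
    summary = {}
    for e in findings:
        first, last, n = summary.get(e["user"], (e["date"], e["date"], 0))
        summary[e["user"]] = (min(first, e["date"]), max(last, e["date"]), n + 1)
    return summary

if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    for user, (first, last, n) in summarize(logins_after_termination(events, TERMINATED)).items():
        print(f"{user}: {n} logins after termination, {first} to {last}")
```

The same review run daily, with the offboarding list fed from HR rather than typed in, turns a year-long pattern into a next-day finding; the malformed-line list is worth reporting too, since gaps in the trail are themselves a review item.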

Being Prepared For Investigations

Are you prepared for a potential investigation?

Don’t wait until the Office for Civil Rights (OCR) comes knocking. Use this checklist to prepare now for potential investigations and gain the confidence that comes from knowing you can prove compliance.

To learn how the HIPAAtrek platform can help you manage your HIPAA compliance program, contact us at support@hipaatrek.com.
