On January 13, 2017, OCR published a Cyber Awareness Newsletter about understanding the importance of audit controls.  OCR stated Covered Entities (CE) and Business Associates (BA) should make sure that they appropriately secure audit trails, and they use the proper tools to collect, monitor, and review those audit trails.  Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to hide their electronic tracks and cause harm to your organization.

The HIPAA Security Rule under the Audit Controls standard, requires the CE and BA to implement hardware, software, and/or procedural mechanisms that record activity in the electronic systems.  Most systems offer some level of audit controls that can provide a report.  OCR explains that application audit trails normally monitor and log user activities in the application.  System-level audit trails capture successful or unsuccessful log-on attempts to include ID/username, date, and time.  Finally, user audit trails monitor and log user activity in an e-PHI system.

Audit controls allow for reviewing inappropriate access, tracking unauthorized disclosures, detecting potential intrusions, and providing forensic evidence during an investigation of security incidents and breaches.  System activity review is a required standard under the rule, but if you don’t have your audit controls enabled on your systems, you won’t have any activity to review, and you can’t protect your organization from nefarious activity.

You may have your audit functions enabled, but the follow up question is “are you reviewing them”?  Are you periodically checking the reports?  Do you know who is accessing your electronic information systems, EHR/EMR, or your e-PHI?   The following case demonstrates what happens if you fail to regularly review records of information systems activity (audit logs and audit trails) on the applications that maintain e-PHI.  On February 16, 2017, Memorial Healthcare Systems (MHS) out of south Florida, paid Health and Human Services (HHS) $5.5 million dollars to settle potential HIPAA violations.  Individuals had their information impermissibly accessed by MHS employees and impermissibly disclosed to an affiliated physician’s office staff.  Specifically, the login credentials of a former employee of the affiliated physician’s office had been used to access the e-PHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.  The information impermissibly accessed consisted of the individual’s names, dates of birth, and social security numbers. HHS found that Memorial Healthcare Systems failed to regularly review records of information system activity on applications that maintained e-PHI.

This recent event demonstrates the importance of having your audit controls enabled and conducting an audit of the reports themselves.  Therefore, ensure the audit controls are enabled, the controls can’t be disabled by your staff, and the reports are being reviewed periodically.  For instance, you may add “Audit Report Review” to your compliance plan so the review is conducted periodically at a frequency that best supports your organization.  One more thing; only authorized individuals should have access to the audit trails and their reports. Use this link to view the full Cyber Awareness Newsletter from OCR:   Newsletter Issue #12 – PDF .   Use this link to view the full $5.5 million settlement against Memorial Healthcare Systems: https://www.hhs.gov/about/news/2017/02/16/hipaa-settlement-shines-light-on-the-importance-of-audit-controls.html