OCR Issues Guidance Emphasizing Importance of Audit Controls

January 16, 2017 David Holtzman

OCR recently published its January Cyber Awareness Newsletter, which provides guidance on how organizations should comply with the audit controls standard. The HIPAA Security Rule (45 CFR 164.312(b)) requires a covered entity or business associate to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). The standard is often overlooked, yet demonstrating compliance with it, and producing evidence of information system activity reviews, is a key feature of OCR's investigations into breaches involving hacking and ransomware incidents.

OCR refers to NIST's An Introduction to Computer Security: The NIST Handbook (NIST SP 800-12), which explains that audit logs are records of events generated by applications, users, and systems, and that audit trails are the chronological sequences of activity assembled from those logs. The main purpose of an audit trail is to maintain a record of system activity, both by application processes and by user activity within systems and applications. Effective audit controls produce audit reports that work in conjunction with the underlying audit logs and audit trails.

Audit logs and trails help covered entities and business associates reduce risk by making it possible to:

  • Review for inappropriate access
  • Track unauthorized disclosures of ePHI
  • Detect performance problems and flaws in applications
  • Detect potential intrusions and other malicious activity
  • Provide forensic evidence during investigation of security incidents and breaches

As part of this process, covered entities and business associates should consider which audit tools can best help them filter non-useful information out of audit records and extract the information that matters for review.
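What "filtering out non-useful information and extracting what matters" looks like in practice is a scripted information system activity review. The following is an added example, not code from the OCR newsletter or from CynergisTek: it parses a hypothetical pipe-delimited EHR access log (the constructed sample lines, the care-team table, the after-hours window and the bulk-browsing threshold are all assumptions made for illustration), collapses repeated screen refreshes as noise, sets service-account activity aside for a separate review, and flags the patterns a reviewer is actually looking for: access to a patient chart with no treatment or payment relationship, after-hours access, and one user browsing many unrelated charts.

```python
from collections import Counter, namedtuple
from datetime import datetime, time

# Constructed sample log lines (not real data) in a hypothetical
# pipe-delimited EHR access-log format: timestamp|user|role|action|patient_id
SAMPLE_LOG = """\
2017-01-10T09:15:02|nurse.jones|RN|VIEW|P1001
2017-01-10T09:15:40|nurse.jones|RN|VIEW|P1001
2017-01-10T09:16:05|nurse.jones|RN|UPDATE|P1001
2017-01-10T10:02:11|dr.smith|MD|VIEW|P1002
2017-01-10T02:47:33|billing.lee|BILLING|VIEW|P1003
2017-01-10T11:30:00|nurse.jones|RN|VIEW|P1999
2017-01-10T11:31:10|nurse.jones|RN|VIEW|P1998
2017-01-10T11:32:20|nurse.jones|RN|VIEW|P1997
2017-01-10T11:33:30|nurse.jones|RN|VIEW|P1996
2017-01-10T11:34:40|nurse.jones|RN|VIEW|P1995
2017-01-10T12:00:00|svc.backup|SYSTEM|EXPORT|P1001
2017-01-10T08:00:00|dr.smith|MD|VIEW|P2000
"""

# Hypothetical care-team table: which users have a treatment or payment
# relationship with which patients. In practice this comes from the EHR.
CARE_TEAM = {
    "nurse.jones": {"P1001"},
    "dr.smith": {"P1002", "P2000"},
    "billing.lee": {"P1003"},
}

# Roles whose routine activity is noise for this review; set aside, not discarded.
SERVICE_ROLES = {"SYSTEM"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local business hours

AccessEvent = namedtuple("AccessEvent", "ts user role action patient")


def parse_log(text):
    """Parse the hypothetical pipe-delimited format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, action, patient = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, action, patient))
    return events


def collapse_repeats(events, window_seconds=60):
    """Noise reduction: keep one event per (user, patient, action) within a
    short window, since repeated screen refreshes add nothing to the review."""
    kept, last_kept = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.patient, ev.action)
        prev = last_kept.get(key)
        if prev is not None and (ev.ts - prev).total_seconds() <= window_seconds:
            continue
        last_kept[key] = ev.ts
        kept.append(ev)
    return kept


def review(events, care_team, bulk_threshold=4):
    """Apply review rules; each finding is (rule, user, detail, timestamp)."""
    findings = []
    unassigned = {}  # user -> patients accessed without a relationship
    for ev in events:
        if ev.role in SERVICE_ROLES:
            continue
        if ev.patient not in care_team.get(ev.user, set()):
            findings.append(("no_treatment_relationship", ev.user, ev.patient, ev.ts.isoformat()))
            unassigned.setdefault(ev.user, set()).add(ev.patient)
        if not (BUSINESS_HOURS[0] <= ev.ts.time() < BUSINESS_HOURS[1]):
            findings.append(("after_hours_access", ev.user, ev.patient, ev.ts.isoformat()))
    # One user opening many unrelated charts is the classic snooping pattern
    # and gets its own, higher-priority finding.
    for user, patients in unassigned.items():
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_chart_browsing", user, f"{len(patients)} unrelated patients", ""))
    return findings


def summarize(findings):
    """Count findings per rule for the review report."""
    return Counter(rule for rule, *_ in findings)


def run_review(log_text=SAMPLE_LOG, care_team=CARE_TEAM):
    raw = parse_log(log_text)
    events = collapse_repeats(raw)
    return raw, events, review(events, care_team)


if __name__ == "__main__":
    raw, events, findings = run_review()
    print(f"{len(raw)} raw events, {len(events)} after noise reduction")
    for rule, user, detail, ts in findings:
        print(f"{rule:26} {user:14} {detail:22} {ts}")
    print(dict(summarize(findings)))
```

Two design points carry over to real tooling: the noise filter is reversible (the raw log is kept and only the review view is collapsed, so the evidence trail is intact), and service-account activity is excluded from this review by an explicit rule rather than dropped at collection time, which is what the risk analysis should decide for each log source.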

The enterprise-wide information security risk analysis that every covered entity and business associate must periodically perform is critical to identifying what information should be collected in audit logs and how often audit reports should be reviewed. During the risk analysis, a covered entity needs to define its reasons for establishing audit trail mechanisms and procedures for the information systems that contain or use ePHI. These reasons may include, but are not limited to:

  • System troubleshooting
  • Policy enforcement
  • Compliance with the Security Rule
  • Mitigating risks of security incidents
  • Monitoring workforce member activities and actions

The OCR newsletter does not address data retention requirements for access logs and audit trails. A good rule of thumb, however, is that organizations should have policies and processes that ensure access logs are retained long enough to be reviewed for inappropriate access or usage, which is the review the Security Rule's information system activity review standard (45 CFR 164.308(a)(1)(ii)(D)) requires. Log files that are evidence of improper access or of a security incident must be retained for the six-year HIPAA documentation retention period. Audit logs and the records of their review must be retained for that six-year period because they are evidence of actions taken to comply with the Security Rule, and the Rule requires that such documentation be kept for six years from its creation or the date it was last in effect, whichever is later (45 CFR 164.316(b)(2)(i)).

If you have questions about performing a system audit or evaluating effective audit controls please contact us at advisory@cynergistek.com.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS "CISA 405-d Workgroup", the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
