Dissecting the HIPAA Security Rule: Proactive Access Monitoring and Auditing Approach
At many organizations, monitoring and auditing of access to protected health information is prompted by a patient complaint or some other event that triggers an investigation. This is reactive, for-cause monitoring and auditing. It is necessary, but organizations should also be doing proactive, not-for-cause monitoring and auditing. Under the HIPAA Security Rule, covered entities and business associates are obligated to have policies and procedures in place to prevent, detect, contain and correct security violations. 45 CFR 164.308(a)(1)(i). The regulations also require covered entities and business associates to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” 45 CFR 164.308(a)(1)(ii)(D). The audit controls standard further requires them to implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). 45 CFR 164.312(b).
Many covered entities do not run a proactive program for monitoring and auditing user access. The problem is even more common among Business Associates (BAs). Those healthcare organizations that do something often find it very difficult to explain why what they are doing is sufficient to meet the requirements of the HIPAA Security Rule.
The regulations do not specify how much monitoring and auditing is enough to satisfy the rule, and the Office for Civil Rights (OCR) has not issued specific guidance on how much is sufficient. The regulatory language does, however, lead to one clear conclusion: doing nothing will not meet the requirements. OCR shared the following recommendations in its January 2017 Cybersecurity Newsletter:
- Any monitoring and auditing plan should be tied to the organization’s risk analysis and organizational factors such as their technical infrastructure, hardware and software security capabilities.
- Regularly review information system activity to promote awareness of any information system activity that could suggest a security incident or breach.
- Implement audit controls that are reasonable and appropriate to record and examine activity in information systems that contain or use ePHI. This means evaluating the audit control capabilities of those systems, confirming that the organization is complying with its own audit control policies and procedures, and assessing whether changes or upgrades to its audit capabilities are necessary.
Evaluating the Audit Control Capabilities of Any New System
Evaluating the audit control capabilities of any new system that will contain or store ePHI is a must. The system should be able to record user activity in enough detail to show which records were opened and closed and whether the user created, read, edited or deleted records containing ePHI, and to attribute each of those events to an individual user account. An organization that implements a system lacking these capabilities will find it virtually impossible to meet the regulatory requirements, because there will be nothing meaningful to review.
Evaluating the Organization’s Risk Assessment and Environment
Understanding the organization’s major risks, as identified in its risk assessment, and the overall environment in which it operates is key to designing an appropriate proactive access monitoring and auditing program.
- Organizations that treat a large number of high-profile individuals are at risk of employees snooping in those patients’ records.
- Employees looking at the medical records of co-workers or family members is a risk for most organizations, and an environmental factor that increases this risk is operating in a smaller, close-knit community where workforce members and patients are more likely to know one another.
Choose the proactive program that best fits the organization’s risk analysis and risk mitigation strategy. Train workforce members to access ePHI only when it is necessary to perform their job functions. Recognize that even with training there is always a risk of employees engaging in compassionate or malicious snooping, or even criminal conduct such as identity theft. Maintaining compliance and protecting ePHI at an optimal level therefore requires some level of proactive access monitoring and auditing.
If an organization is currently doing nothing, it will need to identify the resources required to implement a proactive monitoring and auditing program. Reviewing access logs is a daunting task when it must be done manually: a mid-sized hospital’s electronic health record can generate millions of access events a month, far more than a compliance team can read. Consideration should be given to technology solutions that correlate those logs with workforce rosters, patient lists and documented treatment relationships so that reviewers see only the exceptions worth investigating. There are multiple such solutions on the market today.
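The following is an added example, not code from the original article or from any particular vendor product, showing the kind of rule logic a proactive review runs over access logs. It works through the two snooping risks described above (co-worker or family member records, and high-profile patients), exempts access that has a documented treatment relationship so that legitimate clinical use does not produce a finding, and flags modifications or deletions of ePHI made outside any such relationship. The audit log lines, the workforce-to-patient mapping, the VIP list, the care-team table and the column layout are all constructed for the example; a real program would join against the organization’s own EHR audit export, HR roster and encounter data.

```python
"""Proactive access review over constructed EHR audit log lines.

All data below is hypothetical and exists only to make the example runnable.
"""
import csv
import io
from collections import namedtuple

# Constructed sample audit log (assumed export format, not any real EHR's):
# timestamp,user_id,user_last_name,patient_id,patient_last_name,action
AUDIT_LOG = """\
2024-03-04T08:02:11,u1001,Nguyen,p5001,Adams,read
2024-03-04T08:05:40,u1001,Nguyen,p5002,Nguyen,read
2024-03-04T09:12:03,u1002,Patel,p9001,Okafor,read
2024-03-04T09:14:55,u1002,Patel,p5003,Brown,update
2024-03-04T10:30:21,u1003,Brown,p5003,Brown,read
2024-03-04T11:01:09,u1004,Lopez,p9001,Okafor,read
2024-03-04T11:45:17,u1001,Nguyen,p9001,Okafor,read
2024-03-04T12:10:44,u1005,Kim,p5001,Adams,delete
2024-03-04T13:00:00,u1001,Nguyen,p5003,Brown,read
"""

# Constructed reference data the review joins against (hypothetical).
# Workforce members who are also patients: user_id -> their own patient_id.
EMPLOYEE_PATIENT_IDS = {"u1003": "p5003"}
# Patients the organization has designated as high-profile.
VIP_PATIENTS = {"p9001"}
# Documented treatment relationships: patient_id -> users on the care team.
CARE_TEAM = {
    "p5001": {"u1001"},
    "p5003": {"u1002"},
    "p9001": {"u1002", "u1004"},
}

Finding = namedtuple("Finding", "timestamp user_id patient_id action reason")

LOG_FIELDS = ["timestamp", "user_id", "user_last_name",
              "patient_id", "patient_last_name", "action"]


def parse_log(text):
    """Parse the CSV audit export into a list of dicts keyed by LOG_FIELDS."""
    return [dict(zip(LOG_FIELDS, row))
            for row in csv.reader(io.StringIO(text)) if row]


def review_access(entries, employee_patient_ids, vip_patients, care_team):
    """Apply the proactive review rules and return one Finding per reason."""
    employee_records = set(employee_patient_ids.values())
    findings = []
    for e in entries:
        user, patient = e["user_id"], e["patient_id"]
        # A documented care relationship is the main false-positive filter:
        # access by the treating team is expected and is not reported.
        if user in care_team.get(patient, set()):
            continue
        reasons = []
        if employee_patient_ids.get(user) == patient:
            reasons.append("self_access")          # own record via clinical account
        elif patient in employee_records:
            reasons.append("coworker_record")      # record belongs to a workforce member
        if patient in vip_patients:
            reasons.append("vip_record")           # high-profile patient, no relationship
        if ("self_access" not in reasons
                and e["user_last_name"].lower() == e["patient_last_name"].lower()):
            reasons.append("shared_last_name")     # weak family-member indicator
        if e["action"] in ("update", "delete"):
            reasons.append("modification_without_relationship")
        for reason in reasons:
            findings.append(Finding(e["timestamp"], user, patient, e["action"], reason))
    return findings


def summarize(findings):
    """Count findings per user and reason, the view a reviewer triages from."""
    summary = {}
    for f in findings:
        summary.setdefault(f.user_id, {})
        summary[f.user_id][f.reason] = summary[f.user_id].get(f.reason, 0) + 1
    return summary


if __name__ == "__main__":
    results = review_access(parse_log(AUDIT_LOG), EMPLOYEE_PATIENT_IDS,
                            VIP_PATIENTS, CARE_TEAM)
    for f in results:
        print(f"{f.timestamp} {f.user_id} -> {f.patient_id} [{f.action}] {f.reason}")
    print(summarize(results))
```

Of the nine constructed log lines, four are exempted by the care-team check and five produce findings: a read of a record with a matching surname, a workforce member reading their own record, a read of the high-profile patient by a user with no relationship, a delete outside any relationship, and a read of a co-worker’s record. The shared-surname rule is deliberately weak and exists to prioritise review, not to prove anything; in a small community it will fire often, which is exactly the sort of false-positive cost an organization must weigh against its resources before enabling it.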
Key Factors to Building or Enhancing an Access Monitoring and Auditing Program
- Recognize that doing nothing is not in compliance with the regulatory requirements.
- Minimize false positives, which consume investigative resources on what is ultimately a non-issue; exempting access that has a documented treatment or business relationship is the usual starting point.
- Get the broadest coverage from the proactive assessments that the available resources allow, prioritizing the access patterns the risk analysis identifies as most likely to be abused.
- Educate senior leadership to expect an increase, at least initially, in the number of investigations, in instances where sanctions will be applied, and in breaches reported to OCR and, where applicable, state agencies.
- Educate the workforce to anticipate this as well, including the increased instances in which their access to ePHI may be questioned.
- Anticipate the initial increase in investigations: violations are likely to be identified the first time the organization looks at a particular form of access, such as workforce access to co-workers’ or family members’ ePHI. The key here is planning for temporary resources to handle the surge, whether by adding staff internally or bringing in external help.
The Do Little or Nothing Plan
There are consequences to not having an access monitoring and auditing program. OCR entered into a resolution agreement in which the covered entity was required to pay $5,500,000, and one of the findings was that the organization had failed to implement procedures to regularly review records of information system activity. These requirements have been in place since the Security Rule’s compliance date in April 2005. Every day a covered entity or business associate allows to pass without addressing the requirement increases the risk that security violations go undetected, and it increases the potential civil monetary penalties. In today’s environment, this is not an obligation covered entities and business associates can continue to ignore.