OCR Issues Guidance Emphasizing Importance of Audit Controls

OCR recently published its January Cyber Awareness Newsletter, which provides guidance on how organizations should comply with the audit controls standard. The HIPAA Security Rule (45 CFR 164.312(b)) requires a covered entity or business associate to implement hardware, software, and/or procedural mechanisms that record and examine activity in electronic information systems that contain or use electronic protected health information. Although often overlooked, evidence that an organization complies with the Audit Controls Standard and actually reviews information system activity is a key feature of OCR’s investigations into breaches involving hacking and ransomware incidents.

OCR refers to guidance authored by the National Institute of Standards and Technology (NIST) Guide to Computer Security (NIST SP-800-12), which explains that audit logs are records of events generated by applications, users, and systems, and that audit trails are built from those audit logs. The main purpose of an audit trail is to maintain a record of system activity, both by application processes and by user activity within systems and applications. Effective audit controls produce audit reports that work in conjunction with audit logs and audit trails.

Audit logs and trails assist covered entities and business associates in reducing risk by supporting:

  • Reviewing inappropriate access
  • Tracking unauthorized disclosures of ePHI
  • Detecting performance problems and flaws in applications
  • Detecting potential intrusions and other malicious activity
  • Providing forensic evidence during investigation of security incidents and breaches

As part of this process, covered entities and business associates should consider which audit tools may best help them reduce the non-useful information contained in audit records and extract the useful information.
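The kind of extraction an audit tool performs can be illustrated with a small review script. The code below is an added example, not OCR's or NIST's material: it parses constructed audit log lines in an assumed "timestamp | system | user | action | patient_id" format, checks each access against an assumed care-team assignment table, and flags a user who opens many distinct records within a few minutes, two of the most common signals of inappropriate ePHI access.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system); assumed format: timestamp | system | user | action | patient_id
SAMPLE_LOG = """\
2017-01-10T09:02:11 | EHR | nurse_ann | VIEW | P1001
2017-01-10T09:05:40 | EHR | nurse_ann | VIEW | P1002
2017-01-10T09:30:05 | EHR | dr_bob | VIEW | P1001
2017-01-10T12:15:22 | EHR | clerk_cat | VIEW | P2099
2017-01-10T12:15:51 | EHR | clerk_cat | VIEW | P2100
2017-01-10T12:16:07 | EHR | clerk_cat | VIEW | P2101
2017-01-10T12:16:30 | EHR | clerk_cat | VIEW | P2102
2017-01-10T12:17:02 | EHR | clerk_cat | EXPORT | P2103
"""
# Assumed care-team assignments: which users have a documented reason to open each record.
CARE_TEAM = {
    "P1001": {"nurse_ann", "dr_bob"},
    "P1002": {"nurse_ann"},
}

def parse_audit_log(text):
    """Turn raw log lines into event dicts; skip blank or malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue
        ts, system, user, action, patient = parts
        events.append({"ts": datetime.fromisoformat(ts), "system": system,
                       "user": user, "action": action, "patient": patient})
    return events

def review_access(events, care_team, burst_window=timedelta(minutes=5), burst_threshold=4):
    """Flag two review conditions: an access with no care-team relationship, and one user
    opening at least burst_threshold distinct records inside burst_window (possible browsing)."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["user"] not in care_team.get(e["patient"], set()):
            findings.append(("no_relationship", e["user"], e["patient"], e["ts"].isoformat()))
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= burst_window]
            distinct = {x["patient"] for x in window}
            if len(distinct) >= burst_threshold:
                findings.append(("burst_access", user, len(distinct), start["ts"].isoformat()))
                break  # one burst finding per user is enough for a reviewer to follow up
    return findings
```

Each finding carries the user, record or count, and timestamp so a reviewer can go straight to the underlying audit trail entries.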

The enterprise-wide information security risk analysis that is periodically performed by every covered entity and business associate is critical to identifying the information that should be collected from an audit log and how often the audit reports should be reviewed. During the risk analysis, a covered entity needs to define the reasons for establishing audit trail mechanisms and procedures for its electronic information systems that contain or use electronic protected health information. These reasons may include, but are not limited to:

  • System troubleshooting
  • Policy enforcement
  • Compliance with the Security Rule
  • Mitigating risks of security incidents
  • Monitoring workforce member activities and actions

The OCR blog post on audit controls does not provide guidance on data retention requirements for access logs and audit trails. However, a good rule of thumb is that organizations should have policies and processes that ensure access logs are retained long enough to be reviewed for inappropriate access or usage. Log files that are evidence of improper access or of a security incident must be retained for the six-year HIPAA document retention period. Audit logs must likewise be retained for the six-year document retention period because they are evidence of actions taken to comply with the requirements of the Security Rule.

If you have questions about performing a system audit or evaluating effective audit controls please contact us at advisory@cynergistek.com.

January 16th, 2017

About the Author:

Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.