Audit Control: What This HIPAA Security Rule Technical Safeguard Standard Means

June 9, 2009 · Security

This is the second Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. There is no separately described implementation specification. Rather, this standard's implementation specification is implicit in the language of the standard and is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

Covered entities are required to have in place audit controls to monitor activity on their electronic systems that contain or use electronic protected health information. In addition, they must have a policy in place for regularly monitoring and reviewing audit records to ensure that activity on those electronic systems is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits, and any security incidents.

Monitoring and review of audit trails must be as close to real time as possible to be useful. There is no benefit in discovering a problem days or weeks after it has occurred. How a covered entity sets its policies and procedures will be based on outcomes of the covered entity’s risk analysis. If a security incident occurs, failure to exercise this audit control standard may be proof in an inquiry that a covered entity had the capability of knowing what was occurring, but failed to exercise timely corrective action.

Tags: 2009, 2010, American Recovery and Reinvestment Act, ARRA, audit control, audit records, business associate, corrective action, covered entity, electronic protected health information, electronic systems, February 17, HIPAA Administrative Simplification, HIPAA Security Rule, HITECH Act, implementation specification, logoffs, logons, President Obama, required, Risk Analysis, security incident, Technical Safeguard Standard