This is the second Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. There is not a separately described implementation specification. Rather, this standard’s implementation specification is connoted in the language of the standard and is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
Covered entities are required to have in place audit controls to monitor activity on their electronic systems that contain or use electronic protected health information. In addition, they have to have a policy in place for regularly monitoring and reviewing of audit records to ensure that activity on those electronic systems is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits, and any security incidents.
Monitoring and review of audit trails must be as close to real time as possible to be useful. There is no benefit in discovering a problem days or weeks after it has occurred. How a covered entity sets its policies and procedures will be based on outcomes of the covered entity’s risk analysis. If a security incident occurs, failure to exercise this audit control standard may be proof in an inquiry that a covered entity had the capability of knowing what was occurring, but failed to exercise timely corrective action.