In our series on the HIPAA Administrative Simplification Security Rule, this is the second Technical Safeguard Standard. There is not a separately described implementation specification. Rather, this standard’s implementation specification is connoted in the language of the standard and is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What to Do
A covered entity is required to implement hardware, software, and/or procedural mechanisms that record and examine activity in electronic information systems that contain or use electronic protected health information.
How to Do It
During the risk analysis, a covered entity needs to define the reasons for establishing audit trail mechanisms and procedures for its electronic information systems that contain or use electronic protected health information. These reasons may include, but are not limited to, system troubleshooting, policy enforcement, compliance with the Security Rule, mitigating risks of security incidents, monitoring workforce member activities and actions. With regard to workforce member activities and actions, audit controls might focus on the following:
» Are workforce members accessing information or performing tasks beyond the scope of their job descriptions?
» Are workforce members sharing user IDs, measured by a user logged onto two or more workstations simultaneously?
» Are workforce members logged onto workstations for several days, indicating that users are not logging off? An automatic logoff system may mitigate risk when workforce members leave workstations unattended during the workday, but the better practice at the end of the workday is for the covered entity to have a policy of workforce members taking the responsibility to log off.
In establishing or fine-tuning its policies and procedures with respect to audit controls, a covered entity should focus on the following, under the direction of its Security Official:
» Maintaining a regular and frequent review of audit trails and activity logs for electronic information systems containing electronic protected health information.
» Investigating immediately any suspicious entries such as unauthorized accesses or attempts to access electronic information systems containing electronic protected health information.
» Applying sanctions to workforce members for inappropriate activity related to electronic information systems containing electronic protected health information.
» Determining if workforce members are downloading executable files that may violate software licensing agreements or that may corrupt electronic information systems containing electronic protected health information.
Finally, with the Federal Trade Commission (FTC) Red Flags Rule to protect against identity theft, requiring compliance by covered entities that offer extended payment plans, covered entities need to examine their policies and procedures with respect to this Rule prior to the August 1, 2009 compliance date. Additional information is available on the HIPAA.com site.