HIPAA Compliance

Audit Control: What to Do and How to Do It

June 10, 2009 · Security

In our series on the HIPAA Administrative Simplification Security Rule, this is the second Technical Safeguard Standard. There is not a separately described implementation specification. Rather, this standard’s implementation specification is connoted in the language of the standard and is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

A covered entity is required to implement hardware, software, and/or procedural mechanisms that record and examine activity in electronic information systems that contain or use electronic protected health information.

How to Do It

During the risk analysis, a covered entity needs to define the reasons for establishing audit trail mechanisms and procedures for its electronic information systems that contain or use electronic protected health information. These reasons may include, but are not limited to, system troubleshooting, policy enforcement, compliance with the Security Rule, mitigating the risks of security incidents, and monitoring workforce member activities and actions. With regard to workforce member activities and actions, audit controls might focus on the following:

» Are workforce members accessing information or performing tasks beyond the scope of their job descriptions?
» Are workforce members sharing user IDs, measured by a user logged onto two or more workstations simultaneously?
» Are workforce members logged onto workstations for several days, indicating that users are not logging off? An automatic logoff mechanism may mitigate risk when workforce members leave workstations unattended during the workday, but at the end of the workday the better practice is for the covered entity to have a policy making workforce members responsible for logging off.
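The three questions above are each answerable from an audit trail if the logon, logoff and record-access events are recorded with a timestamp, user ID and workstation. The following script, an added example that is not part of the original post, shows what such a review might look like when automated: it parses a constructed sample log (the format, the user IDs, the workstation names and the role-to-data-category mapping are all assumptions made for illustration) and flags a user logged onto two workstations at once, a session open for longer than a working day, and an access to a data category outside the user's job role.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Fields:
# timestamp user workstation event [resource]
SAMPLE_LOG = """\
2009-06-08T08:01:00 jdoe   WS-101 LOGON
2009-06-08T08:05:00 asmith WS-102 LOGON
2009-06-08T08:10:00 asmith WS-102 ACCESS clinical/chart
2009-06-08T08:30:00 jdoe   WS-107 LOGON
2009-06-08T08:45:00 jdoe   WS-107 ACCESS clinical/chart
2009-06-08T09:10:00 jdoe   WS-107 ACCESS billing/claims
2009-06-08T12:00:00 asmith WS-102 LOGOFF
2009-06-08T17:02:00 jdoe   WS-107 LOGOFF
2009-06-11T09:00:00 jdoe   WS-101 LOGOFF
"""

# Hypothetical job-scope mapping: which top-level data categories each
# user's job description permits. In practice this comes from HR/role data.
ROLE_SCOPE = {
    "jdoe": {"billing"},      # billing clerk
    "asmith": {"clinical"},   # nurse
}


def parse_log(text):
    """Parse log lines into (timestamp, user, workstation, event, resource)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, user, ws, ev = parts[:4]
        resource = parts[4] if len(parts) > 4 else None
        events.append((datetime.fromisoformat(ts), user, ws, ev, resource))
    events.sort(key=lambda e: e[0])  # audit review is done in time order
    return events


def find_concurrent_sessions(events):
    """Flag a LOGON while the same user still has an open session elsewhere,
    the 'shared user ID' indicator from the post."""
    active = defaultdict(set)  # user -> set of workstations currently logged on
    findings = []
    for ts, user, ws, ev, _ in events:
        if ev == "LOGON":
            for other in sorted(active[user]):
                if other != ws:
                    findings.append((user, other, ws, ts))
            active[user].add(ws)
        elif ev == "LOGOFF":
            active[user].discard(ws)
    return findings


def find_long_sessions(events, max_duration=timedelta(hours=24), now=None):
    """Flag sessions longer than max_duration. Sessions still open are
    measured against `now` when it is supplied."""
    start = {}  # (user, workstation) -> logon time
    findings = []
    for ts, user, ws, ev, _ in events:
        key = (user, ws)
        if ev == "LOGON":
            start[key] = ts
        elif ev == "LOGOFF" and key in start:
            duration = ts - start.pop(key)
            if duration > max_duration:
                findings.append((user, ws, duration))
    if now is not None:
        for (user, ws), ts in start.items():
            if now - ts > max_duration:
                findings.append((user, ws, now - ts))
    return findings


def find_out_of_scope_access(events, role_scope):
    """Flag ACCESS events whose data category is not in the user's job scope."""
    findings = []
    for ts, user, _, ev, resource in events:
        if ev != "ACCESS" or resource is None:
            continue
        category = resource.split("/", 1)[0]
        if category not in role_scope.get(user, set()):
            findings.append((user, resource, ts))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_concurrent_sessions(evs):
        print("concurrent logon:", f)
    for f in find_long_sessions(evs):
        print("long session:", f)
    for f in find_out_of_scope_access(evs, ROLE_SCOPE):
        print("out-of-scope access:", f)
```

Each finding is a starting point for the "investigate immediately" step rather than proof of misconduct: a concurrent logon may be a user who forgot to log off before moving rooms, so the reviewer should confirm with the workforce member before any sanction is considered. Running the review daily with a 24-hour threshold, as here, surfaces the multi-day sessions that an automatic logoff mechanism would otherwise be relied on to end.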

In establishing or fine-tuning its policies and procedures with respect to audit controls, a covered entity should focus on the following, under the direction of its Security Official:

» Maintaining a regular and frequent review of audit trails and activity logs for electronic information systems containing electronic protected health information.
» Investigating immediately any suspicious entries such as unauthorized accesses or attempts to access electronic information systems containing electronic protected health information.
» Applying sanctions to workforce members for inappropriate activity related to electronic information systems containing electronic protected health information.
» Determining if workforce members are downloading executable files that may violate software licensing agreements or that may corrupt electronic information systems containing electronic protected health information.

Finally, the Federal Trade Commission (FTC) Red Flags Rule, which protects against identity theft, requires compliance by covered entities that offer extended payment plans; those covered entities need to examine their policies and procedures with respect to this Rule before the August 1, 2009 compliance date. Additional information is available on the HIPAA.com site.
