The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers, clearinghouses, and their business associates to protect the privacy of patients’ Protected Health Information (PHI). This means that these companies must take the necessary steps to make sure they are compliant with HIPAA. One of the technical safeguards in the HIPAA security rule 45 C.F.R. § 164.312(b) is audit trails. As the legislation states, covered entities and business associates are required to “implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
An audit trail system tracks who has accessed data and what was done with it – this helps identify any breaches in security. This blog post will discuss how audit trails work and why they’re essential for complying with HIPAA.
What Is an Audit Trail?
Let’s first demystify the concept of an audit trail. The term originated in accounting, where it referred to a log of all changes made to an account. In the IT world, “audit trail” is used more generally to refer to any type of activity log or data trail that’s accessible later for analysis purposes. In most cases, an audit trail records who has accessed data, the date and time of access, what was done with it, and what changes were made.
According to an IBM study, the average time to detect a data breach in 2020 was 228 days. A Verizon study also found that data breaches in the health care sector increased by 58% in 2020. Unfortunately, a company will only ever detect a small percentage of data breaches. This is because it’s often challenging to detect security breaches while they’re still in progress. This is where an audit trail comes in. Audit trails provide a way to identify and potentially stop any breaches before they do too much damage.
Audit Trails in Healthcare
An audit trail allows the HIPAA Security Officer to establish new ways to safeguard patient data and investigate previous breaches, which contributes greatly to the overall goal of compliance with HIPAA. Therefore, information systems must record and examine activity containing or using electronic protected health information (ePHI).
What Is an Audit Trail in Healthcare?
The HIPAA Security Rule requires that organizations take steps to monitor data access and changes. Audit trails are one way for covered entities, business associates, their subcontractors, and other system users to comply with these requirements. An audit trail is a chronological record of system activities. This allows the organization to monitor who did what, when and where, in a computerized environment.
Which Information Should an Audit Trail in Healthcare Contain?
Creating an audit trail isn’t as complicated as it seems. Below is an overview of the information that an audit log should contain:
- User logins: Tracking user login events is helpful because it can help your organization identify users who are inappropriately accessing data. This may indicate that someone has obtained unauthorized access to a system or network, which could lead to HIPAA violations and fines if not corrected immediately.
- Changes made to databases: Organizations must track changes made in their database systems. This can help with accountability when an audit is performed. Knowing what changes were made, by whom and at what time of day will allow for a thorough review of the incident in question.
- New users added: It’s important to track new user additions because it helps your organization identify issues that arise after people are granted access to systems or networks. For example, if a new user is granted access to patient records and then the same day they leave the company, it could indicate something fishy in the hiring process.
- New users’ access levels: It’s also necessary to track changes made to who has what level of access so your organization can update permissions appropriately when needed.
- Files accessed: Tracking files that user’s access is essential because it helps your organization identify the people who have been accessing certain data. For example, if there’s a breach, knowing what files or parts of an electronic system were compromised will help you determine where to focus your investigation efforts.
- Operating system logs: These can be found in various places but generally monitor file access. This can be especially helpful for organizations that have large databases where changes may not be viewed in the system itself, making it difficult to see what’s being accessed and by whom.
- Firewall logs: Firewalls help protect systems from unauthorized users who try to gain access over a network or internet connection. It’s important to monitor these logs regularly and closely to provide insight into potential security issues.
- Anti-malware logs: Anti-malware programs prevent the installation of malicious software on a computer by scanning all files that come in contact with your network or system for things like viruses, spyware and other types of malware. Anytime a file is blocked, the system records it in an anti-malware log.
Three Steps to Maintain HIPAA Compliance with Audit Trails and Audit Handling
Taking steps to maintain HIPAA compliance includes keeping detailed documentation of your audit trail process. Below are three measures to ensure you effectively use audit trails to maintain HIPAA compliance.
- Detailed audit handling policies and procedures: Your organization must have a clear plan in place that explains how you will handle audits. This includes the process of who, what and when information is logged and any steps that need to be taken after an audit has been completed.
- Regular review of logs: It’s essential to regularly monitor the different parts of your audit trail, especially if there is an event that triggers suspicion. Reviewing these logs can help you identify any red flags or suspicious activity that may need further investigation and address accordingly.
- Educate users: It’s crucial to have a training program in place for new employees about HIPAA regulations and what information must be documented in your audit trail process.
Audit trails are essential to maintaining HIPAA compliance. Without knowing what changes were made and by whom, it’s difficult to determine the cause behind an issue or even know if a security incident occurred.
Keeping detailed documentation of your audit trail will help you identify potential risks and maintain accountability for all users who have access to patient records. For more information on how to get started with audit trails, download our HIPAA eBook.