In recent weeks, several HIPAA-covered entities have reported that employees were discovered to have improperly accessed the protected health information (medical records) of patients.
Two of the most recent cases were discovered when covered entities conducted routine reviews of access logs. In both cases, the employees were found to have improperly accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. One case involved the viewing of a celebrity's medical records by multiple workforce members.
Late last week, OCR released its January Cybersecurity Newsletter, which explained the importance of implementing audit controls and regularly reviewing user-, application-, and system-level audit trails. NIST defines audit logs as records of events generated by applications, users, and systems, and audit trails as the audit logs of applications, users, and systems.
Most information systems include options for recording user activity, including successful and failed login attempts, the devices used to log on, the times and durations of login sessions, and which files were accessed.
Audit trails are particularly useful when security incidents occur, as they can be used to determine whether ePHI has been accessed and which individuals have been affected. Logs can be used to track attempted intrusions, potential intrusions, and unauthorized disclosures, and to support forensic analyses of cyberattacks and data breaches. Covered entities can also use audit trails and logs to assess the performance of applications and to help identify potential errors.
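As an added example (not from the OCR newsletter or the original article), the following Python script performs the kind of routine access-log review described above over a few constructed EHR audit-log lines. It flags successful record views by workforce members who have no treatment relationship with the patient, a single record viewed by many distinct users (the pattern in the celebrity case), views by a non-care-team user that span more than a year (the over-12-months pattern), and denied access attempts. The log format, field names, and the care-team table are assumptions; real EHR audit logs differ by vendor.

```python
"""Review constructed EHR access-log lines for improper ePHI access.

Added example, not part of the OCR newsletter or the original article.
The log format, field names and the care-team table are assumptions made
for illustration; real EHR audit logs differ by vendor.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines: timestamp, user, action, patient id,
# outcome, source device. Not taken from any real system.
SAMPLE_LOG = """\
2023-01-03T09:12:44 jdoe    VIEW  P1001 OK   ws-icu-02
2023-01-03T09:15:10 jdoe    VIEW  P1002 OK   ws-icu-02
2023-01-03T11:40:00 tlee    VIEW  P1001 OK   ws-er-07
2023-01-04T02:05:31 rkim    VIEW  P1001 OK   vpn-home
2023-01-04T02:06:02 mpatel  VIEW  P1001 OK   ws-billing-1
2023-01-04T02:07:49 sgarcia VIEW  P1001 OK   ws-lab-3
2023-01-04T02:09:15 rkim    VIEW  P1001 OK   vpn-home
2023-01-05T08:00:00 jdoe    VIEW  P1003 DENY ws-icu-02
2023-06-18T19:30:12 mpatel  VIEW  P1003 OK   ws-billing-1
2024-06-20T19:31:00 mpatel  VIEW  P1003 OK   ws-billing-1
"""

# Assumed treatment relationships: which workforce members are on each
# patient's care team. In practice this comes from the EHR's encounter
# and scheduling data.
CARE_TEAM = {
    "P1001": {"jdoe", "tlee"},
    "P1002": {"jdoe"},
    "P1003": {"tlee"},
}


def parse_log(text):
    """Parse the whitespace-separated constructed log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, outcome, device = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "patient": patient, "outcome": outcome, "device": device,
        })
    return events


def on_care_team(event, care_team):
    return event["user"] in care_team.get(event["patient"], set())


def find_no_relationship_access(events, care_team):
    """Successful views by users who are not on the patient's care team."""
    return [e for e in events if e["outcome"] == "OK" and not on_care_team(e, care_team)]


def find_crowded_records(events, threshold=3):
    """Patients viewed by at least `threshold` distinct users (the snooping pattern)."""
    viewers = defaultdict(set)
    for e in events:
        if e["outcome"] == "OK":
            viewers[e["patient"]].add(e["user"])
    return {p: sorted(u) for p, u in viewers.items() if len(u) >= threshold}


def find_long_running_access(events, care_team, min_days=365):
    """(user, patient) pairs with no treatment relationship whose views span >= min_days."""
    first_last = {}
    for e in events:
        if e["outcome"] != "OK" or on_care_team(e, care_team):
            continue
        key = (e["user"], e["patient"])
        lo, hi = first_last.get(key, (e["ts"], e["ts"]))
        first_last[key] = (min(lo, e["ts"]), max(hi, e["ts"]))
    return {k: (hi - lo).days for k, (lo, hi) in first_last.items() if (hi - lo).days >= min_days}


def find_failed_access(events):
    """Denied attempts are worth reviewing even though no ePHI was disclosed."""
    return [e for e in events if e["outcome"] != "OK"]


def review(text, care_team=CARE_TEAM):
    """Run all checks and return the findings as plain data for reporting."""
    events = parse_log(text)
    return {
        "no_relationship": [(e["user"], e["patient"], e["device"])
                            for e in find_no_relationship_access(events, care_team)],
        "crowded_records": find_crowded_records(events),
        "long_running": find_long_running_access(events, care_team),
        "failed": [(e["user"], e["patient"]) for e in find_failed_access(events)],
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(finding, items)
```

On the constructed data the review surfaces four non-care-team viewers of P1001 within minutes of each other, one of them from a remote VPN device at 02:00, and a billing user whose views of P1003 span more than a year. The script deliberately consumes only the fields it needs (who, what, when, outcome, device), which is the point made in the newsletter about keeping logs to pertinent data so that reviews stay tractable.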
OCR confirmed that creating logs such as these and reviewing audit logs and audit trails is a requirement of the HIPAA Security Rule (45 C.F.R. § 164.312(b)).
The HIPAA Security Rule requires covered entities to record audit logs and retain audit trails for review, although the types of records that must be collected are not specified by the Rule. The wider the range of information collected, the more thoroughly security incidents can be investigated. However, covered entities must carefully consider and decide which data elements are stored in the logs. Audit logs and trails are easier and faster to review if they contain only pertinent information.
The HIPAA Security Rule does not specify how often covered entities must conduct reviews of user activity; this is left to the discretion of the covered entity. The information collected from audit trails and logs must be reviewed "regularly".
A covered entity should determine the frequency of reviews based on the results of its risk analysis. Organizations must also take into account organizational factors such as their hardware/software capabilities and technical infrastructure when deciding the review period.
OCR also notes that a review of audit trails and logs should take place after any security incident, such as a suspected breach, although reviews should also be conducted during routine, real-time operations. Because of the potential for audit log tampering, OCR reminds covered entities that "access to audit trails should be strictly restricted, and should be provided only to authorized personnel."