In a perfect world, access controls alone would ensure the privacy and security of electronic protected health information (ePHI). However, the complexities of today’s healthcare environment make it extremely challenging to limit access to the minimum information necessary that members of the workforce require in order to perform their jobs.
In smaller organizations and community-based hospitals, employees may perform multiple functions, each of which requires different levels of access. Without having access to specific portions of every patient’s health record, employees’ effectiveness could be significantly inhibited, and patient care and safety could be compromised. Organizations must develop security audits and related policies and procedures to hold members of the workforce accountable for their actions when accessing ePHI through the electronic health record (EHR).
Organizations must perform security audits using audit trails and audit logs that offer a back-end view of system use. Audit trails and logs record key activities, showing system threads of access, modifications, and transactions.
Performance of periodic reviews of audit logs may be useful for:
This Practice Brief identifies and defines the components necessary for a successful security audit strategy. It also outlines considerations for legal and regulatory requirements, how to evaluate and retain audit logs, and the overall audit process.
Legal and Regulatory Requirements
Many regulatory requirements drive how and why security audits are conducted. HIM professionals should consider the following legal and regulatory requirements when developing the organization’s security audit strategy.
HIPAA Security Rule
The HIPAA Security Rule includes two provisions that require healthcare organizations to perform security audits. They are:
Payment Card Industry Data Security Standard
In 2006, the five major credit card companies (American Express, MasterCard Worldwide, Visa Inc., Discover Financial Services, and JCB International) worked collaboratively to create a common industry standard for security known as the Payment Card Industry Data Security Standard (PCI DSS). The standard states that any organization that accepts credit cards for payment may be fined or held liable for losses resulting from a compromised credit card if it lacks adequate security controls.
The standard mandates organizations implement the following audit requirements:
HITECH Act Audit Provisions
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (and finalized in the HITECH Omnibus Rule in January 2013), also includes provisions requiring organizations to conduct audits. In essence, healthcare organizations and third-party payers are expected to monitor for breaches of PHI from both internal and external sources.
Section 164.404(a)(2) of 45 CFR Parts 160 and 164, the “Breach Notification for Unsecured Protected Health Information; Interim Final Rule” (finalized in the HITECH Omnibus Rule), implies that organizations must perform reasonable due diligence by actively auditing and monitoring for PHI breaches. Exercising this due diligence protects organizations in the event that a violation occurs, and it may help to identify violations that would not otherwise have been uncovered.
Meaningful Use Audit Requirements
EHR and electronic medical record (EMR) vendors must demonstrate that their products meet the “technical safeguards” in the HIPAA Security Rule, including audit requirements, in order to become certified through the Office of the National Coordinator (ONC) and participate in the multi-stage “meaningful use” EHR Incentive Program.
Stage 1 of certification criteria for meaningful use, Section 170.302(r), Audit log, requires entities to:
Stage 2 of the meaningful use certification criteria includes section §170.314(d)(3) Audit report(s). This section requires a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards at §170.210(e). The federal government requires vendors to implement appropriate controls and reporting mechanisms. Covered entities are expected to use these controls and reporting mechanisms to monitor the behaviors of their workforce and to prevent unauthorized access and disclosure of ePHI.
Joint Commission’s Privacy and Security Standards
The Joint Commission includes two information management (IM) standards in its manuals that address a healthcare organization’s responsibility to maintain (monitor) privacy and security:
Elements of performance for both of these standards require written policies, the enforcement of those policies, monitoring policy compliance, and monitoring of information to improve privacy, confidentiality, and security.
E-Discovery
Audit log information may also be useful for legal proceedings, such as responding to an electronic discovery or e-discovery request. E-discovery refers to the revisions to the Federal Rules of Civil Procedure and Uniform Rules relating to discovery of electronically stored information, which went into effect December 1, 2006. It also refers to the information that an organization can request and expect to produce in response to litigation, such as audit trails, the source code of a program, metadata, and any other electronic information subject to a motion for compulsory discovery.
Establish Security Audit Strategy and Process
A multidisciplinary team is essential to developing and implementing an effective security audit strategy. At a minimum, the team should include IT, risk management, and HIM. The organization’s designated security official should lead the team in coordination with the designated privacy official.
The team should take the following actions when identifying a strategy and process:
Audit information may also be useful as forensic data and valuable evidence during investigations into security incidents and privacy breaches, especially if sanctions will be applied against a workforce member, business associate, or other contracted agent.
Determining What to Audit
It would be prohibitive to perform security audits on all data collected. Good-faith efforts to investigate the compliance level of individuals educated on privacy and information security issues can be achieved through a well-planned approach. When determining what to audit, healthcare organizations must identify and define “trigger events,” meaning the criteria that will flag questionable access of confidential ePHI and prompt further investigation. Some trigger events will apply across the organization, while others will be specific to a department or unit. Once identified, trigger events should be reviewed on a regular basis, such as annually, and updated as necessary.
Examples of trigger events include employee viewing of the following information:
Those individuals who review the audit logs should evaluate the number of trigger events as well as the system’s ability to log the data desired for such reviews.
Implementing Audit Tools
Certified EHRs that meet the stage 1 or stage 2 meaningful use criteria will also meet health IT audit criteria. The health IT audit criteria may provide enough detail to determine whether unauthorized access into a patient’s record occurred.
These built-in audit logs easily store millions of entries of application transactions. It can be extremely time consuming to search through these detailed logs to find the specific information necessary to conduct an investigation regarding a particular encounter. Analyzing the audit logs also requires specialized skills in reading and interpreting the data. Breaches often go undetected in manual reviews of audit logs due to the sheer volume of data. Conducting manual audits of user access is like the old cliché of “searching for a needle in a haystack.”
To help ensure greater efficiency in audit reviews, many healthcare organizations rely on third-party audit tools that systematically and automatically analyze data and quickly generate reports based on search criteria that match the organization’s audit strategy or defined triggers.
Specialized audit tools can be programmed to:
Third-party tools can be expensive to purchase and install. Up-front costs may include audit software, server and operating system for running the software, and labor costs for installation, training, and modification. In addition, there may be annual licensing and support fees that must be factored into an organization’s operating budget.
Some vendors offer audit tools as software as a service. This eliminates many of the upfront costs because the vendor supplies and owns the necessary hardware and software. The vendor also provides the programming support. Healthcare organizations pay a monthly fee to use the tool, usually through a Web interface.
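As an added example (not from this Practice Brief or from any vendor’s audit product), the following Python screens constructed EHR audit-log entries against a small set of assumed trigger rules of the kind discussed under “Determining What to Audit” (an employee viewing the record of a patient who shares their last name, a coworker, a VIP, or a patient on another unit) and produces the time-bounded, sorted report that an automated audit tool would hand to a reviewer. The log fields, the rule set and the sample entries are all assumptions for illustration; an organization defines its own triggers.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass
class Access:                        # one audit-log entry (assumed field layout)
    ts: datetime                     # when the record was accessed
    user: str                        # workforce member's login
    user_dept: str                   # unit the user is assigned to
    user_last: str                   # user's last name
    patient: str                     # patient record id
    patient_dept: str                # unit treating the patient
    patient_last: str                # patient's last name
    patient_employee: Optional[str]  # login if the patient is also a workforce member
    vip: bool                        # patient flagged as high-profile

def triggers_for(a: Access) -> List[str]:
    """Assumed trigger rules; each organization defines and periodically reviews its own."""
    hits = []
    if a.patient_employee == a.user:
        hits.append("own record")
    elif a.patient_employee is not None:
        hits.append("coworker record")
    if a.user_last.lower() == a.patient_last.lower():
        hits.append("same last name as patient")
    if a.vip:
        hits.append("VIP patient")
    if a.user_dept != a.patient_dept:
        hits.append("outside assigned unit")
    return hits

def audit_report(log: List[Access], start: datetime, end: datetime) -> List[Tuple[Access, List[str]]]:
    """Flagged accesses within [start, end], sorted by time then user for reviewer hand-off."""
    window = sorted((a for a in log if start <= a.ts <= end), key=lambda a: (a.ts, a.user))
    flagged = ((a, triggers_for(a)) for a in window)
    return [(a, h) for a, h in flagged if h]

parse = datetime.fromisoformat  # ISO-8601 text -> datetime
# Constructed sample log entries (not real data).
LOG = [
    Access(parse("2013-03-04T08:05"), "jdoe", "ICU", "Doe", "P001", "ICU", "Smith", None, False),
    Access(parse("2013-03-04T12:41"), "jdoe", "ICU", "Doe", "P002", "ORTHO", "Doe", None, False),
    Access(parse("2013-03-05T09:10"), "mlee", "ED", "Lee", "P003", "ED", "Garcia", None, True),
    Access(parse("2013-03-05T22:30"), "mlee", "ED", "Lee", "P004", "ED", "Lee", "mlee", False),
    Access(parse("2013-02-20T10:00"), "rkim", "LAB", "Kim", "P005", "ICU", "Brown", None, False),
]

if __name__ == "__main__":
    for a, hits in audit_report(LOG, parse("2013-03-01"), parse("2013-03-31")):
        print(a.ts.isoformat(timespec="minutes"), a.user, a.patient, "; ".join(hits))
```

The February entry falls outside the reporting period and the first ICU access hits no rule, so only three accesses reach the department manager for review.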
Determining When and How Often to Audit
Due to a lack of resources, healthcare organizations typically examine their audit trails only when there is a suspected problem. Although this is a common practice, it is definitely not a best practice.
It is crucial for a healthcare organization’s security audit strategy to outline the appropriate procedure for responding to a security incident. However, the strategy must also define the process for the regular review of audit logs. At a minimum, review of user activities within clinical applications should be conducted monthly. It is best to review audit logs as close to real time as possible and as soon as possible after an event occurs. This is especially important for audit logs that could signal an unauthorized access or intrusion into an application or system. Automated audit tools can be helpful for providing near real-time reports.
Department managers and supervisors are in the best position to determine the appropriateness of staff access. Therefore, they should review the audit reports. The healthcare organization’s information security and privacy officials must provide education to the directors, managers, and supervisors who are responsible for reviewing security audit report findings. This ensures that these individuals are equipped to interpret results and determine appropriate access based on defined and approved access permissions.
Presenting Audit Report Findings to the Workforce
If an audit reveals that an employee has potentially inappropriately accessed PHI, the healthcare organization must first notify certain individuals before reporting the findings to the entire workforce. These individuals include a member of human resources or risk management as well as a union representative (if the workforce is unionized) and legal counsel (as appropriate).
Organizations should consider factors such as education, experience, privacy and security training, and barriers to learning (e.g., language) when evaluating workforce actions. Remember that an individual may have had a reasonable explanation for the access, even if the initial review indicates otherwise. For example, a physician may ask a nurse to look up a patient’s lab results as a favor. In addition, organizations should avoid interrogating the workforce member involved in the inappropriate access. Instead, treat the questioning as an inquiry.
Organizations must apply security and privacy audit policies and sanctions consistently and without exceptions. Therefore, organizations should develop and implement graduated sanctions so that the punishment fits the incident. Making exceptions to the policy jeopardizes the trust of the workforce and consumers, and it poses a risk to legal defense. Healthcare organizations leave themselves vulnerable to both individual and class action lawsuits when they do not have a strong and consistent enforcement program. For non-employed physicians, medical staff bylaws may also be used in determining appropriate sanctions.
In conjunction with sanction policies, healthcare organizations must develop and implement strong policies and procedures to address the processing of breaches. These policies and procedures must be compliant with federal and state laws and regulations in the event that any security audit findings indicate that a breach has occurred.
Protecting and Retaining Audit Logs
HIPAA requires covered entities to maintain proof (i.e., documentation) that they conduct ongoing audits. Such documents may include policies, procedures, and past audit reports. This documentation must be retained for six years. State statutes of limitations relative to discoverability and an organization’s records management policies may require that this information be kept longer.
Healthcare organizations must review pertinent regulatory requirements, including applicable federal and state laws, when determining the appropriate retention period for security audit logs. Security and privacy officials should collaborate to establish the most effective schedule for the organization.
There is no HIPAA requirement, standard, or prevailing practice that dictates how long the actual audit logs must be retained. Covered entities and business associates should consider retaining EMR and EHR audit logs for three years because of the length of time it can take for civil cases to proceed. However, proof of compliance with the HIPAA Security Rule (i.e., proof that audit logs are reviewed and that the covered entity has an audit strategy) must be retained for six years.
An organization’s audit strategy should also stipulate the following actions to protect and retain audit logs:
Prevention through Education
Healthcare organizations should reinforce this message to employees: “Just because you can access PHI, doesn’t mean you should access PHI.” Education is a preventive measure that organizations must execute and re-execute to ensure optimal outcomes and the success of a security audit strategy.
To ensure success, organizations should: