Implementing an Audit Program for HIPAA Compliance.ppt

  • Published 2016-05-30 in Guangdong


Implementing an Audit Program for HIPAA Compliance
Mike Lynch
Sue Popkes
Sixth National HIPAA Summit
March 28th, 2003

Why Audit?

  • Both the Final Security and the Final Privacy rule require access on a minimum need-to-know basis.
  • Must be able to demonstrate that system(s) for accessing information meets these standards
  • And that the entity monitors access to verify that unauthorized access is not occurring.

Why Audit?

Section 160.310—Responsibilities of Covered Entities

“A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of Subpart E of Part 164.”

Refer to § 164.530 for discussion.

Definitions

  • The Final Security Rule specifies an information system activity review (Required). “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports”. The terms ‘audit trail’ and ‘audit control’ have been deleted.
  • The Final Privacy Rule says that Health care entities are “required to put in place whatever mechanisms are deemed necessary that would enable the organization to record and examine system activity so that an organization can identify suspect data activity, see if high-risk patterns are present, assess its security program and respond to potential weaknesses”.

Definitions

  • An AUDIT TRAIL can be defined as the result of monitoring each operation on information. “(It) …is a chronological record of activities occurring in the system, created immediately concurrent with the user.” (Source: CPRI Security Guidelines).
  • WEDI defines AUDIT TRAIL as “the result of monitoring each operation on information.”
  • Generally Audit Trail identifies Who (login ID) did What (read-only
