
The HIPAA Compliance Hub
In today's healthcare system, patients don't just entrust their care providers with their health, but with an abundance of sensitive personal data as well. This data can include anything from contact details to payment information and medical records, which, in the hands of bad actors, can lead to identity theft and fraud.
One of the central goals of the Health Insurance Portability and Accountability Act (HIPAA) is to improve the security and confidentiality of patient health records.
HIPAA regulations require covered entities and business associates to maintain the security and privacy of patient data, which includes tracking information system activity and monitoring who accesses patient records, when, and how. This tracking is done through audit logs, which act as system records and are required for HIPAA compliance.
Learn what to include in a HIPAA audit log, why they’re important for your security and privacy programs, tips to help you get started, and other nitty-gritty compliance details below.
The HIPAA Security and Privacy Rules specify that all covered entities and business associates must implement physical, technical, and administrative safeguards to secure protected health information (PHI) and electronic protected health information (ePHI). Those safeguards include maintaining audit logs that record how and when either type of PHI is created, processed, accessed, and/or shared.
HIPAA audit logs are records of system activities: who accessed the network, when, what they did, and what documents or patient data they viewed.
Why would a giant laundry list of system activities be useful for stronger security and privacy? IT administrators and cybersecurity experts can review them to spot trends and anomalies and more effectively manage risks. Proper audit logs help organizations prevent security incidents, detect data breaches quickly, and understand how and why they occurred.
Audit logs also help organizations maintain compliance with HIPAA’s Minimum Necessary Rule, which requires healthcare providers to only access PHI for a specific purpose within their job function. Audit logs establish and track normal access patterns for each employee and business associate. These patterns and trends make it easier to notice anomalies that could indicate when a user is abusing access rights or if an unauthorized user is attempting to access a system, application, or file.
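As an added example (not from the article or Secureframe), the script below applies the idea above to a constructed audit log: it parses access events carrying the fields the article lists (who, when, what action, which patient record), compares each event against a per-user baseline of assigned patient records and normal working hours, and flags the deviations a reviewer would want to see. The log lines, user names, patient ids and baseline values are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit log (not from the article): timestamp,user,role,action,patient_record_id
SAMPLE_LOG = """\
2024-03-04T09:02:11Z,nurse_a,nursing,VIEW,PT-1001
2024-03-04T09:05:42Z,nurse_a,nursing,UPDATE,PT-1001
2024-03-04T09:10:03Z,nurse_a,nursing,VIEW,PT-1002
2024-03-04T09:15:20Z,billing_b,billing,VIEW,PT-1001
2024-03-04T23:41:09Z,nurse_a,nursing,VIEW,PT-2077
2024-03-04T23:42:15Z,nurse_a,nursing,VIEW,PT-2078
2024-03-04T23:43:01Z,nurse_a,nursing,EXPORT,PT-2079
2024-03-04T10:00:00Z,contractor_x,,VIEW,PT-1001
"""

# Constructed baseline of normal access: the records each user needs for their job
# function (minimum necessary) and the hours, [start, end) UTC, each role works.
ASSIGNED_PATIENTS = {"nurse_a": {"PT-1001", "PT-1002"}, "billing_b": {"PT-1001", "PT-1002"}}
WORK_HOURS = {"nursing": (7, 19), "billing": (8, 18)}

def parse_log(text):
    """Parse the CSV-style log into dicts, converting the timestamp to a datetime."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, role, action, patient = line.split(",")
        entries.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                        "role": role, "action": action, "patient": patient})
    return entries

def find_anomalies(entries, assigned=ASSIGNED_PATIENTS, work_hours=WORK_HOURS):
    """Return one finding per entry that deviates from the baseline, listing every reason."""
    findings = []
    for e in entries:
        reasons = []
        if e["user"] not in assigned:
            reasons.append("user has no assigned patients")  # unprovisioned or unknown account
        elif e["patient"] not in assigned[e["user"]]:
            reasons.append("record outside assigned patients")
        start, end = work_hours.get(e["role"], (0, 0))  # unknown role: no hour is normal
        if not start <= e["ts"].hour < end:
            reasons.append("access outside normal hours")
        if reasons:
            findings.append({"user": e["user"], "action": e["action"],
                             "patient": e["patient"], "reasons": reasons})
    return findings

def users_to_review(findings):
    """Count findings per user so a reviewer can prioritise accounts to investigate."""
    return Counter(f["user"] for f in findings)
```

Running `find_anomalies(parse_log(SAMPLE_LOG))` flags the three late-night accesses by nurse_a to unassigned records (one of them an export) and the access by an account with no baseline at all, while the daytime accesses within each user's assigned set pass.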
Audit logs are typically used for:
Audit logs should cover all electronic devices and applications within your healthcare organization's network. This includes computers, mobile devices, databases, internal servers, and cloud applications such as email and file sharing.
HIPAA compliance requires three types of audit logs:
Covered entities and business associates are also required to log specific activities within their audit trails. These include:
Organizations must also keep separate audit logs to record access to paper records and files.
All HIPAA compliance documentation, including audit logs, should be retained for at least six years. However, some states have their own retention requirements that are longer than six years. Healthcare organizations must comply with whichever requirement is stricter.
According to the US Department of Health and Human Services (HHS), logs should be stored in raw format for at least 6-12 months, after which they can be stored in a compressed format.
To help healthcare organizations navigate the safeguards specified in the HIPAA Security Rule, including audit log requirements, the National Institute of Standards and Technology (NIST) released Special Publication 800-66.
NIST 800-66 includes a series of questions organizations can use to guide their approach to creating and maintaining HIPAA-compliant audit logs:
To help you get started, we’ve created a sample audit log populated with key fields to track. The sample also includes a list of HIPAA compliance documentation you may want to store with your audit logs for quick reference, including risk assessments, business associate agreements, and key policies such as an information security policy and privacy policy.
Our security and privacy automation platform makes it easy to determine what ePHI you handle and how it flows through your organization, which is crucial for a strong security and privacy program and continuous HIPAA compliance.
We can also help you evaluate your security safeguards and audit controls, complete a risk analysis, and identify weaknesses to provide a clear picture of your security and privacy posture.
For more information on how Secureframe can help you achieve and maintain HIPAA compliance, request a demo today.