Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

Is an Audit Trail Enough For HIPAA Compliance?

A client posed this question, and I decided it would be a great opportunity to clarify how you communicate securely with your clients when using encrypted email and the like.

When reviewing the capabilities of a file-sharing program with a client, they stated they met HIPAA guidelines for protecting ePHI in transit because they had an audit trail, and the information was encrypted in transit. This makes it HIPAA compliant, right? Well, I saw a slight issue with their solution. All they required initially was the client verifying who they are, and they weren’t requiring the user to set up a name and password for future access. The client’s identity is established in the first step, but there is no future validation process to determine the client is whom they say they are when information arrives.

Here is where a unique username and password requirement to open the communication are essential to protect the information. The initial authentication makes sense. Having the audit trail is valuable, too… but you are trusting that the client is going to be the only person on the computer accessing that communication. What happens if someone else is using the client’s computer and clicks on that information, the client’s email is hacked, re-directed, or someone else finds the unprotected URLs? These scenarios are not that far fetched when you look at the cyber crimes that are happening these days, and unfortunately, you would have a breach on your hands.

Hopefully, we know better than to blindly trust when it comes to HIPAA, right? Trust, but verify, before releasing that information. This is where PASSWORD PROTECTION comes in, and it’s vital to protecting your clients and your company or practice.

Am I Really Going to Get Audited For This?

A few weeks ago I wrote about the recent Connecticut Supreme Court Ruling, which states that HIPAA can be used as a standard of care. This means people have come to expect privacy, and can sue you for unauthorized release of their Protected Health Information (PHI). This also means as a Covered Entity or Business Associate or Subcontractor, that you have a new worry besides HHS and States Attorney Generals… you have the patient or client who is policing you. (Just this week, we received a call from a man complaining of a HIPAA breach who wanted to know if he would get some of the fine if he reported it to HHS.)

Neal Eggeson, the attorney for the woman who sued Walgreens, is quoted saying, “I did not sue Walgreen for violating HIPAA, I sued Walgreen for negligence, but I used HIPAA to prove that Walgreen was negligent. Similarly, I did not sue the pharmacist for violating HIPAA, I sued her for professional malpractice, but I used HIPAA to prove that what she did fell below the commonly-accepted standard for privacy protection.” 1

This means clients expect you to protect their valuable PHI, and they can sue you for mismanagement of this information. Now it’s not just HHS and the Attorney General that can come knocking on your door, this gives your clients and patients incentive to bring civil suits when they feel there information has been compromised. This is why it’s in your best interest to protect PHI with every tool in your toolbox: encrypting those emails, keeping an audit trail of who has been accessing them, and most importantly, PASSWORD PROTECTING that information!

1. The Health Care Blog.” A New Way to Sue Health Care Professionals Using HIPAA? | The Health Care Blog. The Healthcare Blog, 06 Sept. 2013. http://thehealthcareblog.com/blog/2013/09/06/a-new-way-to-sue-health-care-professionals-using-hipaa/.

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)