How to Stay HIPAA Compliant with Audit Logs

Audit Logs

The U.S. Department of Health and Human Services Office for Civil Rights released a cyber newsletter highlighting the importance of HIPAA logging requirements.1 Why are audit controls so important? Logs are a critical – not to mention required – way for your company to monitor activity on your network. Whether this traffic is from an employee or another source, these logs are vital to protecting the information your organization holds. Keeping these logs is an important risk management measure.

On January 18th, a federal grand jury indicted a former MedStar Ambulance paramedic on counts of identity theft and fraud. He altered patient records as part of a scheme to steal narcotics from a local hospital from January 2013 to May 2015.2 The paramedic was finally caught after someone discovered his logs had various irregularities compared to the corresponding hospital records. This incident highlights just how important it is to maintain detailed logs and to monitor regularly. HIPAA log retention is also crucial; if the hospital had not archived the logs, investigators could not have found the incriminating records. HIPAA log retention requirements mandate that entities store and archive these logs.

What HIPAA Security Rule Mandates

45 C.F.R. § 164.312(b) (also known as HIPAA logging requirements) requires Covered Entities and Business Associates to have audit controls in place. These organizations must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI).1 Information systems include all electronic devices and applications used within your company’s network (e.g. smartphones, computers, emails, file sharing application, internal server).

In plain English, HIPAA auditing requirements call for organizations to regularly review network activity and device usage. Whether you are a medical or dental practice, health insurance agency, or an employee of an organization that manages health records, you need to record and review audit logs to stay compliant with HIPAA and protect the information you maintain. Creating a log is not as complicated as it seems. You can follow a HIPAA audit log template for your records.

Your Audit Logs Should Include This Information:

  1. User logging in
  2. Changes to databases
  3. Adding a new user
  4. Giving a user new level of access
  5. Files a user has accessed
  6. Operating System Logs
  7. Firewall logs
  8. Anti-malware logs

This extends beyond your electronic systems. If you use paper files to store information, keep a log of employee access. These logs should also include information about when the files leave the file room. We suggest requiring employees to “sign files out.”

Log repairs to any physical assets. You should also keep track of disposed devices. Make sure you are properly protecting or sanitizing these devices.

Many of the software systems you currently use already have the ability to keep detailed logs of activity. Your IT department should consolidate these logs so they are easy to review.

In the event of a security incident, audit trails and logs should be reviewed as soon as possible. This will help you determine if there is tampering with the information. Outside of cybersecurity incidents, audit trails can help you identify flaws in your network before things go wrong. This process will also help you make sure applications are performing as intended.

How to Maintain Compliance with HIPAA

Keeping detailed logs is the first step toward HIPAA compliance. Consider implementing the following three steps to protect your business. First, create detailed policies and procedures around audit handling. Second, educate staff on changes in procedures. Third, keep up-to-date with regular reviews of audit logs and audit trails.

You should also be prepared to keep these logs for a minimum of 6 years as is required for HIPAA Compliance. These logs should be stored in a raw format for at least six (6) months to one (1) year. After that, you can store these logs in a compressed format.

In conclusion, a HIPAA compliance service (like us) provides helpful guidance on establishing the logs that will help you monitor your network. With the right documents in place, your staff can safeguard PHI from internal and external attempts to compromise the data.

  1. https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf?language=es
  2. http://www.healthcareinfosecurity.com/insider-threat-paramedic-indicted-for-narcotics-theft-a-9654