HIPAA - Audit Controls 164.312(b)


Overview:
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.


Action Items:
1) Obtain and review documentation relative to audit controls. Evaluate whether risk-based audit controls have been implemented over all electronic information systems that contain or use EPHI. Elements to review may include, but are not limited to:
- Identification of the risk-based audit controls over all information systems that contain or use EPHI
- How systems and applications are evaluated to determine whether auditing controls should be implemented
- Identification of which applications and systems will be audited
- Procedures for how systems will be audited
2) Obtain and review documentation demonstrating the implementation of hardware, software and/or procedural mechanisms to record and examine activity. Evaluate and determine whether activity in information systems that contain or use EPHI is being recorded and examined, and whether the activities recorded and examined are appropriate and in accordance with related policies and procedures.


Related Documents:
1) Documentation relative to audit controls
2) Documentation demonstrating the implementation of hardware, software and/or procedural mechanisms to record and examine activity.


Additional Guidance:
Most information systems provide some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity, especially when determining if a security violation occurred.


It is important to point out that the Security Rule does not specify which data the audit controls must gather or how often the audit reports must be reviewed. A covered entity must consider its risk analysis and organizational factors, such as its current technical infrastructure and the security capabilities of its hardware and software, to determine reasonable and appropriate audit controls for information systems that contain or use EPHI.


Sample questions for covered entities to consider:
- What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use EPHI?
- What are the audit control capabilities of information systems with EPHI?
- Do the audit controls implemented allow the organization to adhere to policy and procedures developed to comply with the required implementation specification at § 164.308(a)(1)(ii)(D) for Information System Activity Review?
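As an added example (not part of the original article and not HHS guidance), the following Python script shows what "record and examine activity" can look like in practice. It parses constructed audit records in a hypothetical newline-delimited JSON format that captures who acted, when, what action, which patient record and from where, and then applies three risk-based review rules: a clinical user touching a record outside their assigned patients, an action that moves EPHI out of the system, and a burst of distinct patient records viewed in a short window. The field names, the CARE_TEAM assignments, the role list and the thresholds are assumptions for illustration; a covered entity would derive its own from its risk analysis, as the guidance above requires.

```python
"""Risk-based review of constructed EPHI access-log records (added example).

The log format below is hypothetical, not taken from any real EHR product:
one JSON object per line with the fields an audit control should record.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records. In a real system these would come from
# the EHR or database audit trail that 164.312(b) requires to exist.
SAMPLE_LOG = """\
{"ts": "2022-09-29T08:05:12", "user": "rn_ortega", "role": "nurse", "action": "view", "patient": "P1001", "src": "10.20.1.15"}
{"ts": "2022-09-29T08:07:40", "user": "rn_ortega", "role": "nurse", "action": "view", "patient": "P1002", "src": "10.20.1.15"}
{"ts": "2022-09-29T08:30:01", "user": "dr_kim", "role": "physician", "action": "update", "patient": "P1003", "src": "10.20.2.8"}
{"ts": "2022-09-29T09:12:09", "user": "rn_ortega", "role": "nurse", "action": "view", "patient": "P1003", "src": "10.20.1.15"}
{"ts": "2022-09-29T12:14:55", "user": "reg_patel", "role": "registration", "action": "view", "patient": "P3001", "src": "10.20.3.41"}
{"ts": "2022-09-29T12:15:02", "user": "reg_patel", "role": "registration", "action": "view", "patient": "P3002", "src": "10.20.3.41"}
{"ts": "2022-09-29T12:15:09", "user": "reg_patel", "role": "registration", "action": "view", "patient": "P3003", "src": "10.20.3.41"}
{"ts": "2022-09-29T12:15:20", "user": "reg_patel", "role": "registration", "action": "view", "patient": "P3004", "src": "10.20.3.41"}
{"ts": "2022-09-29T12:15:31", "user": "reg_patel", "role": "registration", "action": "view", "patient": "P3005", "src": "10.20.3.41"}
{"ts": "2022-09-29T17:45:00", "user": "dr_kim", "role": "physician", "action": "export", "patient": "P1003", "src": "10.20.2.8"}
"""

# Hypothetical assignment data: which patients each clinical user currently
# cares for. Roles in CLINICAL_ROLES need a care relationship to access a
# record; other roles are reviewed by the volume rule only.
CARE_TEAM = {
    "rn_ortega": {"P1001", "P1002"},
    "dr_kim": {"P1003"},
}
CLINICAL_ROLES = {"nurse", "physician"}

# Assumed thresholds for the volume rule; tune from the risk analysis.
BULK_THRESHOLD = 5                    # distinct patient records ...
BULK_WINDOW = timedelta(minutes=10)   # ... within this window
ALWAYS_REVIEW_ACTIONS = {"export", "print"}


def parse_log(text):
    """Parse newline-delimited JSON audit records; convert ts to datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def review_ephi_access(records, care_team=CARE_TEAM, clinical_roles=CLINICAL_ROLES,
                       bulk_threshold=BULK_THRESHOLD, bulk_window=BULK_WINDOW):
    """Return a list of (rule, user, detail) findings for a human reviewer."""
    findings = []
    by_user = defaultdict(list)

    for rec in records:
        by_user[rec["user"]].append(rec)

        # Rule 1: clinical user touching a record outside their assigned patients.
        if rec["role"] in clinical_roles and rec["patient"] not in care_team.get(rec["user"], set()):
            findings.append(("no_care_relationship", rec["user"],
                             f"{rec['action']} on {rec['patient']} at {rec['ts'].isoformat()} from {rec['src']}"))

        # Rule 2: actions that move EPHI out of the system are always reviewed.
        if rec["action"] in ALWAYS_REVIEW_ACTIONS:
            findings.append(("ephi_export", rec["user"],
                             f"{rec['action']} of {rec['patient']} at {rec['ts'].isoformat()}"))

    # Rule 3: many distinct patients in a short window (snooping or scraping).
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - start["ts"] <= bulk_window]
            patients = {r["patient"] for r in window}
            if len(patients) >= bulk_threshold:
                findings.append(("bulk_access", user,
                                 f"{len(patients)} distinct patients between "
                                 f"{start['ts'].isoformat()} and {window[-1]['ts'].isoformat()}"))
                break  # one finding per user is enough to trigger review

    return findings


if __name__ == "__main__":
    for rule, user, detail in review_ephi_access(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {user:12} {detail}")
```

Run against the constructed log, the script reports three findings for review: the nurse viewing a patient not on her assignment list, the physician exporting a record, and the registration user viewing five distinct records in under a minute. Authorized accesses (a nurse viewing her own patients, a physician updating his own) produce nothing, which is the point of a risk-based review: the reviewer's time goes to the events that the risk analysis says matter, rather than to every line in the log.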



Article ID: 480
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-audit-controls-164-312-b-480.html