Illuminating a Black Box in Healthcare: Translating HIPAA Auditing Requirements, Access Logs, and System Logs

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, went into effect on February 20, 2003. The Rule, as we all know, is about protecting patient privacy and preventing medical data breaches. It lays out the minimum standards a healthcare organization must meet in order to guard the electronic protected health information (ePHI) of their patients.

A crucial part of being HIPAA compliant is keeping and auditing access and system activity logs. These logs help an organization identify threats to patient privacy and provide an audit trail in the case of a data breach. This post examines what the HIPAA Security Rule says regarding the creation and review of access and system activity logs, as well as looking at how an organization can implement these standards in order to better protect the privacy of their patients. We also try to provide some useful analogies when explaining the HIPAA Security Rule to others.

If you want more information about basic implementation of these standards, and where that fits into the eight stages of a comprehensive privacy monitoring program, download the Protenus Privacy Primer.

HIPAA Auditing Requirements

Let’s begin by looking at what the HIPAA Security Rule itself says about auditing records of information system activity. 45 CFR 164.308 – Administrative safeguards and 45 CFR 164.312 – Technical safeguards are the two particular sections that lay out what a healthcare organization must do in order to meet the HIPAA standards.

Within 164.308, there are two subsections that deal directly with reviewing and auditing system activity:

• 164.308(a)(1)(ii)(D): “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
• 164.308(a)(5)(ii)(C): “Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.”

164.312 has one subsection that outlines the HIPAA requirements regarding reviewing and auditing system activity:

• 164.312(b): “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

There are two main reasons why the HIPAA Security Rule established these requirements. Firstly, the requirements enable organizations to identify threats to ePHI as they are happening so those threats can be eliminated as quickly as possible, and, secondly, these requirements give organizations an audit trail that they can follow in the case of a data breach.

What It All Means – Application Access and System Activity Logs

So, what do these three subsections mean in practical terms for a healthcare organization? The HIPAA Security Rule requires organizations to keep access and system activity logs, including both action and event logs. Moreover, organizations must regularly review those logs in order to ensure that ePHI is not being accessed or changed without proper authorization, either by employees snooping in the EHR or hackers outside of it. This information must also be available in the case of a healthcare breach so that forensic investigators can determine what records were accessed, who accessed those records, and how they accessed them.

The first type of log that HIPAA requires organizations to keep is an application access log. For the EHR, an application access log keeps records of users accessing the medical record through a system like EPIC or Cerner. You can think of the access log like a teacher keeping track of the her classroom. She is monitoring children, if they are using the classroom computer, reading a book, or writing in their journal. She keeps track of students heading to lunch, using a hallway pass, and making sure she knows any adults who walk in through her door. She is making sure that everything is running smoothly and will have records of students logging on to the computer, signing out a hallway pass, submitting homework and more. All these records will be in her “application access log.” Within the EHR, application access logs keep track of who was trying to access ePHI, what ePHI they were trying to access, when they tried to access it, and how they tried to access it. With this information, security, compliance, and privacy officials can determine whether an employee or business associate was trying to access ePHI without authorization (like a student going to the bathroom without permission).

The other type of log that HIPAA requires an organization to keep is a system activity log. Extending our education analogy, think of a system or network activity log as a school custodian or building engineer who is making sure the school doors’ locks are functioning, there are no obstructions in the hallways, the sprinkler system works, the electricity in classrooms is on and safe. The custodian may notice students walking in the hallways, but she may not know that they are heading to lunch or simply to another class (unless part of her job is to know that). A system activity log within a hospital system monitors the infrastructure of the network, not what is going on inside applications like EPIC or Cerner. It records actions – such as changing a network password or downloading a file – as well as events – such as installing a software update – and this information allows security officials to determine if users are accessing the network without proper authorization.

Ongoing Monitoring of Logs is One of the Best Ways to Protect Hospital Medical Records

This information becomes particularly useful in the case of a ePHI breach because it allows healthcare organizations HIPAA violation forensics to reconstruct what happened during the incident. Security officials can determine exactly what records were breached and how they were breached. This, in turn, allows them to notify only those patients whose information was affected, thus limiting the damage and cost of a healthcare data breach.

But, the benefits of recording and reviewing application access and system activity through their respective logs extend far beyond damage control in the case of a breach. Generating logs and performing continuous monitoring of them is an important step that a healthcare organization can take to establish a posture of proactive patient privacy because it helps to create a “culture of responsibility and accountability.” If healthcare organizations are serious about patient privacy, they must be willing to take the appropriate steps to protect their patients’ information.

For a closer look at the different privacy programs available and to see which one is right for your organization, check out Protenus’ Patient Privacy Primer.