Understanding the HIPAA Audit Trail Requirements: Essentials for Compliance

Understanding the HIPAA Audit Trail Requirements: Essentials for Compliance

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to protect consumers’ right to access and control their own protected health information (PHI), including medical records, billing information, and health status. If your organization works with PHI in any capacity, you will need to have a plan. If you’re wondering how to be HIPAA compliant, it requires understanding and following HIPAA audit trail requirements. Each piece of private health data that moves through your organization needs to be tracked and logged to maintain the utmost security and ensure your organization is HIPAA compliant. This article gives a brief background on the three rules of HIPAA, defines audit logs and audit trails, and provides an overview of HIPAA audit trail requirements. 

What Are the 3 Rules of HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is governed by three interconnected rules: the privacy rule, the security rule, and the breach notification rule. 

1. The Privacy Rule

The HIPAA Privacy Rule defines the two types of parties that must abide by HIPAA: covered entities and business associates. The privacy rule prevents covered entities and business associates from disclosing patients’ protected health information (PHI) without their consent or knowledge and provides an overview of patients’ rights regarding their personal medical records, including actions covered entities and business associates must take to make those records easy to access and correct. 

2. The Security Rule

The HIPAA Security Rule defines how to securely share, store, and collect electronic protected health information (ePHI). The security rule includes three types of safeguards that organizations must implement in order to remain HIPAA compliant: physical, technical, and administrative. This rule sets standards for how ePHI is shared via email and mobile systems, housed in servers, and stored in the cloud. The Security Rule includes a special provision on Audit Controls (45 C.F.R. § 164.312(b)) requiring “Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI).” 

3. The Breach Notification Rule

The HIPAA Breach Notification Rule covers the actions that covered entities and business associates must take following a data breach. The rule provides timelines for notifying the OCR and individuals whose PHI has been impacted by the breach, as well as specific actions that organizations must take to resolve the breach and secure their systems. 

What Are Audit Logs and Audit Trails? 

In their January 2017 Cybersecurity Newsletter, HHS defines audit logs and audit trails as follows: 

“According to the National Institute of Standards and Technology (NIST), audit logs are records of events based on applications, users, and systems, and audit trails involve audit logs of applications, users, and systems. Audit trails’ main purpose is to maintain a record of system activity by application processes and by user activity within systems and applications.”

Essentially, audit logs track data related to user activities and any system activities run by automated processes; audit trails track the data stored in audit logs over time, allowing you to monitor changes and alerting you to breaches. 

What Are the HIPAA Audit Trail Requirements?

While covered entities and business associates must maintain clear audit logs and audit trails, the Security Rule doesn’t offer a list of specific information that needs to be tracked. HHS says this is where your own risk assessment plan comes into play; your organizational context, including your current information security system, will determine what information is most important for your organization to track. In general, you should monitor the use and integrity of any system through which ePHI is transmitted or stored. HIPAA audit trail requirements fall under three interconnected categories: the user, the system, and the application. 

1. User Audit Trail Requirements 

It is crucial to keep a clear audit log for each of the users accessing ePHI across your organization. A user audit trail usually includes identifying information about users, log-on events, such as when a user logs onto or off of your system, authentication attempts, and password updates. Review of these logs can give you an early alert to a breach, if a user seems to have anomalous login activity indicating their credentials may have been stolen. 

2. System Audit Trail Requirements 

A system audit trail consists of audit logs of log-on credentials, attempts, and time-stamps. The audit trail also tracks the devices that were used for log-on, IP address, and whether those devices were inside or outside of the organization’s firewall. Regularly monitoring these activity logs will help you determine whether an employee or user is abusing their access or taking actions that might violate HIPAA privacy or security rules. 

3. Application Audit Trail Requirements 

While the system audit trail will record the specific applications your users have accessed, the application audit trail records their activities within each application. Any application that allows a user to access ePHI should be monitored, including when users access and open files containing ePHI, and the creation, revision, and deletion of ePHI records. 

Why Is Having a HIPAA Audit Trail Important? 

Having a HIPAA audit trail allows you to regularly review your information system activity for anomalies and changes, and hopefully to catch security breaches before they occur. Audit trails are part of any good Operational Risk Management (ORM) strategy for organizations that deal with ePHI. Since you will want to actively monitor data, and not just store it away, you should designate one or two members of your IT team to actively monitor your audit logs and trails. However, HHS mandates that access to audit trails be “strictly restricted,” meaning that only those in charge of audits and members of your IT management team directly monitoring data and security should have access to these trails. 

How to Maintain Compliance with HIPAA

If you qualify as a covered entity or business associate under the HIPAA privacy rule, you will benefit from investing in HIPAA compliance across your organization. A risk-based audit approach can help you to ensure that you are compliant across HIPAA rules, including an extra Final Omnibus Rule added in 2008 that outlines stricter criteria regarding the use of ePHI. When it comes to maintaining clear audit trails and audit logs, it can help to automate your audit process. Implementing connected compliance management software can assist you in keeping track of your user, system, and application audit trails — ensuring that your audit logs and trails are regularly monitored, and freeing up your team to isolate anomalies and stop breaches before they happen.