As modern healthcare entities make the move to electronic records and communicate electronically via email, it has become more important than ever to have proper audit trails in place. Audit trails maintain a system of record for all application processes and system activity by individual users. Having audit trails in place allows covered entities to review inappropriate access, detect potential breaches and malicious activity, and provide evidence during investigations.
The HIPAA security rule provision on audit controls requires that covered entities and business associate implement systems that maintain record of all access to PHI (protected health information). Having these systems in place allows for covered entities and business associates to monitor all user application activity involving the creation, editing and deletion of PHI.
Covered Entities and Business Associates should review their audit logs on a regular basis to keep up to date on access to PHI as well as performance issues within system applications.The HIPAA security rule doesn’t indicate what specific information should be collected from an audit trail or at what frequency they should be monitored. Covered Entities and Business Associates need to evaluate the risk and exposure involved with regards to how their PHI is accessed within their applications and implement proper applications as necessary. Some factors to consider when selecting information systems include:
- What levels of security are in place and who has access to view PHI?
- How much traffic are these applications expected to experience on a daily basis?
- Does the application create friction and limit the staff’s ability to serve the patients best interest?