HIPAA Compliance and Audit Controls - What You Need to Know

If you have read the news lately on healthcare and specifically HIPAA, you probably saw references to a recent HIPAA settlement between Memorial Health Systems of Florida and the Department of Health and Human Services (HHS). I’m sure the amount of the settlement caught your attention- a whopping $5.5M! You probably also noticed the reason for the fine: Lack of Audit Controls. With a fine of that caliber, it’s important to know what are the audit controls when discussing HIPAA compliance?

First, it’s important to begin by outlining why audit controls are so important. To do that, we don't need to look any further than the press release issued by HHS. In that release, Robinsue Frohboese, acting director of HHS, stated that access to ePHI must be provided only to authorized users. Makes sense. Then she took it a step further and said a lack of access controls and review of the audit logs makes breaches very difficult to prevent and recover from. 

Now that we have the "why" around audit controls, let's look at how HHS defines "audit controls" and what the rule states:

"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information"

One of the challenges with HIPAA compliance is that it provides a framework from a high level, but, it does not provide any specifics on how to achieve compliance. If you visit the link above to the HHS site, the second sentence clearly states this standard has no implementation specifications. As you continue reading, HHS points out that the security rule doesn't identify what data you should gather or how often you should review that data. Instead, the standard suggests that you use your risk analysis and technical infrastructure to determine appropriate audit controls for these systems. Talk about shades of gray!

The good news is that we can look at past incidents to determine how to implement audit controls for these systems.  Learn from others’ mistakes! Here are a couple of tips on how to reduce your risk of making headlines with a record fine from HHS:

Perform Regular Risk Assessments - For Memorial Health System, they didn't have any audit controls in place for several years, even though they identified this as a risk on their annual risk analysis from 2007 - 2012. If you are going to go through the process of conducting a risk assessment, take the next step and remediate the risks you identify.

Create Audit Log and Review Policies and Procedures - This is a requirement of HIPAA. If you have some spare time, review 45 CFR 164.308(a)(1)(ii)(D) of the administrative code related to HIPAA. It states that organizations are required to "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." If we are using Memorial Health System as the baseline, they didn't do this for a period of 18 months, during which time this breach happened. Create a policy and procedures and enforce them accordingly.

More Often is Better than Less Often - As I mentioned before, HIPAA compliance works in shades of gray. Therefore, I cannot tell you how often to review your audit and access control logs. What I can tell you is that you should review them on a regular basis. Memorial Health Systems didn't and it cost them $5.5M. When you combine this with the importance that HHS is putting on audit controls, more often is better than less often.

I know that HIPAA compliance can be daunting and confusing for any organization. We see it all the time with our clients. The good news is that we can help. If you have any questions around audit controls and HIPAA compliance in general, contact us to see how we can assist!