Guest author: Roman Diaz, Touchstone Compliance, June 2015
I'm going to talk a little bit today about audit trails — sometimes called "audit logs" — and the vital role they can play in your ongoing efforts to keep Protected Health Information (PHI) safe, your workforce honest, and hackers at bay.
According to Fundamentals of Law for Health Informatics and Information Management, an audit trail is basically a "record that shows who has accessed a computer system, when it was accessed, and what operations were performed." As that definition makes clear, one of the main functions of an audit trail is access management.
But an audit log has other uses, too, among them: pinpointing places within the computer where the system has failed — or could. Information gained from an audit trail provides answers to questions like these:
HIPAA mandates that you — the covered entity — "implement procedures and regularly review records of information system activity." So an audit trail isn't something that would be nice to have; it's actually something you've got to have.
And having one will serve you well in the event of a HIPAA audit by Health and Human Services (HHS). Why? Because a recent amendment to the Federal Rules of Civil Procedure recommends leniency to those healthcare practices that manage their information with "good faith practices" — like generating, reviewing, and saving audit logs.
An auditing subsystem is already built into Windows operating systems. Simply enable that feature, and you're off and running on The Ol' Audit Trail. That's the good news.
The bad news is that an audit trail generates a ton-load of data — approximately 3,500 lines per log-in per day. Generating an audit report can mean having to sift through a lot of confusing technical content. And let's face it, spending hours trying to make sense of an audit trail is not why most doctors and dentists chose to go into healthcare.
I can hear you thinking, "Great. First you tell me an audit log is important. Then you tell me it's almost impossible to figure out." But actually, there is a simpler way. Touchstone Compliance has recently added to its services an easy-to-deploy automated tool that scans workstations and networks and produces reports that do everything from analyzing user behavior to documenting the login history for each computer. And you don't have to have a degree in computer science to figure those reports out.
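As an added example (not the author's or Touchstone Compliance's tooling), the PowerShell below uses only the auditing built into Windows: it enables logon auditing and condenses the Security log into a per-user login history. The seven-day window and the set of logon types kept are assumptions; run it from an elevated prompt.

```powershell
# Added example. Requires an elevated (Administrator) PowerShell session.
# Enable success and failure auditing for logons with the built-in auditpol.exe.
# Only logons that happen after this point are recorded. On domain-joined
# machines, Group Policy may override this local setting.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Read logon events from the Security log.
# 4624 = successful logon, 4625 = failed logon.
$since  = (Get-Date).AddDays(-7)   # assumed review window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

# Reduce each event to the few fields a reviewer needs:
# who, when, from where, and whether the attempt succeeded.
$records = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
    }
}

# Keep logons made by people rather than services (assumed set):
# 2 = at the keyboard, 7 = unlock, 10 = Remote Desktop.
$human = $records | Where-Object { $_.LogonType -in '2', '7', '10' }

# One line per user and outcome, most active first.
$human |
    Group-Object User, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Rows with a high `Failure` count, or a `LastSeen` time outside office hours, are the ones to look at first during a regular review.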
When breaches or unauthorized activity go undetected for long periods of time, an issue that could have been handled quickly and without serious repercussions can grow into something that threatens a healthcare practice. Don't let that happen. Put your audit trail to good use — and stay on the path to HIPAA compliance.
© Darnall Law Office 2015