California HIPAA training for small businesses

Why an Audit Trail is Important

Guest author Roman Diaz, Touchstone Compliance June 2015

I'm going to talk a little bit today about audit trails — sometimes called "audit logs" — and the vital role they can play in your ongoing efforts to keep Protected Health Information (PHI) safe, your workforce honest, and hackers at bay.

What is an Audit Trail

According to Fundamentals of Law for Health Informatics and Information Management, an audit trail is basically a "record that shows who has accessed a computer system, when it was accessed, and what operations were performed." As that definition makes clear, one of the main functions of an audit trail is access management.

But an audit log has other uses, too, among them: pinpointing places within the computer where the system has failed — or could. Information gained from an audit trail provides answers to questions like these:

  • Are staff members accessing information — especially PHI — outside of the scope of their job descriptions?
  • Are staff members sharing their user IDs? (Evidenced by a user logged on from two or more workstations at the same time.)
  • Has an intruder found a way into the system? And if so, when did it happen?
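
The shared-ID check from the list above, written out as an added example that is not part of the original article. It assumes the logon records have been exported as CSV with the columns timestamp, event ID, logon type, user, workstation (a hypothetical layout), using the Windows Security log event IDs 4624 (logon) and 4634 (logoff); the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample export, not real data. Column layout is an assumption:
# timestamp, event_id, logon_type, user, workstation.
# Windows Security log: 4624 = logon, 4634 = logoff; logon type 2 = interactive,
# type 3 = network (file shares etc.), type 10 = remote desktop.
SAMPLE_LOG = """\
2015-06-01T08:00:00,4624,2,frontdesk,WS-01
2015-06-01T08:05:00,4624,2,drlee,WS-02
2015-06-01T08:06:00,4624,3,drlee,FILESRV
2015-06-01T09:30:00,4624,2,frontdesk,WS-03
2015-06-01T10:00:00,4634,2,frontdesk,WS-01
2015-06-01T12:00:00,4634,2,drlee,WS-02
2015-06-01T12:10:00,4624,2,drlee,WS-04
2015-06-01T17:00:00,4634,2,frontdesk,WS-03
"""

LOGON, LOGOFF = "4624", "4634"
INTERACTIVE_TYPES = {"2", "10"}


def find_shared_ids(log_text):
    """Return (user, first_ws, second_ws, time) each time a user ID logs on
    to a second workstation while still logged on at another one."""
    rows = [r for r in csv.reader(io.StringIO(log_text)) if r]
    rows.sort(key=lambda r: datetime.fromisoformat(r[0]))
    active = {}    # user -> set of workstations with an open session
    findings = []
    for ts, event_id, logon_type, user, workstation in rows:
        if logon_type not in INTERACTIVE_TYPES:
            continue   # network logons would flag nearly every user
        sessions = active.setdefault(user.lower(), set())
        if event_id == LOGON:
            for other in sorted(sessions - {workstation}):
                findings.append((user.lower(), other, workstation, ts))
            sessions.add(workstation)
        elif event_id == LOGOFF:
            sessions.discard(workstation)
    return findings


if __name__ == "__main__":
    for user, first, second, ts in find_shared_ids(SAMPLE_LOG):
        print(f"{ts}: {user} logged on at {second} while still active on {first}")
```

A missing logoff event (a crash or power loss) leaves a session open here, so treat each finding as a lead to review rather than proof of sharing.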

Minus an audit trail, you could be toast

HIPAA mandates that you — the covered entity — "implement procedures and regularly review records of information system activity." So an audit trail isn't something that would be nice to have; it's actually something you've got to have.

And having one will serve you well in the event of a HIPAA audit by Health and Human Services (HHS). Why? Because a recent amendment to the Federal Rules of Civil Procedure recommends leniency to those healthcare practices that manage their information with "good faith practices" — like generating, reviewing, and saving audit logs.

OK. How do I start one?

An auditing subsystem is already built into Windows operating systems. Simply enable that feature, and you're off and running on The Ol' Audit Trail. That's the good news.

The bad news is that an audit trail generates a ton-load of data — approximately 3,500 lines per log-in per day. Generating an audit report can mean having to sift through a lot of confusing technical content. And let's face it, spending hours trying to make sense of an audit trail is not why most doctors and dentists chose to go into healthcare.

Help!

I can hear you thinking, "Great. First you tell me an audit log is important. Then you tell me it's almost impossible to figure out." But actually, there is a simpler way. Touchstone Compliance has recently added to its services an easy-to-deploy automated tool that scans workstations and networks and produces reports that do everything from analyzing user behavior to documenting the login history for each computer. And you don't have to have a degree in computer science to figure those reports out.

When breaches or unauthorized activity go undetected for long periods of time, an issue that could have been handled quickly and without serious repercussions can grow into something that threatens a healthcare practice. Don't let that happen. Put your audit trail to good use — and stay on the path to HIPAA compliance.

        © Darnall Law Office 2015