To keep the confidentiality, integrity and availability of Protected Health Information (PHI) in line with HIPAA, an organisation should keep audit logs of all activity. A well-documented audit trail and a log of all activity help document breaches, and reviewing the logs on an ongoing basis can also help prevent them. The U.S. Department of Health and Human Services (HHS) has issued guidance on audit controls and logs. Application audit trails monitor and log user activity, including any files that are created, read, edited or deleted in Electronic Health Records (EHR). Any system should also log successful and unsuccessful log-on attempts, the ID/username, log-on/off date and time, type of device, application accessed and authentication method. The logs should also record other activity such as commands executed by the user and any resources accessed.
These logs establish access patterns for the employees and contractors in an organisation, which makes it possible to detect unauthorised access carried out with stolen login credentials, because such access deviates from the user's established pattern.
To meet HIPAA audit log requirements, it is best to track:
- User logins
- Database changes
- Moves, adds and changes of users
- User access levels and files accessed
- Logins to operating systems, firewalls and anti-malware
These requirements cover electronic PHI, but organisations must also track access to paper PHI, using a sign-in/sign-out process for paper files, to ensure compliance.
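As an added example (not part of the original text), the following Python script shows how the logged fields listed above can be turned into a per-user access baseline and then reviewed for deviations: a new device, an unusual hour, an unfamiliar authentication method, a first-time access to a record, or a successful login following repeated failures. The key=value log format, the user names and every event are constructed for this example; a real EHR or SIEM will have its own schema, and a production rule would count failed logins within a time window rather than within a single batch.

```python
"""Baseline-and-deviation review of HIPAA-style audit events.

Added example, not code from the original text. The log layout below is a
constructed key=value format; a real EHR or SIEM will have its own schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical events used to learn each user's normal pattern.
BASELINE_LOG = """\
2024-03-04T08:02:11 user=nurse1 event=login_ok device=ws-12 app=ehr auth=password
2024-03-04T08:05:40 user=nurse1 event=access device=ws-12 app=ehr resource=chart:1001 action=read
2024-03-04T09:17:03 user=nurse1 event=access device=ws-12 app=ehr resource=chart:1002 action=edit
2024-03-04T14:30:00 user=nurse1 event=logoff device=ws-12 app=ehr
2024-03-04T10:00:00 user=dr2 event=login_ok device=lap-03 app=ehr auth=smartcard
2024-03-04T10:01:12 user=dr2 event=access device=lap-03 app=ehr resource=chart:1001 action=read
""".splitlines()

# Constructed events to review against that baseline (chronological order).
REVIEW_LOG = """\
2024-03-05T02:14:09 user=nurse1 event=login_ok device=ws-77 app=ehr auth=password
2024-03-05T02:15:00 user=nurse1 event=access device=ws-77 app=ehr resource=chart:1003 action=read
2024-03-05T09:10:00 user=nurse1 event=login_ok device=ws-12 app=ehr auth=password
2024-03-05T09:11:30 user=nurse1 event=access device=ws-12 app=ehr resource=chart:1001 action=read
2024-03-05T10:00:01 user=dr2 event=login_fail device=lap-03 app=ehr auth=password
2024-03-05T10:00:09 user=dr2 event=login_fail device=lap-03 app=ehr auth=password
2024-03-05T10:00:15 user=dr2 event=login_fail device=lap-03 app=ehr auth=password
2024-03-05T10:00:30 user=dr2 event=login_ok device=lap-03 app=ehr auth=password
""".splitlines()


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime ts."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def build_baseline(lines):
    """Per user: the devices, auth methods, resources and hours seen so far."""
    baseline = defaultdict(
        lambda: {"devices": set(), "auth": set(), "resources": set(), "hours": set()}
    )
    for ev in map(parse_line, lines):
        prof = baseline[ev["user"]]
        prof["devices"].add(ev.get("device"))
        prof["hours"].add(ev["ts"].hour)
        if "auth" in ev:
            prof["auth"].add(ev["auth"])
        if "resource" in ev:
            prof["resources"].add(ev["resource"])
    return baseline


def review_events(lines, baseline, fail_threshold=3):
    """Return (timestamp, user, reasons) for each event that deviates from its user's baseline."""
    findings = []
    recent_failures = defaultdict(int)  # consecutive failed logins per user in this batch
    for ev in map(parse_line, lines):
        user, prof = ev["user"], baseline.get(ev["user"])
        reasons = []
        if prof is None:
            reasons.append("user has no baseline")
        else:
            if ev.get("device") not in prof["devices"]:
                reasons.append(f"new device {ev.get('device')}")
            if ev["ts"].hour not in prof["hours"]:
                reasons.append(f"outside usual hours ({ev['ts'].hour:02d}:00)")
            if "auth" in ev and ev["auth"] not in prof["auth"]:
                reasons.append(f"new authentication method {ev['auth']}")
            if "resource" in ev and ev["resource"] not in prof["resources"]:
                reasons.append(f"first access to {ev['resource']}")
        if ev["event"] == "login_fail":
            recent_failures[user] += 1
        elif ev["event"] == "login_ok":
            if recent_failures[user] >= fail_threshold:
                reasons.append(f"login after {recent_failures[user]} failures")
            recent_failures[user] = 0
        if reasons:
            findings.append((ev["ts"].isoformat(), user, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in review_events(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Run as a script it prints one line per flagged event; the two nurse1 events at 09:10 and 09:11 match the learned baseline and are not reported, while the 02:14 login from an unknown workstation and dr2's password login after three failures are.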