Recently, we ended up in several discussions about HIPAA access logs and what they really require with our clients. As per usual, any topic that comes up multiple times in my “real job” becomes a discussion for HMWH. So, today we are talking about HIPAA access logs to attempt to clear up some confusion we have encountered. There are multiple types of HIPAA access logs being created in most environments and you should be dealing with pretty much all of them in some manner.
HIPAA Access Logs
When discussing HIPAA access logs some people may not realize exactly what that includes. There are HIPAA rules about it and meaningful use rules about it. There are logs created by the systems, technical, and networking devices plus logs created by all your applications. The actual HIPAA and meaningful use statutes that relate to HIPAA access logs are as follows:
Information System Activity Review §164.308(a)(1)(ii)(D) (Required) Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Audit Controls §164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- §170.314(d)(3) Audit report(s). Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards at § 170.210(e).
- § 170.210(e)(1)(i) – The audit log must record the information specified in sections 7.2 through 7.4, 7.6, and 7.7 of the standard specified at §170.210(h) when EHR technology is in use.
- § 170.210(e)(1)(ii) – The date and time must be recorded in accordance with the standard specified at § 170.210(g).
- § 170.210(e)(2)(i) – The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the audit log status is changed.
- § 170.210(e)(2)(ii) – The date and time each action occurs in accordance with the standard specified at § 170.210(g).
- § 170.210(e)(3) – The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by the EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g)
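To make the audit-report requirement in §170.314(d)(3) concrete, here is an added example (not code from any EHR product or from this post) of an append-only audit log whose entries carry the kinds of data elements the rule refers to, with every timestamp normalized to UTC, plus a report function that filters a time period and sorts by any of those elements. The field names, the sample entries and the `audit_log_status_changed` action are assumptions constructed for the illustration.

```python
"""Audit-log record and report helpers (example code, not from any EHR).

Field names are assumptions chosen to cover the kinds of data elements the
rule refers to: who, which patient, what action, and when.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime   # always tz-aware and stored in UTC
    user_id: str
    patient_id: str       # "-" when the action is not about a patient record
    action: str           # e.g. "view", "update", "print", "audit_log_status_changed"
    detail: str = ""


def _utc(ts_iso: str) -> datetime:
    """Parse an ISO-8601 timestamp and refuse naive (zone-less) values, so every
    entry comes from a clock with a known offset and sorts correctly."""
    ts = datetime.fromisoformat(ts_iso)
    if ts.tzinfo is None:
        raise ValueError("audit timestamps must carry a timezone offset")
    return ts.astimezone(timezone.utc)


def make_entry(ts_iso: str, user_id: str, patient_id: str,
               action: str, detail: str = "") -> AuditEntry:
    return AuditEntry(_utc(ts_iso), user_id, patient_id, action, detail)


def record_audit_status_change(log: List[AuditEntry], user_id: str,
                               enabled: bool, now_iso: str) -> None:
    """Write the status-change entry itself (who changed it and when) before the
    change takes effect, so turning logging off is never invisible."""
    log.append(make_entry(now_iso, user_id, "-", "audit_log_status_changed",
                          "enabled" if enabled else "disabled"))


# Constructed sample log: four entries, one recorded in US Eastern time.
SAMPLE_LOG: List[AuditEntry] = [
    make_entry("2024-03-04T08:15:00+00:00", "nurse.jones", "P-1001", "view"),
    make_entry("2024-03-04T13:40:00-05:00", "dr.smith", "P-1002", "update"),
    make_entry("2024-03-05T02:05:00+00:00", "billing.lee", "P-1001", "print"),
]
record_audit_status_change(SAMPLE_LOG, "admin.kim", False, "2024-03-05T09:00:00+00:00")

SORTABLE_FIELDS = ("timestamp", "user_id", "patient_id", "action")


def audit_report(entries: List[AuditEntry], start_iso: str, end_iso: str,
                 sort_by: str = "timestamp", descending: bool = False) -> List[AuditEntry]:
    """Entries in [start, end), sorted by the chosen data element."""
    if sort_by not in SORTABLE_FIELDS:
        raise ValueError(f"cannot sort by {sort_by!r}; choose one of {SORTABLE_FIELDS}")
    start, end = _utc(start_iso), _utc(end_iso)
    rows = [e for e in entries if start <= e.timestamp < end]
    rows.sort(key=lambda e: getattr(e, sort_by), reverse=descending)
    return rows


if __name__ == "__main__":
    for row in audit_report(SAMPLE_LOG, "2024-03-04T00:00:00+00:00",
                            "2024-03-06T00:00:00+00:00", sort_by="user_id"):
        print(row.timestamp.isoformat(), row.user_id, row.patient_id, row.action, row.detail)
```

The report for 4 March returns the two entries made that day; the Eastern-time update is placed at 18:40 UTC, which is why normalizing on write matters when the "specific time period" in a request spans sites in different zones.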
Clearly, audit logs are a big thing but what does it really mean? Why does it matter? How can it really be done?
Technical Systems Access Logs
System access logs address the user access to your network and computer systems. These logs are included on your physical devices throughout the network. The tools that exist to watch over these logs are varied and generally very technical. Your IT staff or BA will be the source for making a workable plan to evaluate all this data. Unless you have some understanding of this type of information the logs will make no sense to you.
Most MSPs have tools that should be able to generate reports showing you what is being logged in some, if not all, of your systems. Make sure that your plan with them includes the capture, evaluation, and reports to you on the status with these log reviews.
The tools for the technical logs vary in price and features. The most effective tools are called SIEM (we say "sim") tools. They collect logs from all your different network devices and evaluate them for problems automatically. The reports and alerts generated by these tools look at all details on the network, not just what you happen to check out manually. While very helpful, these tools have been very expensive in the past. Now, the price seems to be coming down a bit. Here is some information on SIEM tools:
You can use a wide variety of tools to meet your HIPAA access logs requirements for the IT parts. It is important to make sure someone is watching something even if it is a manual process that occurs from time to time. Check the logs on the routers and firewall devices, servers, workstations, WiFi access points, laptops, etc.
PHI Access Logs
Most people who focus only on the Security Rule do not include this access log requirement in their planning and processes. Your systems should all be writing a log of some sort tracking access to PHI. All certified EHRs had to write them to pass MU requirements. However, they don't have to do anything more with them. You can select a specific patient and see the log for that patient. Just like all the network devices, they don't have tools that monitor those audit logs for anomalies and alert you to the problem; they just create the logs.
Technically, you should be doing random audits on those access logs if you have to do them manually. HIPAA access logs requirements don’t refer to just the network resources. Of course, there are tools available for collecting and analyzing those logs also. There are generally two types of processing options for these tools.
- Rules based – You define the rules that the audit engine uses to look for problems. Basically, you tell it what to look for in the logs and alert you when it sees what you are worried about.
- Behavioral based – The engine “learns” what is normal access and what is a potential problem. You tell it what it should do when it finds any access log entry that isn’t within your normal processing and workflow.
In a previous episode, we interviewed Ray Ribble from Spher, Inc. about their product, also called Spher. It is a behavioral based patient access audit tool. Listen in on that episode to hear more about how these systems work.
Ray has told us several stories of how the Spher product has been very successful. The tool meets the needs for HIPAA access logs audits as well as Meaningful Use requirements. He even mentioned a case to me where Spher found an ex-employee trying to access the EHR at a site. The EHR system didn’t allow them in but all the remote access systems let the employee access the network. If Spher hadn’t seen the login failure, the employee may still be out there trying to get into the systems because none of the IT checks found it to be a problem.
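As an added illustration of the two processing options listed above (rules based and behavioral based) and of the terminated-employee login case just described, here is a small audit engine run over a constructed PHI access log. It is example code written for this post, not Spher or any other product. The log format, the shift table, the list of terminated accounts, the "same last name as the patient" heuristic and the volume threshold are all assumptions for the example.

```python
"""Toy patient-access audit engine (example code, not a product).

Rules-based pass: fixed checks you define up front.
Behavioral pass: learns each user's usual daily patient volume from earlier
days and flags a later day that is far above it.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean
from typing import Dict, List, Tuple

# Constructed log. Columns:
# timestamp,user,user_last_name,patient,patient_last_name,action,result
SAMPLE_LINES = """\
2024-03-04T08:15:00+00:00,njones,Jones,P-1001,Garcia,view,success
2024-03-04T08:20:00+00:00,njones,Jones,P-1002,Patel,view,success
2024-03-04T09:05:00+00:00,njones,Jones,P-1003,Jones,view,success
2024-03-04T23:30:00+00:00,tlee,Lee,P-1004,Nguyen,view,success
2024-03-05T08:10:00+00:00,njones,Jones,P-1005,Kim,view,success
2024-03-05T08:12:00+00:00,njones,Jones,P-1006,Park,view,success
2024-03-05T10:00:00+00:00,tlee,Lee,P-1001,Garcia,view,success
2024-03-06T08:00:00+00:00,njones,Jones,P-1010,Ali,view,success
2024-03-06T08:05:00+00:00,njones,Jones,P-1011,Brown,view,success
2024-03-06T08:10:00+00:00,njones,Jones,P-1012,Chen,view,success
2024-03-06T08:15:00+00:00,njones,Jones,P-1013,Diaz,view,success
2024-03-06T08:20:00+00:00,njones,Jones,P-1014,Evans,view,success
2024-03-06T08:25:00+00:00,njones,Jones,P-1015,Ford,view,success
2024-03-06T08:30:00+00:00,njones,Jones,P-1016,Gupta,view,success
2024-03-06T08:35:00+00:00,njones,Jones,P-1017,Hall,view,success
2024-03-06T10:00:00+00:00,rgone,Gone,-,-,login,failure
"""

# Assumed reference data a real engine would pull from HR and scheduling.
SHIFTS = {"njones": (7, 16), "tlee": (7, 16)}   # permitted UTC hours [start, end)
TERMINATED = {"rgone"}                          # accounts HR says are gone


def parse_log(text: str) -> List[Dict]:
    records = []
    for line in text.strip().splitlines():
        ts, user, user_last, patient, patient_last, action, result = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts).astimezone(timezone.utc),
            "user": user, "user_last": user_last,
            "patient": patient, "patient_last": patient_last,
            "action": action, "result": result,
        })
    return records


def rules_based(records: List[Dict]) -> List[Tuple[str, Dict]]:
    """You tell it what to look for; it alerts on exactly that."""
    alerts = []
    for r in records:
        # Any activity from a terminated account, even a failed login, is an alert:
        # a failure means the account still exists somewhere it should not.
        if r["user"] in TERMINATED:
            alerts.append(("terminated_account_activity", r))
        # Crude family/self-lookup heuristic: user shares the patient's last name.
        if r["patient"] != "-" and r["user_last"].lower() == r["patient_last"].lower():
            alerts.append(("same_last_name_as_patient", r))
        shift = SHIFTS.get(r["user"])
        if shift and not (shift[0] <= r["ts"].hour < shift[1]):
            alerts.append(("outside_scheduled_hours", r))
    return alerts


def behavioral(records: List[Dict], baseline_days: int = 2,
               min_patients: int = 3, factor: float = 2.0) -> List[Tuple]:
    """Learn each user's normal distinct-patients-per-day from the first
    `baseline_days` days, then flag later days above max(min_patients, factor * normal)."""
    per_day = defaultdict(lambda: defaultdict(set))   # user -> date -> {patients}
    for r in records:
        if r["patient"] != "-" and r["result"] == "success":
            per_day[r["user"]][r["ts"].date()].add(r["patient"])
    alerts = []
    for user, days in per_day.items():
        dates = sorted(days)
        if len(dates) <= baseline_days:
            continue                                   # nothing learned yet
        learned = mean(len(days[d]) for d in dates[:baseline_days])
        threshold = max(min_patients, factor * learned)
        for d in dates[baseline_days:]:
            n = len(days[d])
            if n > threshold:
                alerts.append(("unusual_patient_volume", user, d.isoformat(), n, learned))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LINES)
    for kind, r in rules_based(recs):
        print(kind, r["ts"].isoformat(), r["user"], r["patient"], r["action"], r["result"])
    for a in behavioral(recs):
        print(*a)
```

On this data the rules pass raises three alerts (a user viewing a record with her own last name, a view at 23:30 outside the scheduled shift, and a failed login from a terminated account), and the behavioral pass raises one: njones touched eight distinct patients on the third day against a learned norm of 2.5. Neither pass needs the other, which is the practical difference between the two options: rules catch what you already know to worry about, the baseline catches a change you did not write a rule for.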
Ray Ribble is joining Donna for a Symposium on managing HIPAA compliance on May 26 in Atlanta. Limited seats are available, though. Reserve your seat today.
Here are some case examples of what happens when access log audits are used, or should have been used, to see these kinds of things.
- Fourteen employees caught snooping: at Carilion Clinic in Roanoke, Va., 14 employees accessed high-profile medical records without reason. These breaches were caught in their HIPAA access logs.
- In October 2013, a similar incident transpired at Iowa-based UnityPoint Health, which notified nearly 2,000 patients of a HIPAA breach after officials discovered that an employee of a third-party contractor had gained unauthorized access to patient records. The individual was able to access the records for nearly six months before being discovered.
- Employee sentenced to jail for accessing PHI: a former health plan employee was slated to get jail time for accessing member records. A Tufts Health Plan employee was convicted of disclosing patient information in a fraudulent tax refund scheme after stealing the personal data of more than 8,700 members.
- Nearly 700 patients notified of unauthorized employee access: Cleveland-based University Hospitals on Friday notified nearly 700 patients of a HIPAA privacy breach after one of its employees was caught snooping on confidential medical records.
- 4-year-long breach discovered in a random health system audit
Obviously, people are more likely to snoop on friends and family members or coworkers than VIPs! HIPAA log audits are key to finding and correcting these problems before they become bigger than they should be in your organization.
Links to relevant Information or Mentioned Episodes
Episode 10: ONC Sample Seven-Step Approach for Implementing a Security Management Process