New OCR Audit Control Guidance
The Department of Health and Human Services' Office for Civil Rights (OCR), in January 2017, published a cyber newsletter regarding the importance of audit controls with respect to HIPAA compliance. The HIPAA Security Rule requires covered entities and business associates to have mechanisms in place to record and examine activity in information systems housing electronic protected health information (ePHI).
The newsletter provides details about what audit logs and audit trails are, and provides useful guidance to security officials regarding what OCR expects in terms of analyzing audit-related information. OCR notes that the HIPAA Security Rule does not dictate exactly what information must be collected or how often it should be reviewed. Instead, covered entities and business associates should determine what measures are reasonable and appropriate in light of their risk analyses and organizational capabilities. The newsletter lists a number of factors that entities should consider when analyzing audit logs and audit trails including:
- the audit control mechanisms that are reasonable and appropriate to implement
- the types of audit control capabilities that are in place in information systems containing ePHI
- the capabilities of existing audit controls with respect to allowing the organization to follow its audit-related policies and procedures
- changes or upgrades to a system's audit capabilities that may be necessary