The 2016 Phase 2 HIPAA Audit Program included a review of the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. In its latest audit controls newsletter, published in January 2017, the Office for Civil Rights (OCR) urges healthcare organizations to properly safeguard audit logs and audit trails so that hackers and malicious insiders cannot tamper with them and cause a potential data breach. The OCR has started Desk Audits of a few Business Associates. These Desk Audits consist of a review of documentation specified by the OCR, covering the Business Associate's policies, procedures, and evidence of implementation of the safeguards that protect ePHI.
HIPAA established important national standards for the privacy and security of protected health information and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk.
HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
Business Associates Audit
Business Associates will now need to make sure that they appropriately review and secure audit trails, and that they use the proper tools to collect, monitor, and review them.
Questions that Covered Entities and Business Associates should consider:
• What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
• What are the audit control capabilities of information systems with ePHI?
• Do the audit controls implemented allow the organization to adhere to their audit control policies and procedures?
• Are changes or upgrades of an information system’s audit capabilities necessary?