The HIPAA minimum necessary standard requires that workforce members access only the PHI needed for a specific purpose within their job role. Retained audit logs let an organization establish each employee's normal access pattern; with that baseline in place, administrators can detect when an employee is abusing their access rights, or when an unauthorized party is using an employee's stolen login credentials to access data illegally.
HIPAA audit log requirements include retaining audit log records for six years. However, some states have their own retention requirements that exceed six years. Where state law imposes the stricter retention period, healthcare organizations must adhere to the stricter standard.
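As an added illustration of the baseline-and-deviation approach described above (example code written for this page, not from the original article or any product), the script below learns each user's working hours and typical daily record volume from constructed audit log lines, then flags later events that fall outside that baseline. The log format, user names and patient IDs are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample audit-log lines (not from a real system): timestamp|user|action|patient_id
BASELINE_LOG = """\
2024-03-04T08:12:00|nurse_a|view|P100
2024-03-04T09:40:00|nurse_a|view|P101
2024-03-05T10:05:00|nurse_a|update|P100
2024-03-05T13:30:00|nurse_a|view|P102
2024-03-04T08:30:00|billing_b|view|P200
2024-03-05T16:45:00|billing_b|view|P201
"""
NEW_LOG = """\
2024-03-12T09:10:00|nurse_a|view|P101
2024-03-12T02:15:00|nurse_a|view|P300
2024-03-12T02:16:00|nurse_a|view|P301
2024-03-12T02:17:00|nurse_a|view|P302
2024-03-12T11:00:00|billing_b|view|P200
"""
def parse(log):
    """Turn raw lines into (timestamp, user, action, patient_id) tuples."""
    return [(datetime.fromisoformat(ts), u, a, p)
            for ts, u, a, p in (l.split("|") for l in log.splitlines())]

def build_baseline(events):
    """Per user: the hour range seen and the most distinct patient records touched on one day."""
    hours = defaultdict(list)
    per_day = defaultdict(lambda: defaultdict(set))
    for ts, user, _, pid in events:
        hours[user].append(ts.hour)
        per_day[user][ts.date()].add(pid)
    return {u: {"hour_range": (min(h), max(h)),
                "max_patients_per_day": max(len(s) for s in per_day[u].values())}
            for u, h in hours.items()}

def find_anomalies(baseline, events):
    """Flag off-hours access and the first time a user-day exceeds the baseline record volume."""
    alerts, seen = [], defaultdict(lambda: defaultdict(set))
    for ts, user, action, pid in events:
        prof = baseline.get(user)
        if prof is None:
            alerts.append((user, f"no baseline for user, {action} on {pid}"))
            continue
        lo, hi = prof["hour_range"]
        if not lo <= ts.hour <= hi:
            alerts.append((user, f"off-hours {action} of {pid} at {ts.isoformat()}"))
        day = seen[user][ts.date()]
        day.add(pid)
        if len(day) == prof["max_patients_per_day"] + 1:
            alerts.append((user, f"{len(day)} distinct patients on {ts.date()} exceeds baseline"))
    return alerts
```

With the constructed data, the three 02:00 views by nurse_a are flagged as off-hours and the fourth distinct patient that day trips the volume check, while billing_b's daytime view of a previously seen record produces nothing.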
As part of HIPAA audit log requirements, healthcare organizations must track the following:
- Each time a user logs in
- Whenever changes are made to databases
- When new users are added
- Access levels for each user
- File access by users
- Logins to operating systems
- Firewall logs
- Anti-malware logs
All of the above-mentioned HIPAA audit log requirements are for electronic PHI access. However, access to paper PHI must also be tracked. It is therefore important for employees to sign out paper files, and for organizations to keep an audit log for this access.
HHS Provides Questions that Covered Entities and Business Associates Should Consider
- What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
- What are the audit control capabilities of information systems with ePHI?
- Do the audit controls implemented allow the organization to adhere to their audit control policies and procedures?
- Are changes or upgrades of an information system’s audit capabilities necessary?