What are the HIPAA Security Rule Audit Controls, Audit Logs, and Audit Trails?

Modified on Mon, 26 Feb 2024 at 12:11 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). These mechanisms are known as audit controls. Audit controls include audit logs and audit trails. 


What is the Difference Between Audit Logs and Audit Trails, in General? 

An audit trail can be thought of as a "paper trail." A paper trail is an organization's documentation of a significant event, made by writing a record that indicates what happened and when it happened. The details contained in audit trails can be put into an audit log, allowing an organization to document significant events in a single log that summarizes all of them.


What are HIPAA Audit Logs and Audit Trails?

HIPAA audit logs summarize events pertaining to applications, users, and systems. A HIPAA audit log summarizes the contents of HIPAA audit trails; the HIPAA audit trails themselves capture the event information about applications, users, and systems.


What are the Purposes of HIPAA Audit Logs and HIPAA Audit Trails?

Audit trails’ main purpose is to maintain a record of system activity, both by application processes and by user activity within systems and applications. The record can be examined to determine whether there has been unauthorized access to an information system and to determine if there is anomalous or suspicious activity that might warrant further investigation (e.g., repeated attempts to access the system with an incorrect user ID or password within a brief time frame).


Audit logs and trails assist covered entities and business associates in reducing risk by supporting: review of inappropriate access; tracking of unauthorized disclosures of ePHI; detection of performance problems and flaws in applications; detection of potential intrusions and other malicious activity; and provision of forensic evidence during the investigation of security incidents and breaches.


What are the Different Types of Audit Trails?

HHS guidance specifies that there are three kinds of audit trails, with each audit trail monitoring specific activities.


Application audit trails: Application audit trails normally monitor and log user activities in the application. This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.


System-level audit trails: System-level audit trails usually capture successful or unsuccessful log-on attempts, the log-on ID/username, the date and time of each log-on/log-off attempt, the devices used to log on, and the application the user successfully or unsuccessfully accessed.


User audit trails: User audit trails normally monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, logon attempts with identification and authentication, and access to ePHI files and resources.
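The review described above (spotting repeated log-on attempts with an incorrect user ID or password within a brief time frame) can be automated over the fields a system-level audit trail captures. The following is an added example, not code from the original article or from Compliancy Group; the log format, the field names, and the sample entries are all constructed for illustration, and the five-failures-in-two-minutes threshold is an assumed value that a covered entity would set from its own risk analysis.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a system-level audit trail (not from any real system).
# Each entry: timestamp, user ID, device, application, log-on outcome.
SAMPLE_AUDIT_TRAIL = [
    "2024-02-26T08:00:05 jdoe WS-117 EHR FAILURE",
    "2024-02-26T08:00:21 jdoe WS-117 EHR FAILURE",
    "2024-02-26T08:00:40 jdoe WS-117 EHR FAILURE",
    "2024-02-26T08:00:58 jdoe WS-117 EHR FAILURE",
    "2024-02-26T08:01:10 jdoe WS-117 EHR FAILURE",
    "2024-02-26T08:01:30 jdoe WS-117 EHR SUCCESS",
    "2024-02-26T08:05:00 asmith WS-042 EHR FAILURE",
    "2024-02-26T08:30:00 asmith WS-042 EHR FAILURE",
    "2024-02-26T09:00:00 asmith WS-042 EHR SUCCESS",
]


def parse_entry(line):
    """Split one audit-trail line into its fields (hypothetical fixed format)."""
    ts, user, device, app, outcome = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "device": device, "app": app, "outcome": outcome}


def find_repeated_failures(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag users with `threshold` or more failed log-ons inside a sliding `window`.

    Returns one alert per burst; a user's window resets after an alert or a success.
    """
    recent = defaultdict(deque)  # user -> timestamps of failures still in window
    alerts = []
    for e in map(parse_entry, lines):
        q = recent[e["user"]]
        if e["outcome"] == "SUCCESS":
            q.clear()            # a successful log-on closes the failure burst
            continue
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()          # drop failures older than the window
        if len(q) >= threshold:
            alerts.append({"user": e["user"], "device": e["device"], "app": e["app"],
                           "first": q[0], "last": e["time"], "count": len(q)})
            q.clear()            # report each burst once
    return alerts


if __name__ == "__main__":
    for a in find_repeated_failures(SAMPLE_AUDIT_TRAIL):
        print(f"{a['user']} from {a['device']}: {a['count']} failed log-ons to {a['app']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the sample data only jdoe is flagged (five failures in 65 seconds, then a success); asmith's two failures are 25 minutes apart and fall outside the window, which is the kind of distinction a reviewer needs so that ordinary mistyped passwords do not drown out a genuine burst.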


What Information Should be Collected from an Audit Log or Trail?

The HIPAA Security Rule does not identify exactly what information should be collected from an audit log or trail, or exactly how often audit reports should be reviewed. When determining reasonable and appropriate audit controls for information systems containing or using ePHI (that is, when determining what to include in audit controls and audit trails, and how often to review reports of them), covered entities and business associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure and their hardware and software security capabilities.


Covered entities and business associates should review their audit trails regularly, both during real-time operations and, in particular, after security incidents or breaches. Regular review of information system activity should promote awareness of any activity that could suggest a security incident or breach. Access to audit trails should be strictly restricted and provided only to authorized personnel.
