Updated on November 24th, 2021.
This is the second part of our three-part series discussing the Security Rule section of HIPAA compliant healthcare application development. Here we’ll go over HIPAA auditing, what it means, why it must be done, the implications of not doing so, and how you should conduct a HIPAA audit.
What are HIPAA audits?
The OCR (Office for Civil Rights) can and will periodically conduct HIPAA audits on covered entities and business associates to ensure that they are safeguarding electronic protected health information (ePHI) as they should. HIPAA audits are conducted to gauge progress on compliance and to identify areas where improvement is needed.
Why you should care
In order to prevent fines associated with failed HIPAA audits, healthcare organizations should conduct regular risk assessments and take steps to prepare for HIPAA compliance audits.
There are several levels of penalties based on what a covered entity does or doesn’t do in accordance with HIPAA. Read the following to learn more: Is Your Healthcare Patient Portal HIPAA Compliant?
HIPAA audit log requirements
The HIPAA technical safeguards rule[¹] for covered entities was created to ensure that controls are in place for monitoring activity on electronic systems that use or contain ePHI. These entities must also have policies in place to systematically review and monitor audit records to establish that all activity on these electronic systems is appropriate. Logons and logoffs, file accesses, updates, edits, and security incidents are a few examples of activities that should be monitored.
The only obligatory audit is a risk analysis[²], which is required regardless of a provider’s size. In this analysis, providers must accurately determine whether potential vulnerabilities and risks to the integrity, confidentiality, and availability of ePHI exist within their systems. Conventional controls for these audits generally include the application of software, hardware, and/or procedural mechanisms that analyze activity in systems containing ePHI.
Rule 45 CFR § 164.316 states that audit records must be retained for six years[³] from the date of their creation or the date when they were last in effect, whichever is later. Logs of system activity and records of security breaches are examples of documentation that must remain available for that six-year period.
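The "systematic review of audit records" the rule calls for is usually automated before a human looks at anything. The script below is an added example, not code from the original article or from Bridge Patient Portal: it parses a constructed JSON-lines audit log (the field names `ts`, `user`, `event`, `patient` and `ip` are assumptions), flags three kinds of activity that a review policy would route to a person (ePHI access outside business hours, repeated failed logons from one account, and one user paging through many patient records in a short window), and computes the earliest date a record may be destroyed under the six-year retention requirement.

```python
"""Automated review of ePHI audit records.

Added example (not from the original article or Bridge Patient Portal):
parses constructed JSON-lines audit events, flags activity that a HIPAA
audit-review policy would want a human to look at, and computes how long
each record must be retained under the six-year rule.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2021-11-22T08:55:10", "user": "nurse.kim", "event": "login_success", "ip": "10.0.4.21"}
{"ts": "2021-11-22T09:01:02", "user": "nurse.kim", "event": "record_view", "patient": "P-1001", "ip": "10.0.4.21"}
{"ts": "2021-11-22T09:03:45", "user": "nurse.kim", "event": "record_update", "patient": "P-1001", "ip": "10.0.4.21"}
{"ts": "2021-11-22T17:30:00", "user": "nurse.kim", "event": "logout", "ip": "10.0.4.21"}
{"ts": "2021-11-22T23:41:07", "user": "dr.ortiz", "event": "login_failure", "ip": "203.0.113.9"}
{"ts": "2021-11-22T23:41:19", "user": "dr.ortiz", "event": "login_failure", "ip": "203.0.113.9"}
{"ts": "2021-11-22T23:41:33", "user": "dr.ortiz", "event": "login_failure", "ip": "203.0.113.9"}
{"ts": "2021-11-22T23:42:01", "user": "dr.ortiz", "event": "login_success", "ip": "203.0.113.9"}
{"ts": "2021-11-22T23:43:10", "user": "dr.ortiz", "event": "record_view", "patient": "P-2001", "ip": "203.0.113.9"}
{"ts": "2021-11-22T23:43:15", "user": "dr.ortiz", "event": "record_view", "patient": "P-2002", "ip": "203.0.113.9"}
{"ts": "2021-11-22T23:43:20", "user": "dr.ortiz", "event": "record_view", "patient": "P-2003", "ip": "203.0.113.9"}
"""

FAILED_LOGIN_THRESHOLD = 3          # failures from one account within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BULK_VIEW_THRESHOLD = 3             # distinct patients viewed by one user within the window
BULK_VIEW_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)            # 07:00-19:00 local time; an assumption for the example
RETENTION_YEARS = 6                 # 45 CFR 164.316 documentation retention


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def review(events):
    """Return a list of (rule, user, detail) findings for human follow-up."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent login failures
    views = defaultdict(list)      # user -> (timestamp, patient) of recent record views
    for ev in events:
        ts, user, kind = ev["ts"], ev["user"], ev["event"]
        # Rule 1: any ePHI access or change outside business hours.
        if kind in ("record_view", "record_update") and not (
            BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
        ):
            findings.append(("after_hours_access", user, ev["patient"]))
        # Rule 2: repeated failed logons for one account within a short window.
        if kind == "login_failure":
            failures[user] = [t for t in failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
            failures[user].append(ts)
            if len(failures[user]) == FAILED_LOGIN_THRESHOLD:
                findings.append(("repeated_login_failure", user, ev["ip"]))
        # Rule 3: one user viewing many different patients in a short window.
        if kind == "record_view":
            views[user] = [(t, p) for t, p in views[user] if ts - t <= BULK_VIEW_WINDOW]
            views[user].append((ts, ev["patient"]))
            distinct = {p for _, p in views[user]}
            if len(distinct) == BULK_VIEW_THRESHOLD:
                findings.append(("bulk_record_view", user, sorted(distinct)))
    return findings


def retain_until(created):
    """Earliest date an audit record created on `created` may be destroyed."""
    try:
        return created.replace(year=created.year + RETENTION_YEARS)
    except ValueError:  # 29 February with a non-leap target year
        return created.replace(year=created.year + RETENTION_YEARS, day=28)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for finding in review(evs):
        print(finding)
    print("first record must be kept until", retain_until(evs[0]["ts"]).date())
```

Each rule fires exactly once when its threshold is reached rather than on every later event, so the reviewer sees one finding per incident. The thresholds and business-hours window are policy choices; the point of the exercise is that the policy is written down, applied to every record, and leaves a trail showing that the review actually happened.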
Use a HIPAA compliant patient portal
Implementing HIPAA compliant patient portal software can ensure that your company is always ready for a HIPAA audit. Bridge Patient Portal ensures HIPAA compliance by:
- Going through multiple rounds of third-party HIPAA audits
- Being ONC 2015 Edition certified
- Conducting regular risk assessments
- Regularly reviewing records of system activity, including audit logs, access reports, and security incident tracking reports
- Maintaining ePHI integrity requirements by implementing information systems such as checksum verification or digital signatures
- Employing a full-time compliance officer
Auditing is an important part of the Security Rule section of HIPAA but is only a small part of what the rule addresses.
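The integrity control mentioned above (checksum verification or digital signatures over ePHI) is easy to get wrong if the checksum is unkeyed, because anyone who can alter the record can recompute it. The following is an added example, not Bridge Patient Portal's code: each record is canonicalised (sorted keys, fixed separators) and tagged with an HMAC-SHA256 under a server-side key, and verification recomputes the tag and compares it in constant time, so any changed, added or removed field is detected. The key is generated in-process here purely for the demonstration; in a real system it would come from a secrets manager or HSM.

```python
"""Tamper-evident ePHI records with a keyed integrity tag.

Added example (not Bridge Patient Portal's code): the record's fields are
canonicalised and tagged with HMAC-SHA256 under a server-side key; verification
recomputes the tag and compares it in constant time, so an altered field,
a missing tag or a tag made under a different key all fail verification.
"""
import hashlib
import hmac
import json
import os

# The key would come from a secrets manager or HSM; generated here for the example.
INTEGRITY_KEY = os.urandom(32)


def canonical(record):
    """Stable byte encoding of the record's fields, excluding the 'tag' field itself."""
    fields = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=INTEGRITY_KEY):
    """Return a copy of the record with an HMAC-SHA256 tag attached."""
    sealed = dict(record)
    sealed["tag"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return sealed


def verify(record, key=INTEGRITY_KEY):
    """True only if the record carries a tag that matches its current contents."""
    tag = record.get("tag")
    if not isinstance(tag, str) or not tag:
        return False
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample record; values are illustrative only.
    rec = seal({"patient": "P-1001", "allergy": "penicillin", "dose_mg": 500})
    print("intact record verifies:", verify(rec))
    tampered = dict(rec, dose_mg=5000)
    print("altered dose verifies:", verify(tampered))
```

An HMAC proves that the record was not changed since it was tagged by someone holding the key; where the requirement is to prove *who* tagged it (for example when records move between organisations), the same canonicalisation step feeds a digital signature instead, with the verifier needing only the public key.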
This was the second part of our three-part series discussing the Security Rule section of HIPAA compliant healthcare application development. Catch up on Part 1: What You Need to Know About User Authentication or continue onto Part 3: What You Need to Know About Data Transfer.
- LII / Legal Information Institute. (n.d.). 45 CFR § 164.312 – Technical safeguards. [online] Available at: https://www.law.cornell.edu/cfr/text/45/164.312.
- Office for Civil Rights (OCR) (2010). Guidance on Risk Analysis. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.
- Office for Civil Rights (OCR) (2005). HIPAA Security Series: Security Standards – Organizational, Policies and Procedures and Documentation Requirements. [online] HHS.gov. Available at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf.