OCR newsletter emphasizes audit controls

The Department of Health and Human Services Office for Civil Rights (OCR) issued its January 2017 Cyber Awareness Newsletter today advising HIPAA covered entities and business associates to use proper audit control tools and also secure and regularly review audit trails. 

The HIPAA Security Rule audit controls standard (45 CFR § 164.312(b)) requires covered entities and business associates to implement hardware, software and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). OCR expects covered entities and business associates to consider their risk analysis results and organizational factors when determining what audit controls are reasonable and appropriate for the organization’s information systems. This is another reminder of the importance of risk analysis, which has been a focus of OCR’s HIPAA settlements.

OCR views it as “imperative” for covered entities and business associates to review their audit trails regularly, not only after security incidents and breaches but also during real-time operations. The Newsletter also states that access to audit trails should be “strictly restricted” and limited to authorized personnel.

This OCR Cyber Awareness Newsletter is available here.