HIPAA Compliance Audit Reports

Compliance Audit Reports for the Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Compliance Audit Report

The Health Insurance Portability and Accountability Act (HIPAA) regulation impacts those in healthcare that exchange patient information electronically. HIPAA regulations were established to protect the integrity and security of health information, including protecting against unauthorized use or disclosure of the information.

HIPAA states that a security management process must exist in order to protect against "attempted or successful unauthorized access, use, disclosure, modification, or interference with system operations". In other words, a covered entity must be able to monitor, report and alert on attempted or successful access to systems and applications that contain sensitive patient information.

EventLog Analyzer meets the most challenging HIPAA Compliance Standards for monitoring and auditing system activity. With EventLog Analyzer, you can easily monitor your network systems for any insider activity. HIPAA regulations mandate analysis of all logs, including OS and application logs.

The types of reports that EventLog Analyzer provides for HIPAA Compliance Audits are as follows:

  • User Logon report:
    HIPAA requirements (164.308 (a)(5) - log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
  • User Logoff report:
    The same HIPAA requirement applies to recording when users log off. Together with the logon report, this documents each user's session on systems that hold medical details, whether the user is a legitimate member of the workforce or an intruder, and the fact that sessions are recorded is itself a deterrent to misuse.
  • Logon Failure report:
    The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.
  • Audit Logs Access report:
    HIPAA requirements (164.308 (a)(3) - review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.
  • Object Access report:
    Identifies when a given object (file, directory, etc.) is accessed, the type of access (e.g. read, write, delete), whether the access succeeded or failed, and who performed the action.
  • System Events report:
    Identifies local system processes such as system startup and shutdown and changes to the system time or audit log.
  • Host Session Status report:
    Indicates that someone reconnected to a disconnected terminal server session. (This is only generated on a machine with terminal services running).
  • Successful User Account Validation report:
    Identifies successful user account logon events, which are generated when a domain user account is authenticated on a domain controller.
  • Unsuccessful User Account Validation report:
    Identifies unsuccessful user account logon events, which are generated when authentication of a domain user account on a domain controller fails.
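As an added illustration (not code from EventLog Analyzer or from this page), the following shows how the report categories above can be derived from Windows Security event records and how the Logon Failure report can be turned into the "reporting discrepancies" step that 164.308(a)(5)(ii)(C) asks for. The event IDs, field names and sample records are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Windows Security event IDs mapped onto the report categories above (IDs, field names and sample records are this example's assumptions).
REPORT_FOR_EVENT = {
    4624: "User Logon", 4634: "User Logoff", 4625: "Logon Failure",
    4663: "Object Access", 4616: "System Events", 4778: "Host Session Status",
}

# Constructed sample records (not real log data), shaped like Security-log fields.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:02", "id": 4624, "user": "nurse01", "host": "EMR-WS01"},
    {"time": "2024-05-01T08:01:10", "id": 4663, "user": "nurse01", "host": "EMR-WS01",
     "object": "C:\\EMR\\patient_1234.pdf", "access": "ReadData", "status": "success"},
    {"time": "2024-05-01T08:02:00", "id": 4625, "user": "jdoe", "host": "EMR-WS02"},
    {"time": "2024-05-01T08:02:20", "id": 4625, "user": "jdoe", "host": "EMR-WS02"},
    {"time": "2024-05-01T08:02:45", "id": 4625, "user": "jdoe", "host": "EMR-WS02"},
    {"time": "2024-05-01T08:15:00", "id": 4625, "user": "nurse01", "host": "EMR-WS01"},
    {"time": "2024-05-01T09:00:00", "id": 4616, "user": "SYSTEM", "host": "EMR-WS01"},
    {"time": "2024-05-01T17:05:00", "id": 4634, "user": "nurse01", "host": "EMR-WS01"},
    {"time": "2024-05-01T17:06:00", "id": 4776, "user": "jdoe", "host": "DC-01", "status": "failure"},
]

def build_reports(events):
    """Group records into the HIPAA report categories; unmapped IDs are skipped."""
    reports = defaultdict(list)
    for ev in events:
        category = REPORT_FOR_EVENT.get(ev["id"])
        if ev["id"] == 4776:  # credential validation on a DC: split by outcome
            category = ("Successful " if ev.get("status") == "success"
                        else "Unsuccessful ") + "User Account Validation"
        if category:
            reports[category].append(ev)
    return dict(reports)

def logon_failure_discrepancies(events, threshold=3, window=timedelta(minutes=5)):
    """Flag accounts with >= threshold failed logons inside a sliding time window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            failures[ev["user"]].append(datetime.fromisoformat(ev["time"]))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged
```

The Logon Failure report still lists every failed attempt; the discrepancy function only picks out the clusters a reviewer should look at first.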

HIPAA enforcement became effective on March 16, 2006. The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations.

The relevant extract of the HIPAA regulation is given below:

PART 164—SECURITY AND PRIVACY
Subpart C—Security Standards for the Protection of Electronic Protected Health Information
§ 164.308 Administrative safeguards

164.308(a)(5)(ii)(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

164.308(a)(3)

(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

(ii) Implementation specifications:

(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

164.308(a)(4)

(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

(ii) Implementation specifications:

(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.


Customer Speaks

"Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application."
Jim Lloyd
Information Systems Manager
First Mountain Bank