We all like to believe (and hope) that the people we hire will do their jobs without potentially compromising patient care or privacy. And to that point, most people we meet are honest and hard working. Yet this morning, we read that Aultman Health Foundation in Ohio has discovered (and terminated) an employee who had been reviewing PHI beyond the "minimum necessary to perform their job" for the past 12 years. In response, Aultman Health Foundation is notifying 7,300 patients, offering identity theft protection and credit monitoring, and advising patients to review their insurance statements for accuracy.
§164.308(a)(1)(ii)(D) and §164.312(b) are required by the HIPAA Security Rule. The former, an administrative security control, directs us to "...implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports..." while the latter, a technical security control, requires us to "...implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information...". The extent to which audits are configured and performed should follow a "reasonable and appropriate" principle, framed by the resources available and the complexity of the operating environment.
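As an added illustration of what "regularly reviewing access reports" can look like in practice (this is example code written for this post, not anything from Aultman or any vendor), the script below runs two checks over a constructed EHR access-audit export: accesses with no documented treatment or billing relationship, and users who touch far more distinct patients than peers in the same role. The log format, the column names and the relationship table are all assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample of an EHR access-audit export (not real data).
# Assumed columns: timestamp, user, role, patient, action.
AUDIT_LOG = """timestamp,user,role,patient,action
2024-03-01T08:02:11,nurse01,nurse,P1001,view
2024-03-01T08:05:40,nurse01,nurse,P1002,view
2024-03-01T08:07:03,nurse02,nurse,P1003,view
2024-03-01T08:09:15,nurse02,nurse,P1004,update
2024-03-01T09:15:52,clerk07,billing,P1001,view
2024-03-01T09:16:10,clerk07,billing,P1005,view
2024-03-01T09:16:31,clerk07,billing,P1006,view
2024-03-01T09:16:55,clerk07,billing,P1007,view
2024-03-01T09:17:20,clerk07,billing,P1008,view
2024-03-01T09:17:44,clerk07,billing,P1009,view
2024-03-01T12:40:02,clerk08,billing,P1005,view
"""

# Assumed treatment/billing relationships (e.g. from scheduling and claims).
ASSIGNED = {
    "nurse01": {"P1001", "P1002"},
    "nurse02": {"P1003", "P1004"},
    "clerk07": {"P1001", "P1005"},
    "clerk08": {"P1005"},
}

def review_access_log(log_text, assigned, volume_factor=3.0):
    """Return (no_relationship, volume_outliers) for an audit export.

    no_relationship: rows where the user had no documented relationship
    with the patient (candidates for a break-the-glass justification).
    volume_outliers: {user: distinct patients} where the count exceeds
    volume_factor times the median of the user's same-role peers.
    """
    rows = list(csv.DictReader(io.StringIO(log_text)))
    no_relationship = [r for r in rows
                       if r["patient"] not in assigned.get(r["user"], set())]
    patients_by_user = defaultdict(set)
    role_of = {}
    for r in rows:
        patients_by_user[r["user"]].add(r["patient"])
        role_of[r["user"]] = r["role"]
    counts_by_role = defaultdict(list)
    for user, pats in patients_by_user.items():
        counts_by_role[role_of[user]].append((user, len(pats)))
    outliers = {}
    for user, pats in patients_by_user.items():
        peers = [n for u, n in counts_by_role[role_of[user]] if u != user]
        if peers and len(pats) > volume_factor * statistics.median(peers):
            outliers[user] = len(pats)
    return no_relationship, outliers
```

On the sample data both checks converge on clerk07, which is the point: a relationship check catches individual accesses, while the peer comparison surfaces the slow, years-long pattern that a single-record review would miss.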
We hope this post reminds our readers that audits, while about as much fun as being poked in the eye with a spoon, are a necessary part of a healthy HIPAA Security (and Privacy) program.
Stay (HIPAA) safe, Alan -