Unit 6 – Information Activity Review Audit Trail
Assignment Introduction
According to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, a covered entity must implement policies and procedure to regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports (45 CFR 164.308(a)(1)(ii)(D)). Find out more information regarding the requirement here:
∙ HIPAA Security Series –
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es
∙ HIPAA Regulation – https://www.law.cornell.edu/cfr/text/45/164.308
In addition, covered entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use protected health information (45 CFR 164.312(b)). Find out more information regarding the requirement here:
∙ HIPAA Security Series, Technical Safeguards –
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf?language=es
∙ HIPAA Regulation Text – https://www.law.cornell.edu/cfr/text/45/164.312
Other resources:
∙ https://www.health.state.mn.us/facilities/ehealth/privacy/index.html#11
∙ www.hipaacow.org
∙ http://library.ahima.org/doc?oid=300276
∙ http://bok.ahima.org/doc?oid=300244#.V_6UnfkrJhE
∙ http://library.ahima.org/doc?oid=300262#.V_6UufkrJhE
For this assignment, you will use the information above to create an audit form report template with the appropriate fields that are needed to successfully review activity within information systems containing protected health information.
Assignment Scenario
You just accepted a position at Scholastica Hospital as the Director of Data Integrity and Health Information Management. One of your main responsibilities is the oversight of the HIPAA Privacy and Security Regulations. You are currently evaluating the process for reviewing activity with your electronic health record. You discover the electronic health record vendor produces an audit report that provides the following information regarding access into the records:
∙ User Name (Workforce Member)
∙ Patient’s Name (Who they are looking at)
∙ Date/Time of Access
∙ Workstation ID
When reviewing these reports, you determine that there is not enough information to understand what the user is doing within the information system. You only know if an employee was in a patient’s chart and the date/time of the access. There is no information or indication to inform you on what the user is doing within the chart, what the user is looking at, and how long the user was in the chart. Because of this, audits into the electronic health record are not going well as there is not enough information on access and reason for access.
Assignment Instructions
1. Research the regulation and best practices for implementation of information system activity review based on the HIPAA regulations
2. Write a synopsis of the findings from the research, including best practices when designing an information activity review program for Scholastica Hospital (1 – 2 Pages)
3. Create a template, with the appropriate fields, for an audit log
a. Think about what information you would need to have in order to properly evaluation access into the electronic health record
b. This may be in Microsoft Word or Excel
4. Create a findings report for the outcomes of the information activity reviews that you conduct
a. Think about what information you would want to report out to leadership regarding the
audits
Assignment Deliverables
25 Points Possible
1. A 1-2 page synopsis of the HIPAA regulations regarding information system activity, including best practices when designing an information activity review process (10 Points)
2. A template for an audit report, with the appropriate fields that are needed to properly conduct an audit. Think about what information you would need on an audit trail from your electronic system to be able to properly conduct audits (10 Points)
a. This can be in Microsoft Word of Microsoft Excel
3. A report template for documenting the outcomes of the information activity reviews that you will conduct (5 Points)
Format: Follow correct APA Style and include all required components. 7th edition
Expert Solution Preview
Question: What is the purpose of regularly reviewing records of information system activity in accordance with HIPAA regulations?
Answer: The purpose of regularly reviewing records of information system activity in accordance with HIPAA regulations is to ensure that covered entities are implementing policies and procedures to monitor access to protected health information, and to detect and respond to security incidents that affect the confidentiality, integrity, and availability of that information. This helps to identify potential security breaches or unauthorized access to patients’ personal health information, and ensures that corrective actions are taken to protect patient privacy and prevent future incidents.
