May 2017

HIM Challenges: OCR Puts Audit Controls on the Front Burner
By Rick L. Hindmand, JD
For The Record
Vol. 29 No. 5 P. 30

Within the first two months of 2017, the Office for Civil Rights (OCR) issued guidance and announced a settlement making it clear that it views audit controls as an essential element of cybersecurity and HIPAA compliance.

The HIPAA Security Rule sets forth information system review and audit control provisions requiring covered entities and business associates to implement procedures to regularly review records of information system activity (eg, audit logs, access reports, and security incident tracking reports), and hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI).

OCR's January guidance and February settlement shed light on its expectations for audit control as well as some of the risks from failure to effectively maintain and review audit logs and trails.

Cyber Awareness Newsletter
In its January 2017 Cyber Awareness Newsletter, "Understanding the Importance of Audit Controls," OCR advised HIPAA-covered entities and business associates to use proper audit control tools to collect, monitor, and review audit trails, protect the integrity of audit records, and prevent tampering.

OCR observes that audit controls work in conjunction with audit logs and audit trails, which OCR describes based on National Institute of Standards and Technology standards. Audit logs are records of events based on applications, users, and systems. Audit trails, which involve audit logs of applications, users, and systems, maintain a record of system activity based on application processes and user activity within the systems and applications.

OCR notes several examples of audit trails, including the following:

• application audit trails, which monitor and log user activities in a given application such as the opening and closing of data files and the creation, reading, editing, and deletion of application records;

• system-level audit trails, which usually capture log-on attempts (both successful and unsuccessful), as well as log-on identification, date and time, devices used, and the application accessed; and

• user audit trails, which normally monitor and log user activity by recording events initiated by the user.

Audit controls must be customized to fit the needs and environment of the covered entity or business associate. The OCR newsletter suggests that covered entities and business associates consider which audit tools will be most helpful in both reducing nonuseful information and extracting useful information. It also notes that the Security Rule does not identify what information should be collected or how often audit reports should be reviewed.

OCR expects covered entities and business associates to consider their risk analysis results and organizational factors when determining reasonable and appropriate audit controls for the organization's information systems. This provides another reminder of the importance of risk analysis, which has been a focus of OCR's HIPAA enforcement activities in recent years.

OCR views it as "imperative" for covered entities and business associates to review their audit trails regularly—not only following security incidents and breaches, but also during real-time operations. The newsletter also states that access to audit trails should be "strictly restricted" and limited to authorized personnel.

The newsletter is available at www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf.

$5.5 Million HIPAA Settlement
On February 16, 2017, OCR announced the payment of $5.5 million by Memorial Healthcare System (MHS) to settle potential violations of the HIPAA privacy and security rules for failure to implement effective audit controls for its information systems. MHS operates various facilities in south Florida, including six hospitals, and is the third largest public health care system in the United States.

In April 2012, MHS reported to OCR that two MHS employees inappropriately accessed patient information. Three months later, MHS notified OCR that during its internal investigation, it discovered that 12 users at affiliated physician offices had gained impermissible access to PHI. Of particular concern, the login credentials of a former employee of an affiliated physician's office were used to access ePHI from MHS on a daily basis for more than 12 months without detection. These incidents affected 115,000 individuals and resulted in federal charges for selling PHI and filing fraudulent tax returns.

OCR found Security Rule violations based on MHS' failure to do the following:

• maintain procedures for the review, modification, and termination of rights of access for users (even though MHS maintained other workforce access policies and procedures); and

• implement procedures to regularly review records (such as audit logs, access reports, and security incident tracking reports) of information system activities by users within the MHS workforce and from affiliated physician practices, even though MHS identified the risk of such access in multiple risk analyses between 2007 and 2012.

In addition to the $5.5 million payment (the second-largest HIPAA settlement by OCR to date), the resolution agreement requires MHS to implement and maintain a robust corrective action plan for three years.

In a press release, OCR Acting Director Robinsue Frohboese says, "Organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen."

OCR's press release, the Resolution Agreement, and the Corrective Action Plan are available at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/memorial/index.html.

Broader Implications
Access controls are crucial to achieving the broader objectives of protecting the privacy and security of ePHI, as well as maintaining the integrity of the legal health record and the EHR. In its newsletter, OCR points to audit logs and audit trails as tools to assist covered entities and business associates in reviewing inappropriate access, tracking unauthorized disclosures, detecting performance problems and malicious activity, and providing forensic evidence during security incident and breach investigations. Audit controls are particularly intertwined with ensuring that access to ePHI is limited to authorized users and that rights of access are terminated or otherwise modified to reflect changes in status such as termination of employment or changes in responsibilities.

The recent OCR guidance and MHS settlement should provide a wakeup call about the need to implement effective audit controls and monitor access to ePHI. Covered entities and business associates must be vigilant in reviewing information system activity through audit trails, access reports, and security incident tracking reports for signs of improper access or threats. Access by users should be terminated when no longer needed or justified.

Failure to take these steps can create serious consequences, including misuse and improper disclosure of patient information leading to enforcement actions by OCR and state attorneys general as well as class action lawsuits and a loss of goodwill.

— Rick L. Hindmand, JD, is a health care attorney with McDonald Hopkins LLC in Chicago who works with providers and organizations on regulatory, data privacy, cybersecurity, corporate, transactional, and reimbursement matters.