Unit 6 – Information Activity Review Audit Trail
Assignment Introduction
According to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, a covered entity must implement policies and procedure to regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports (45 CFR 164.308(a)(1)(ii)(D)). Find out more information regarding the requirement here:
∙ HIPAA Security Series –
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es
∙ HIPAA Regulation – https://www.law.cornell.edu/cfr/text/45/164.308
In addition, covered entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use protected health information (45 CFR 164.312(b)). Find out more information regarding the requirement here:
∙ HIPAA Security Series, Technical Safeguards –
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf?language=es
∙ HIPAA Regulation Text – https://www.law.cornell.edu/cfr/text/45/164.312
Other resources:
∙ https://www.health.state.mn.us/facilities/ehealth/privacy/index.html#11
∙ www.hipaacow.org
∙ http://library.ahima.org/doc?oid=300276
∙ http://bok.ahima.org/doc?oid=300244#.V_6UnfkrJhE
∙ http://library.ahima.org/doc?oid=300262#.V_6UufkrJhE
For this assignment, you will use the information above to create an audit form report template with the appropriate fields that are needed to successfully review activity within information systems containing protected health information.
Assignment Scenario
You just accepted a position at Scholastica Hospital as the Director of Data Integrity and Health Information Management. One of your main responsibilities is the oversight of the HIPAA Privacy and Security Regulations. You are currently evaluating the process for reviewing activity with your electronic health record. You discover the electronic health record vendor produces an audit report that provides the following information regarding access into the records:
∙ User Name (Workforce Member)
∙ Patient’s Name (Who they are looking at)
∙ Date/Time of Access
∙ Workstation ID
When reviewing these reports, you determine that there is not enough information to understand what the user is doing within the information system. You only know if an employee was in a patient’s chart and the date/time of the access. There is no information or indication to inform you on what the user is doing within the chart, what the user is looking at, and how long the user was in the chart. Because of this, audits into the electronic health record are not going well as there is not enough information on access and reason for access.
Assignment Instructions
1. Research the regulation and best practices for implementation of information system activity review based on the HIPAA regulations
2. Write a synopsis of the findings from the research, including best practices when designing an information activity review program for Scholastica Hospital (1 – 2 Pages)
3. Create a template, with the appropriate fields, for an audit log
a. Think about what information you would need to have in order to properly evaluation access into the electronic health record
b. This may be in Microsoft Word or Excel
4. Create a findings report for the outcomes of the information activity reviews that you conduct
a. Think about what information you would want to report out to leadership regarding the
audits
Assignment Deliverables
25 Points Possible
1. A 1-2 page synopsis of the HIPAA regulations regarding information system activity, including best practices when designing an information activity review process (10 Points)
2. A template for an audit report, with the appropriate fields that are needed to properly conduct an audit. Think about what information you would need on an audit trail from your electronic system to be able to properly conduct audits (10 Points)
a. This can be in Microsoft Word of Microsoft Excel
3. A report template for documenting the outcomes of the information activity reviews that you will conduct (5 Points)
Format: Follow correct APA Style and include all required components. 7th edition
Expert Solution Preview
In order to successfully review activity within information systems containing protected health information (PHI), it is essential to implement policies and procedures that comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations. HIPAA requires covered entities to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Additionally, covered entities must implement mechanisms that record and examine activity in information systems that contain or use PHI.
To design an effective information activity review program for Scholastica Hospital, the following steps can be followed:
1. Research the HIPAA regulations and best practices for implementing information system activity reviews. This research will provide insights into the specific requirements and recommendations for conducting audits and ensuring the security of PHI.
2. Write a synopsis of the findings from the research, including the best practices for designing an information activity review program. This synopsis should outline the key regulations, requirements, and recommendations for conducting audits, as well as any additional best practices that can enhance the effectiveness of the review program.
3. Create a template for an audit log that includes the appropriate fields necessary for evaluating access into the electronic health record (EHR). Consider including fields such as:
– User Name (Workforce Member): Identifies the individual accessing the EHR.
– Patient’s Name: Indicates the patient whose records are being accessed.
– Date/Time of Access: Records when the access occurred.
– Workstation ID: Identifies the workstation or device used for accessing the EHR.
In addition to these basic fields, it may be beneficial to include additional fields to capture more detailed information about the user’s actions within the EHR, such as the specific sections or documents accessed, the duration of access, and the purpose/reason for access.
4. Create a findings report template to document the outcomes of the information activity reviews conducted. This report should include information that would be relevant and useful to leadership, such as:
– Summary of audit findings: Provide an overview of the audit results, including any identified security incidents or breaches.
– Trends and patterns: Analyze the audit data to identify trends or patterns in access behavior that may indicate potential risks or unauthorized activities.
– Recommendations: Offer recommendations to address any identified issues or improve the overall security and privacy of PHI.
By following these steps and implementing a comprehensive information activity review program, Scholastica Hospital can ensure compliance with HIPAA regulations, mitigate potential risks to PHI, and maintain the privacy and security of patient information.
