The Health Insurance Portability and Accountability Act (HIPAA) regulation impacts health care organizations that exchange and store patient information. HIPAA regulations were established to protect the integrity of patient information, and compliance is intended to secure health information against unauthorized use, theft or disclosure.
As part of the requirements, HIPAA states that a security management process must exist in order to protect against “attempted or successful unauthorized access, use, disclosure, modification, or interference with system operations”. Further, an organization must be able to monitor, report and alert on attempted or successful access to systems and applications that contain sensitive patient information.
Gartner analysis of data from the U.S. Centers for Medicare and Medicaid Services’ (CMS’s) Office for Civil Rights (OCR) shows that almost two-thirds of organizations regulated by HIPAA do not have complete or accurate risk assessment capabilities.
Sample Pre-defined HIPAA Audit-ready Reports
- User Logon report – HIPAA requirements (164.308 (a) (5) – log-in/log-out monitoring) state that user accesses to the system be recorded and monitored for possible abuse.
- User Logoff report – HIPAA requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
- Logon Failure report – The security logon feature includes logging of all unsuccessful login attempts. The user name, date and time of each attempt are included in this report.
- Audit Logs access report – HIPAA requirements (164.308 (a) (3) – review and audit access logs) call for procedures to regularly review records of information system activity such as audit logs.
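The four reports above are all derived from the same access-event stream. The following added example (not code from the original page or from any product it describes) builds each of them from a handful of constructed Windows Security log lines. It uses the real Windows event IDs 4624 (logon), 4625 (logon failure), 4634 (logoff) and 1102 (audit log cleared); the line format, user names, hosts and the failure threshold are assumptions made for the example.

```python
"""Build HIPAA-style user access reports from constructed security log events."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Real Windows Security event IDs: successful logon, failed logon, logoff,
# and "audit log was cleared" (the classic tamper signal on the audit trail).
LOGON, LOGON_FAILED, LOGOFF, AUDIT_LOG_CLEARED = 4624, 4625, 4634, 1102

# Constructed sample log (assumed line format: timestamp event_id user host).
# These lines are made up for the example and come from no real system.
SAMPLE_LOG = """\
2024-03-01T08:01:12Z 4624 jdoe WS-RAD-01
2024-03-01T08:45:03Z 4634 jdoe WS-RAD-01
2024-03-01T09:10:00Z 4625 asmith WS-ER-07
2024-03-01T09:10:21Z 4625 asmith WS-ER-07
2024-03-01T09:10:44Z 4625 asmith WS-ER-07
2024-03-01T09:11:02Z 4624 asmith WS-ER-07
2024-03-01T23:50:10Z 1102 svc-backup SRV-DC-01
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    user: str
    host: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed whitespace-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, host = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            int(event_id), user, host))
    return events


def _by_id(events: list[Event], event_id: int) -> list[tuple[str, str, str]]:
    """Rows of (timestamp, user, host) for one event type, oldest first."""
    return [(e.ts.isoformat(), e.user, e.host)
            for e in sorted(events, key=lambda e: e.ts) if e.event_id == event_id]


def logon_report(events: list[Event]) -> list[tuple[str, str, str]]:
    """User Logon report: every successful logon, who and from where."""
    return _by_id(events, LOGON)


def logoff_report(events: list[Event]) -> list[tuple[str, str, str]]:
    """User Logoff report: every logoff, so sessions can be bounded in time."""
    return _by_id(events, LOGOFF)


def logon_failure_report(events: list[Event], threshold: int = 3) -> dict:
    """Logon Failure report: each failed attempt plus per-user counts, flagging
    users whose failures reach the (assumed) review threshold."""
    attempts = _by_id(events, LOGON_FAILED)
    counts = Counter(user for _, user, _ in attempts)
    flagged = sorted(u for u, n in counts.items() if n >= threshold)
    return {"attempts": attempts, "counts": dict(counts), "flagged": flagged}


def audit_log_access_report(events: list[Event]) -> list[tuple[str, str, str]]:
    """Audit Logs access report: actions against the audit trail itself.
    Clearing the log is the one such action modelled here."""
    return _by_id(events, AUDIT_LOG_CLEARED)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Logons:", logon_report(evs))
    print("Logoffs:", logoff_report(evs))
    print("Failures:", logon_failure_report(evs))
    print("Audit log events:", audit_log_access_report(evs))
```

Each report function returns plain rows rather than printing, so the same functions can feed a scheduled review job or a test. A real deployment would read from the Security event log or a forwarded log source instead of `SAMPLE_LOG`, and the threshold in `logon_failure_report` should be set by the organization's review procedure.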