Why should EHRs be audited? 

Regular audits help identify vulnerabilities in electronic health records (EHRs), allowing organizations to pinpoint improvement areas. Auditing EHR access logs, for instance, allows organizations to monitor who accessed information to determine if there are any irregularities in the system. 

Compliance auditing and HIPAA

Compliance audits under HIPAA are mainly driven by the requirements outlined in the Privacy Rule and Security Rule. The goal is to examine documentation, training records, and access logs related to electronic protected health information (ePHI) to identify areas of noncompliance. 

This concept is put simply in the International Journal of Computer Applications, which notes an “audit is well positioned through its role as an assurance function to help management and the board identify and consider the key risks…[It] can help the business determine whether those risks are being appropriately mitigated.”

The following areas should be accessed to effectively audit compliance with the Privacy Rule: 

• The policies and procedures for the security of PHI. 
• How PHI is used and disclosed, including minimum necessary standards. 
• Adherence to patient rights like access to their records and obtaining an accounting of disclosures.
• Workforce training on privacy practices. 
• Designation of a Privacy Officer. 

Section 164.308 (a)(8) is a part of the Security Rule that requires that covered entities and business associates “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” These audits verify that ePHI remains confidential and has the appropriate safeguards.

Why EHRs need to be audited 

EHRs must be audited to maintain accountability and security as audit trails provide a chronological record of all access and modifications to patient records. This helps identify unauthorized access and ensures that providers are following established protocols for data handling. These audits also create a culture of accountability amongst staff as the knowledge that access to EHRs will consistently be tracked deters inappropriate behavior due to the chance of being discovered. 

The threats of unaudited systems in healthcare

Health data is a prime target for cyberattacks because of its value on the black market. When healthcare organizations fail to audit, the following risks can emerge: 

• Without audits security gaps, outdated configurations, and vulnerabilities in software and hardware remain undetected leaving systems exposed to threats like malware and ransomware. 
• There is a risk of privilege misuse among staff members which can result in unauthorized access and insider threats.
• Failure to conduct audits can result in noncompliance with HIPAA, specifically the Privacy Rule and Security Rule. 
• Threats can propagate across the network from outer routers to the LAN or VLANs, Without network auditing network configurations and access controls, a small breach can escalate into a systemic failure. 

Related: HIPAA Compliant Email: The Definitive Guide

FAQs

How are role-based access controls implemented? 

Role-based access controls limit access to systems or data based on an individual's job responsibilities. 

When does the Breach Notification Rule apply?

It applies when unsecured PHI is accessed, used, or disclosed in a way that compromises its security or privacy.