The Importance of HIPAA Audit Controls



A graph depicting the growth in the number of Resolutions Agreements from the HHS Office for Civil Rights from 2008 to the first quarter of 2017.

In February of 2017, a new precedent was set by the federal government with the announcement of $5.5 million paid to the U.S. Department of Health and Human Services (HHS) to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The violations led to a first of its kind Resolution Agreement from the HHS Office for Civil Rights (OCR), which highlighted the importance of HIPAA audit controls for care providers.

What does the HHS, OCR announcement mean to you?

The HHS OCR announcement points to how vital to it is for healthcare organizations to meet HIPAA audit requirements. This urgency began with the HIPAA Enforcement Rule, which implemented civil money penalties for HIPAA violations, and detailed provisions on compliance and investigations conducted by the HHS OCR. HIPAA compliance rules include best practices to avoid the kind of PHI data breaches that result in heavy fines and penalties. These requirements include the systematic review of systems which access PHI through the examination of audit trails and related information.

In June of 2016, FairWarning (now Imprivata) held an executive webinar in which the Director of OCR Enforcement announced the intention to increase emphasis on HIPAA audit controls. Since 2008, we have seen the number of Resolution Agreements rise, with a record thirteen Resolution Agreements issued in 2016 alone, and four by mid-February 2017. The graph above depicts the growth in the number of HHS OCR Resolution Agreements between 2008 and the first quarter of 2017.

In order to satisfy HIPAA compliance rules and attest for Meaningful Use (MU), you need solutions that automatically and accurately monitor enterprise applications to flag suspicious behavior and create a clear audit trail. Quickly detecting risky behavior helps prevent data breaches, and having a clear record helps investigate anomalous behavior. Increasingly frequent HIPAA audits and increasingly punitive Resolution Agreements from the OCR have raised the stakes for care provider security strategies.

How do you satisfy OCR HIPAA audit controls?

The HHS offers additional guidance on HIPAA audit requirements and outlines four questions that covered entities and business associates should consider:

  • What are the audit control capabilities of information systems with ePHI?
  • Do your HIPAA audit controls allow your organization to adhere to audit control policies and procedures?
  • Are changes or upgrades of your HIPAA audit protocol necessary?
  • What reasonable and appropriate audit control mechanisms can be implemented to better record and examine activity that involves ePHI?

Imprivata FairWarning Patient Privacy Intelligence offers three critical capabilities that meet the business and technical demands for compliance and security faced by modern care providers:

  • High availability and scale
  • Data integrity and governance
  • Open architecture

Imprivata FairWarning Patient Privacy Intelligence is the industry’s next-generation compliance and information security platform. To examine the critical capabilities delivered by Imprivata FairWarning, download our whitepaper, Patient Privacy Intelligence: The Intersection of Compliance, Legal and Information Security.