The Health Insurance Portability and Accountability Act is a federal law that extends far beyond what you would expect given the name. It involves a lot more than just health insurers, and it covers much more than simple portability and accountability.
Overall, HIPAA is the complete set of rules that dictates how anyone tied to healthcare handles protected information. While protected information usually includes personal and health information of patients, the term is deliberately general and can apply to virtually any record kept by a healthcare provider. This is especially true when state regulations expand on the purview of HIPAA. More than that, it can apply to businesses and personnel only adjacently connected to healthcare.
Insurers, administrators and even IT staff that work in a healthcare vertical can all be subject to the rules of HIPAA. Even people who don’t see themselves as healthcare providers may be under this jurisdiction, and it is prudent to understand the regulations and ensure compliance. Failure to do so can be absolutely devastating to a company, even if they never experience a data breach.
Among that long list of rules is a concept known as log requirements and audit logs, which require you to carefully track all of the data kept by your computer systems that interact with patient information. This is a large umbrella, and it is better understood when broken into smaller, more concise pieces.
Log compliance is a large, complicated issue. Healthcare regulations force you to collect very specific information and handle it in closely regulated ways. Aside from how you collect actual health and patient data, you’re required to look at system-level information to assert that the data is stored, transmitted and otherwise treated in a way that complies with regulations.
One of the backbones of adhering to these rules can be found in log compliance. Logs must be compiled, stored and assessed to ensure that protected information is being properly handled. The logs have to be audited, and even the audit logs have to be properly compiled, stored and assessed. The entire protocol is several layers deep, but gaining a cursory understanding of it all can help you find a reasonable way to follow the law and protect sensitive information.
Just take a look at a few explicit requirements and covered entities to get a feel for how deep this rabbit hole goes.
Encryption of Data at Rest
When most people think of data breaches, they tend to envision some nebulous idea of a data heist. They figure that information is at the greatest risk when it is being transmitted. That’s when it is on accessible networks (if not the world wide web), and that’s the best time for an information thief to strike.
In reality, data at rest is just as vulnerable and needs just as much protection. That’s why HIPAA outlines the handling of data at rest. While a specific encryption protocol is not required, HIPAA does hold healthcare providers accountable for information that is accessed, leaked or stolen from at-rest storage. Encryption is typically one of the standard defenses deployed against this risk.
Log Monitoring and Alerting
Most healthcare providers understand that they have to collect and store logs. That’s something you’ll see in great detail further down. But, a lot of providers overlook the requirements for active monitoring and alerting.
Specifically, you are required to monitor every single log-in attempt that involves a system that houses protected information. Even if a user is logging in for purposes that don’t involve protected data, the system is linked to that data, and that activity has to be recorded.
Additionally, your system has to regularly check all of the logs and reports and identify problematic behavior or occurrences. This is not an easy task. It involves combing through system activity, access reports, and security reports. Fail on any one level, and you are out of HIPAA compliance.
Vulnerability Scans and Penetration Tests
HIPAA requires a risk analysis of all systems tied to protected data. This is one of the areas where the requirements are less clearly defined. As long as you can provide an analysis, you are compliant.
That said, successfully analyzing risk is neither simple nor easy. In most practices, the actions taken to complete a risk assessment include vulnerability scans and penetration tests. So, while neither of those terms is listed in a section of the regulations, they are effectively required.
Vulnerability scans and penetration tests are designed to explore exactly how an external threat could attack a system. The penetration test, in particular, shows how likely such attacks are to succeed. That’s the core of a risk assessment, and without these tests, you could be found liable for HIPAA compliance failure in the case of a data breach.
Security Rule 164.312(b)
This HIPAA security rule explicitly defines regulations regarding HIPAA logging. The regulation reads: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
In simpler terms, this applies to any technology you use that can or does access protected information. It’s not just computers or servers with patient files. The routers connected to the servers, personal devices that access information, and every other piece of technology in the system are subject to this rule. More importantly, the “activity in information systems” has to be carefully monitored and recorded.
What does the rule say? It says that you have to have HIPAA audit logs of protected information. That involves quite a few different components, and each is mandatory in order to stay HIPAA compliant.
Log Retention Requirements
One of the first things to learn about HIPAA audit logs is that you have to hang on to them. Gathering and storing the required information is one thing, but if you dump your logs too soon, you’re in as much trouble as if you never collected the information in the first place.
HIPAA regulations are a mix of federal and state requirements. Navigating them all can prove quite challenging. When it comes to log retention requirements in general, an overview can give you a clear idea of what you need. While you read, try to remember that state and local regulations can vary. You always need to double-check your own state requirements in addition to federal mandates.
Minimum Retention Time
It’s not enough to have HIPAA audit controls. You also have to hang onto the audits. More specifically, you have to hang on to them for a significant period of time. The federal minimum requires you to keep each individual audit log for at least six years, but that’s not the end of the story. States have the authority to extend that minimum if they deem it necessary. As an example, Connecticut extends the regulation to seven years. They also expand what falls under protected information.
Audit logs are about accountability. They track every single access to protected information. Keep in mind that this includes failed attempts to access the information. In the case of a breach, the audit logs can show exactly who or what was involved in the breach in order to hold the right parties accountable.
In addition to accountability, the logs help experts identify what went wrong in order to shore up security and keep patient information as safe as it is supposed to be.
All of this does not come freely or easily. HIPAA guidelines clearly dictate how the logs should be handled and what should be in them. A detailed list of the required information can show you just how robust your system needs to be to follow the rules. It is an exhaustive list of software and/or procedural obligations.
Naturally, the regulations also define what information has to be contained in the audit logs. The shortlist includes user logins, changes to the databases, the addition of new users, new user access levels, files accessed, operating system logs, firewall logs, and anti-malware logs.
That’s an extensive list. In more general terms, you must have audit logs that show every single user who accesses the information, and you must record their access level and the exact information that they access.
Additionally, you must track system-level information. The inclusion of operating system logs, firewall data and anti-malware information allows your audit logs to record instances of external intrusion, or attempted intrusion. This is a complete accountability map that can show exactly who, how and why confidential information might have ended up in the wrong hands.
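To make the monitoring requirement above concrete (every log-in attempt, including failures, plus the user, access level and resource of each access), here is an added example that is not part of the original article. It parses constructed audit records, raises alerts for a burst of failed logins and for a patient-record read by an account outside a hypothetical access policy, and checks which records have aged past the six-year federal retention minimum. The field names, the policy constants and the sample records are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit records (not from any real system), one JSON object per line.
# Fields cover the categories the article lists: user, access level, action, resource, outcome.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:00:01Z","user":"nurse01","level":"clinical","action":"login","outcome":"success"}
{"ts":"2024-03-01T08:00:09Z","user":"nurse01","level":"clinical","action":"read","resource":"patient/1042","outcome":"success"}
{"ts":"2024-03-01T08:01:00Z","user":"billing02","level":"billing","action":"login","outcome":"failure"}
{"ts":"2024-03-01T08:01:07Z","user":"billing02","level":"billing","action":"login","outcome":"failure"}
{"ts":"2024-03-01T08:01:15Z","user":"billing02","level":"billing","action":"login","outcome":"failure"}
{"ts":"2024-03-01T08:02:30Z","user":"svc_backup","level":"system","action":"read","resource":"patient/1042","outcome":"success"}
"""

# Hypothetical local policy: which access levels may read patient records, and how many
# failed logins inside a window should raise an alert.
PHI_READ_LEVELS = {"clinical", "billing"}
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
RETENTION = timedelta(days=6 * 365)  # federal minimum of six years; states may extend it

def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_log(text):
    """Turn the line-delimited JSON audit log into a list of event dicts with parsed timestamps."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = _parse_ts(e["ts"])
    return events

def find_alerts(events):
    """Return (kind, user) tuples: failed-login bursts and PHI reads outside the access policy."""
    alerts, failures = [], {}
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            # Failed attempts are logged too; keep only those inside the sliding window.
            recent = [t for t in failures.get(e["user"], []) if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(e["ts"])
            failures[e["user"]] = recent
            alert = ("failed_login_burst", e["user"])
            if len(recent) >= FAILED_LOGIN_THRESHOLD and alert not in alerts:
                alerts.append(alert)
        elif e["action"] == "read" and e.get("resource", "").startswith("patient/"):
            if e["level"] not in PHI_READ_LEVELS:
                alerts.append(("phi_read_outside_policy", e["user"]))
    return alerts

def purge_eligible(events, now_iso):
    """Records younger than the retention minimum must be kept; return only those old enough to purge."""
    now = _parse_ts(now_iso)
    return [e for e in events if now - e["ts"] >= RETENTION]
```

A real deployment would read the records from the system's own log store and forward the alerts to whoever handles incident review; the policy constants shown here must come from your own, documented, access rules.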
Overall, this is not a simple list to complete. You need expert help in setting up your audit logs to make sure they track everything that is required and safely store the logs so that they can be kept for the required period of time.
HIPAA compliance requires more than just these logs. It’s a large regulatory set and oversees much of any given healthcare interaction or process. If you’re going to keep up, you need more than audit logs and a system to manage them. You need a culture of HIPAA compliance.
In general, you can achieve that culture by focusing on three things. First, you need the policies and procedures in place. It’s a lot of work, but they have to be detailed. Employees can’t be expected to follow every HIPAA security rule if those rules aren’t properly explained.
Second, you need regular education for staff. Any given HIPAA security rule can be updated with regularity, and change is constant. Consistent continuing education will keep staff ahead of the curve and playing by all of the rules.
Finally, you need some expertise. Healthcare providers have plenty to worry about without mastering the technological requirements baked into HIPAA. Outsourcing the technical aspects of HIPAA compliance can save you time, money and sanity. Take a look at Compliance Services and see how you could benefit from a little outside help. If you find any of the regulations you just read to be at all intimidating, it’s probably a good idea to involve additional expertise.