Okay, let's clarify:

An accounting of disclosures is *not* the same thing as an "audit log." An accounting of disclosures is a type of document a CE is required to provide an individual upon request, which includes information specified in the privacy rule. See 164.528. Since this accounting is required to be made for all disclosures up to six years before the request, it implies that a CE had better maintain documentation to support the accounting for at least six years. (Also, the accounting document itself will have to be retained for at least six years after it is provided.)
The security rule says nothing about "audit logs." It does include a standard (no additional specification) for "audit controls," which are "hardware, software and/or procedural mechanisms that record and examine activity in information systems." The draft (1998) security rule proposed to require "audit trails," which also does not transparently translate into "audit logs." Personally, I'm familiar with the terms "log file," generally meaning a file recording host access activities, and "audit trails," meaning an application which makes a chronological record of system events. (My suspicion is that HHS moved from "audit trails" to "audit controls" to allow for more flexibility in the mix of administrative and technical safeguards which could be used to provide a record of system events.) So I guess I would say a "log file" might be a part of a set of audit controls; a really good "audit trail" application might be most of a set of audit controls; and I don't know how "audit logs" fit in, because neither the rules nor any of the documentation published with them uses the term.
[DIGRESSION: Why is this guy being such a pain about language? Jeez, can't he lighten up? RESPONSE: Words used in regulations are terms of art; they have specifiable legal meanings. Those who would advise CEs about their legal obligations - and we won't get into the interesting questions around the difference, or possible lack of difference, between "regulatory compliance consulting" and "the practice of law" just now - owe it to their clients to use such words correctly. If, in five years, your client is defending the adequacy of its "audit controls" by showing the HHS and/or CMS auditor and/or the plaintiffs' class action litigator your memo talking about the adequacy of the "audit logs" you recommended, at the very least the credibility of the recommendation is undermined. I can put together any number of scenarios in which incorrect "HIPAA language" in memos, letters, etc. may come back to haunt CEs on big white boards in court. ("How can it have been an appropriate decision *when you didn't even use the right terms?* Did you even *read the regulations, Mr. Jones?*") So yes, I'm a stickler for language; in my profession "bad language" all too quickly slides down the slope into malpractice. END OF DIGRESSION]
To the extent a CE's "audit controls" include policies and documentation procedures as an administrative component, I think 164.316(b)(1)(i) would require such policies and documentation to be in writing subject to the six-year rule of 164.316(b)(2)(i). For example, a database system may not be set up to record activity with respect to any specific data set. One way to manage this problem might be to use electronic sign-on documentation - e.g. a click-through representation that the user will only access data sets for patients who are under his care, only for purposes of TPO; I've used this approach before and in the right environment it can be a reasonable security control - and if that were to be done, I would consider it a "procedure implemented to comply with the security rule," so that a record of each click-through would be required to be documented subject to the six-year rule.
John R. Christiansen
Preston | Gates | Ellis LLP
Direct: 206.370.8118
Cell: 206.683.9125
Reader Advisory Notice:
Internet email is inherently insecure. Message content may be subject to alteration, and email addresses may incorrectly identify the sender. If you wish to confirm the content of this message and/or the identity of the sender please contact me at one of the phone numbers given above. Secure messaging is available upon request and recommended for confidential or other sensitive communications.
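The click-through sign-on described in the post above only works as an audit control if each acceptance is recorded in a form that can later be examined and shown not to have been altered. What follows is an added example, not part of the post and not any WEDI or Preston Gates material: a hash-chained, append-only record of click-through attestations, with a verify() that reports the first entry whose content or chain link no longer checks out, a retention calculation for the six-year rule (counted here from the record's creation date, which is an assumption made for the example), and a lookup of attested accesses by patient. The user and patient identifiers, the attestation wording and the timestamps are all constructed for the example.

```python
"""Tamper-evident record of click-through attestations (added example, not from the post)."""
import copy
import hashlib
import json
from datetime import datetime, timezone

RETENTION_YEARS = 6          # the six-year rule discussed in the post
GENESIS_HASH = "0" * 64      # chain anchor for the first entry

# Constructed attestation wording; what a real CE would have users accept is a policy choice.
ATTESTATION_TEXT = ("I will access only records of patients under my care, "
                    "and only for treatment, payment or health care operations.")


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the canonical JSON of a record together with the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def add_years(when: datetime, years: int) -> datetime:
    """Anniversary of `when`; a Feb 29 creation date falls back to Feb 28."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


class AttestationLog:
    def __init__(self) -> None:
        self.entries = []   # each entry: {"prev_hash", "record", "hash"}

    def record_click_through(self, user_id: str, patient_id: str,
                             purpose: str, when: datetime) -> str:
        """Append one click-through event; returns the new entry's hash."""
        record = {
            "user_id": user_id,
            "patient_id": patient_id,
            "purpose": purpose,                 # treatment / payment / operations
            "attestation": ATTESTATION_TEXT,    # the text the user accepted
            "when": when.astimezone(timezone.utc).isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"prev_hash": prev, "record": record,
                 "hash": _entry_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Index of the first entry whose chain link or content fails to verify, else None."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if (entry["prev_hash"] != prev
                    or _entry_hash(prev, entry["record"]) != entry["hash"]):
                return i
            prev = entry["hash"]
        return None

    def retention_expiry(self, index: int) -> datetime:
        """End of the six-year retention period, counted from creation (assumption)."""
        created = datetime.fromisoformat(self.entries[index]["record"]["when"])
        return add_years(created, RETENTION_YEARS)

    def purgeable(self, now: datetime) -> list:
        """Indices of entries whose retention period has run as of `now`."""
        return [i for i in range(len(self.entries)) if self.retention_expiry(i) <= now]

    def accesses_for(self, patient_id: str) -> list:
        """Attested accesses to one patient's data, e.g. to answer a later inquiry."""
        return [e["record"] for e in self.entries
                if e["record"]["patient_id"] == patient_id]


def build_sample_log() -> AttestationLog:
    """Constructed sample events; the users and MRNs are not real."""
    log = AttestationLog()
    log.record_click_through("dr_jones", "MRN-1001", "treatment",
                             datetime(2005, 4, 20, 9, 5, tzinfo=timezone.utc))
    log.record_click_through("dr_jones", "MRN-1002", "treatment",
                             datetime(2005, 4, 20, 9, 30, tzinfo=timezone.utc))
    log.record_click_through("billing_01", "MRN-1001", "payment",
                             datetime(2008, 2, 29, 14, 0, tzinfo=timezone.utc))
    return log


def tampered_copy(log: AttestationLog, index: int) -> AttestationLog:
    """Copy of the log with one record silently edited; verify() should flag that index."""
    bad = copy.deepcopy(log)
    bad.entries[index]["record"]["purpose"] = "research"
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None)
    print("first bad entry after edit:", tampered_copy(log, 1).verify())
    print("purgeable on 2011-04-20:",
          log.purgeable(datetime(2011, 4, 20, 9, 30, tzinfo=timezone.utc)))
```

The chain only proves that nothing was altered after the point where the entries were written, so the same entries should also be copied to storage that ordinary users and database administrators cannot rewrite; and nothing is purged automatically here, since deciding when a record is no longer "in effect" is a policy question the code cannot answer.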
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.