Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

POLICY # 46 ADMINISTRATIVE MANUAL APPROVED BY:

POLICY # 46
AUDIT CONTROLS
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERCEDES POLICY:
DATE:
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement hardware, software, and/or procedural mechanisms that
record and examine activity in information systems that contain or use
EPHI.”
Policy Summary:
Sindecuse Health Center (SHC) must be able to record and examine
significant activity on its information systems that contain or use EPHI.
Appropriate hardware, software, or procedural auditing mechanisms must
be implemented on SHC information systems that contain or use EPHI.
The level and type of auditing mechanisms that must be implemented on
SHC information systems that contain or use EPHI must be determined
by SHC’s risk analysis. Logs created by audit mechanisms implemented
on SHC information systems must be reviewed regularly. SHC must
develop and implement a formal process for audit log review.
Purpose:
This policy reflects SHC’s commitment to use appropriate audit controls
on its information systems that contain or use EPHI.
Policy:
1. SHC must be able to record and examine significant activity on its
information systems that contain or use EPHI. SHC must conduct a risk
analysis to identify and define what constitutes “significant activity” on a
specific information system.
2. Appropriate hardware, software, or procedural auditing mechanisms
must be implemented on SHC information systems that contain or use
EPHI. At a minimum, such mechanisms must provide the following
information:




Date and time of significant activity
Origin of significant activity
Identification of user performing significant activity
Description of attempted or completed significant activity
3. The level and type of auditing mechanisms that must be implemented
on SHC information systems that contain or use EPHI must be
determined by SHC’s risk analysis process. Events that should be
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
AUDIT CONTROLS
audited can include but are not limited to:





Access of certain data (e.g. sensitive EPHI like HIV or mental
health records)
Use of certain software programs or utilities
Use of a privileged account
Information system start-up or stop
Failed authentication attempts
4. Logs created by audit mechanisms implemented on SHC information
systems must be reviewed regularly. The frequency of such review must
be determined by SHC’s risk analysis process. At a minimum, the risk
analysis must consider the following factors:



The importance of the applications running on the information
system
The value or sensitivity of the data on the information system
The extent to which the information system is connected to other
information systems
5. SHC must develop and implement a formal process for audit log
review. At a minimum, the review process must include:



Definition of which workforce members will review logs
Procedure for defining how significant log events will be
identified and reported
Definition of audit record retention criteria
6. When possible, SHC workforce members should not review audit logs
that pertain to their own system activity. .
7. When possible, SHC information systems’ real-time clocks must be
set to an agreed upon standard, military time so that audit events are
synchronized. SHC must have a formal procedure for monitoring and
correcting any significant discrepancies in information real-time clocks.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Technical Safeguards
Regulatory Type:
Standard
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
AUDIT CONTROLS
Regulatory
Reference:
45 CFR 164.312(b)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure #(TBD).
Related Policies:
Security Incident Procedures
Response and Reporting
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
AUDIT CONTROLS
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
Related documents
POLICY # 44 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 44 ADMINISTRATIVE MANUAL APPROVED BY:
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
P5-ISAREV
P5-ISAREV
POLICY # 30 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 30 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 24 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 24 ADMINISTRATIVE MANUAL APPROVED BY:
Cooperative Innovative High School Curriculum Template Associate in Science
Cooperative Innovative High School Curriculum Template Associate in Science
Download