PIEDMONT ACCESS TO HEALTH SERVICES, INC.
Policy Number: 01-01-035
SUBJECT: Internal Audit
EFFECTIVE DATE: 09/16/2011
REVIEWED/REVISED:
______________________________________________________________________________
Introduction
PATHS has adopted this Internal Audit Policy to comply with the Health Insurance
Portability and Accountability Act of 1996 (“HIPAA”) and the Department of Health and
Human Services (“DHHS”) security and privacy regulations, and to meet our duty to protect
the confidentiality and integrity of confidential medical information as required by law,
professional ethics, and accreditation requirements. This policy governs the use of PATHS
health data, media, and computer assets wherever located. All personnel of PATHS must
comply with this policy. Familiarity with this policy and demonstrated competence in its
requirements are an important part of every employee’s responsibilities.
Assumptions
This Internal Audit Policy is based on the following assumptions:
• Data, media, and computer assets are the physical property of PATHS, wherever
located, although patients and others may have rights of access to the data.
• Data users have no expectation of privacy in PATHS’s data, media, and computer or
other information assets, wherever located. PATHS may audit their use for
compliance.
• A high level of accuracy and reliability of PATHS’s health and business data is
critical for providing quality patient care and other PATHS operations.
• Individually identifiable health information is sensitive and confidential. Such
information is protected from improper use and disclosure by HIPAA, its
implementing regulations, other state and federal laws, professional ethics, and
accreditation requirements.
• Loss, corruption, inaccuracy, or breach of confidentiality of such data may cause
severe harm to the subject of the information, to PATHS, and to its officers, agents,
and employees.
• Use of personal equipment, such as Palm Pilots or personal laptop computers, to use,
record, or store information relating to PATHS, its patients, or business activities
subjects the user to the terms of this policy.
• HIPAA, its implementing regulations, accreditation requirements, and good practice
require PATHS to audit data for integrity and system users for compliance with laws,
regulations, professional ethics, accreditation requirements, and PATHS’s policies
and procedures.
01-01-035: Internal Audit
Page 1 of 3
Policy
PATHS will institute internal audit of health and other critical information in its system
to ensure the integrity of such data and will audit data users’ activities to ensure
compliance with laws, regulations, professional ethics, accreditation requirements, and its
own policies and procedures.
With Regard to Data Quality:
• Overall control of data quality is the responsibility of the Director of Information
Technology. At a minimum, he or she will maintain an access or audit log recording who
accessed which computer objects, when, and for how long, including, but not limited
to, logins and logouts, accesses or attempted accesses to files or directories,
execution of programs, and uses of peripheral devices. (See the discussion of
compliance audits, below.) He or she will also conduct performance audits to measure
whether the system meets the medical and business objectives for which it was
designed and whether it meets its design objectives for performance.
• Department directors are responsible for advising the Director of Information
Technology of the data integrity standards required for data that they maintain, use, and
transmit, and of any problems with data integrity.
With Regard to Data Users’ Compliance with Laws, Regulations, Professional
Ethics, and Accreditation Requirements:
• Responsibility for auditing data users’ access to and use of PATHS’s information
assets rests with the Director of Information Technology.
• The Director of Information Technology will take the following steps:
o Install intrusion detection software to detect unauthorized access.
o Develop audit criteria specifying which activities are to be audited.
o Perform audits of records of system activity, such as logon, logoff, file access,
attempted logon, failed logon, and so forth, and retain the audit trails for
not less than six years from the date of the audit.
o Perform vulnerability tests to identify weaknesses in the system.
o Maintain a log of security-relevant events that have occurred, listing each
event and the person responsible.
o Report security breaches detected during an audit pursuant to PATHS’s
Report Procedure.
o Investigate security breaches detected during an audit pursuant to PATHS’s
Response Procedure.
o Take appropriate remedial action to mitigate the harm of breaches and prevent
recurrence.
• All supervisors, data users, and employees are responsible for reporting problems
with data integrity to their department directors, the director of health information
management (for medical information), and the Director of Information Technology.
• All supervisors, data users, and employees are responsible for reporting suspected or
actual breaches of security or of PATHS’s policies and procedures in accordance with
PATHS’s Report Procedure.
Enforcement
All officers, agents, and employees of PATHS must adhere to this policy, and all
supervisors are responsible for enforcing this policy. PATHS will not tolerate violations
of this policy. Violation of this policy is grounds for disciplinary action, up to and
including termination of employment and criminal or professional sanctions in
accordance with PATHS’s medical information sanction policy and personnel rules and
regulations.
_________________________________
Signature of Officer, Agent, or Employee
______________________________
Date
_________________________________
Title of Officer, Agent, or Employee
______________________________
Printed Name of Officer, Agent, or
Employee
_________________________________
Witness
______________________________
Printed Name of Witness
Signatures:
_________________________________
CEO
______________________________
Date
_________________________________
Security Officer
______________________________
Date
_________________________________
HIPAA Officer
______________________________
Date