OCR newsletter emphasizes audit controls

The Department of Health and Human Services Office for Civil Rights (OCR) issued its January 2017 Cyber Awareness Newsletter today, advising HIPAA covered entities and business associates to use proper audit control tools and to secure and regularly review audit trails.

The HIPAA Security Rule audit control provision requires covered entities and business associates to implement hardware, software and procedural mechanisms that record and examine activity in information systems containing or using electronic protected health information (ePHI). OCR expects covered entities and business associates to consider their risk analysis results and organizational factors when determining reasonable and appropriate audit controls for the organization’s information systems. This provides another reminder of the importance of risk analysis, which has been a focus of OCR’s HIPAA settlements. 

OCR views it as “imperative” for covered entities and business associates to review their audit trails regularly, not only after security incidents and breaches, but also during real-time operations. The Newsletter also states that access to audit trails should be “strictly restricted” and limited to authorized personnel.

This OCR Cyber Awareness Newsletter is available here.