How FairWarning Fulfills on HIPAA

Issue link: https://www.fairwarning.com/insights/i/1104112

Mapping table (columns: Section; Established Performance Criteria; Key Activity; Audit Procedures; FairWarning® Solution)

Section: §164.308
Established Performance Criteria: §164.308(a)(1)(ii)(D): Security Management Process - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Key Activity: Develop and Deploy the Information System Activity Review Process
Audit Procedures:
  - Inquire of management as to whether formal or informal policy and procedures exist to review information system activities, such as audit logs, access reports, and security incident tracking reports.
  - Obtain and review formal or informal policy and procedures and evaluate the content in relation to the specified performance criteria to determine if an appropriate review process of information system activities is in place.
  - Obtain evidence for a sample of instances showing implementation of covered entity review practices.
  - Determine if the covered entity policy and procedures have been approved and updated on a periodic basis.
FairWarning® Solution: FairWarning® Analytics and Reports enable reviewing of information system activity such as audit logs and access reports. FairWarning® Investigations centralize management and tracking of security incidents.

Section: §164.312
Established Performance Criteria: §164.312(b) Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Key Activity: Determine the Activities that Will be Tracked or Audited
Audit Procedures:
  - Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI.
  - Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI.
FairWarning® Solution: FairWarning® Analytics record and examine activity in systems with ePHI. These Analytics are then automated as Enforced Policies to proactively alert users of any activity that is being tracked or audited.
Mapping to HIPAA Audit Protocols

In June 2011, KPMG was awarded the contract to conduct HIPAA audits and develop an audit protocol on behalf of the Health and Human Services (HHS) Office for Civil Rights (OCR). During the initial test phase, from November 2011 through March 2012, 20 covered entities were audited. As a result of these initial audits, in June 2012 OCR published on its website the HIPAA Audit Protocol, which contains the requirements that will be assessed through the OCR HIPAA Audit program. The protocol covers the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule requirements, as well as audit procedures and what will be expected of covered entities. User activity monitoring was found to be the #1 deficiency in the first twenty audits, accounting for nearly one quarter of the issues identified for non-compliance with the HIPAA Security Rule. FairWarning®'s solutions for patient privacy monitoring map directly to thirteen key requirements of the recently announced OCR HIPAA Audit Protocol and influence many others; these requirements focus on both the management process and the audit controls for applications containing PHI. Many of the protocols are problematic if not impossible to address without FairWarning®. The entire protocol can be accessed at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.
