HIPAA has many regulations, and many of them are surprisingly simple and inexpensive to implement, such as Business Associate Agreements. All you need to do is have your contractors and service providers fill out a well-written, compliant BAA and the task is complete. But some of HIPAA’s requirements are far more complicated and expensive to implement, such as system and audit logging. So should you even consider skipping the implementation of HIPAA-compliant logging?
Absolutely not, and here’s why...
What is HIPAA-Compliant Logging?
HIPAA regulations not only require that you keep electronic protected health information (ePHI) secure, but they also require that you thoroughly monitor how such data is accessed. The regulations want you to know…
- Which user
- Running which application
- At what time
- Accessed which fields
- From which records
- And what type of access that was
So in other words, not only are you supposed to store the proper diagnosis data for the patient’s most recent visit, you also must store data about the data you just stored! And in addition to that, you need to store every user’s complete history on your system, which includes (but is not limited to)...
- The user’s account being created on day 1
- The user being granted access to certain data
- The user logging in to a program
- The user changing to a specific database or screen
- The user making searches or looking up one or more records
- The user viewing the data
- The user choosing to update the data
- The user saving the data
- The user navigating to some other screen or record
- ...and far more.
This level of logging is for the application, but similar logging must happen at the operating system and database levels as well. In short, every interaction anyone has with any piece of your ePHI must be logged on every level.
It’s complicated, difficult, and requires a tremendous amount of data storage to do properly.
So you must be asking yourself, "Why is HIPAA-compliant logging necessary? How is logging going to benefit me and my company or medical office?"
Why you need HIPAA Logging
This logging, combined with proper alert policies, allows you to identify an actual attack in progress or maybe even lock down access to the system before any real breach has occurred.
And even if an actual breach occurs, proper logging helps you to control the damage to your company.
Let’s say that you run a medical clinic with a database of 5,000 patient records, and your clinic’s network is compromised. Proper HIPAA-compliant logging would allow you to know exactly which records were breached, and how much of each record was accessed.
According to the HIPAA Regulations, which you can find at HHS.gov:
"Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary (of HHS), and, in certain circumstances, to the media."
What are those circumstances that require notifying the media? The rule says that:
"Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction."
And your state can impose further reporting requirements. For example, in California:
"Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General."
So let’s get back to the breach of your clinic’s network: it’s possible that only a few hundred, or perhaps a few dozen, records were actually breached, in which case you would need to notify HHS and the affected individuals.
Without logging, you would be forced to assume that every one of your 5,000 records was breached, and you would be forced to also notify the California Attorney General (for possible prosecution) and issue an embarrassing and reputation-damaging press release to notify the world of your problem.
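As an added illustration (not code from the original article), here is a small Python script that reads audit events carrying the fields listed above, narrows a suspected compromise to the records and fields one account actually touched inside a time window, and maps the resulting count to the notification duties quoted above. The JSON-lines log format, account names, record ids and timestamps are all constructed for the example.

```python
"""Scoping a breach from HIPAA-style audit events (constructed example, not a real product's log format)."""
import json
from datetime import datetime

# Constructed JSON-lines audit trail carrying the fields the text lists:
# which user, which application, when, which record and fields, what access.
SAMPLE_AUDIT_LOG = """\
{"ts":"2024-03-01T08:02:11Z","user":"jdoe","app":"ehr-web","action":"login","record":null,"fields":[]}
{"ts":"2024-03-01T08:05:40Z","user":"jdoe","app":"ehr-web","action":"view","record":"P-1001","fields":["name","dob","diagnosis"]}
{"ts":"2024-03-01T08:06:02Z","user":"jdoe","app":"ehr-web","action":"update","record":"P-1001","fields":["diagnosis"]}
{"ts":"2024-03-01T23:41:09Z","user":"jdoe","app":"db-shell","action":"view","record":"P-1002","fields":["name","ssn"]}
{"ts":"2024-03-01T23:41:15Z","user":"jdoe","app":"db-shell","action":"view","record":"P-1003","fields":["name","ssn"]}
{"ts":"2024-03-02T09:10:00Z","user":"asmith","app":"ehr-web","action":"view","record":"P-2001","fields":["name"]}
"""

def parse_ts(s):
    # ISO-8601 'Z' timestamp -> timezone-aware datetime
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_audit_log(text):
    """Parse JSON-lines audit events; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = parse_ts(ev["ts"])
            events.append(ev)
    return events

def breach_scope(events, user, start, end):
    """Records that `user` touched between ISO timestamps start and end, with the
    fields and access types involved: {record_id: {"fields": set, "actions": set}}.
    Events with no record (logins, screen changes) do not widen the scope."""
    lo, hi = parse_ts(start), parse_ts(end)
    scope = {}
    for ev in events:
        if ev["user"] != user or ev["record"] is None or not lo <= ev["ts"] <= hi:
            continue
        entry = scope.setdefault(ev["record"], {"fields": set(), "actions": set()})
        entry["fields"].update(ev["fields"])
        entry["actions"].add(ev["action"])
    return scope

def notification_obligations(affected_count, threshold=500):
    """Notice duties quoted in the text for a count of affected individuals. Assumes
    one record per individual and, for the California rule, all are CA residents."""
    over = affected_count > threshold
    return {"individuals": affected_count > 0, "hhs": affected_count > 0,
            "media": over, "california_ag": over}
```

Run against the constructed log, the compromise window of the off-hours `db-shell` activity scopes the incident to two records, while the no-logging assumption of all 5,000 records triggers the media and Attorney General notices.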
The Costs of a HIPAA Breach
When ePHI data is breached, the costs are high. HIPAA Journal reports that a recent IBM study puts the cost of a HIPAA data breach at approximately $380 per record. If your breach was only a dozen records, that’s a cost of $4,560. Not cheap. But if you didn’t have HIPAA-compliant logging to identify that the breach was confined to those dozen records, the cost to you and your clinic would be about $1.9 million.
If you are a medical-related business -- medical office, clinic, hospital, lab, attorney, insurance, staffing agency -- and you are not fully HIPAA compliant, your business is at risk every day. A big and critically important part of your compliance is your HIPAA-compliant logging.
Good logging can be the difference between a bad month and a bankrupt company.
Protect Yourself From HIPAA Violations Today
Don’t let this happen to you. Digital Uppercut provides HIPAA compliant services designed to help companies of almost any size get and stay HIPAA compliant. It all begins with a low-cost HIPAA Risk Assessment, a painless process where we evaluate your business and your current security measures. Contact us today or call us at 818-913-1335 for a brief consultation and to set up your Risk Assessment.