Eric Liederman of Kaiser Permanente gave an interesting talk at HIMSS11 on protecting privacy without harming patients.  Many audit trails are full of non-essential information and are of little help in investigating security and privacy breaches.  The HIPAA Security Rule requires, among other things, a security risk analysis and the implementation of policies to help prevent security breaches.

The HIPAA audit trail (or audit log) should be used as a tool for monitoring security incidents, and it should contain few false positives.  In addition, PHI should be encrypted, including on mobile devices (such as USB thumb drives).  Warnings may also be shown as appropriate on users' screens to educate them on the proper use of patients' records.
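As an added illustration of the "few false positives" point (this is example code, not anything from the talk or from Kaiser Permanente), the triage below suppresses record accesses that are expected, because the user is on the patient's care team or holds a routine-access role, and raises only the remainder; the care-team roster, roles and events are all constructed sample data.

```python
# Added example: triaging a PHI access audit trail so that only accesses with no
# apparent treatment relationship reach an investigator. Constructed data throughout.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    patient: str
    action: str          # e.g. "view", "print", "export"
    reason: str = ""     # break-the-glass justification, if the user supplied one


# Constructed roster: users with a treatment relationship to each patient record.
CARE_TEAM = {
    "p1001": {"dr.alice", "rn.bob"},
    "p1002": {"dr.carol"},
}

# Constructed set of roles whose access to every record is routine (e.g. coding staff);
# alerting on them would only add noise to the audit review.
LOW_RISK_ROLES = {"him_coder"}


def triage(events, care_team=CARE_TEAM, low_risk_roles=LOW_RISK_ROLES):
    """Return (severity, event) pairs worth an investigator's time.

    Suppressed: user is on the patient's care team, or holds a routine-access role.
    Flagged:    everything else; an event carrying a break-the-glass reason is kept
                but marked so the stated reason can be verified rather than assumed.
    """
    flagged = []
    for ev in events:
        if ev.user in care_team.get(ev.patient, set()):
            continue
        if ev.role in low_risk_roles:
            continue
        severity = "review_reason" if ev.reason else "no_relationship"
        flagged.append((severity, ev))
    return flagged


# Constructed audit events: two routine, one justified cross-team access, one unexplained export.
SAMPLE_EVENTS = [
    AccessEvent("dr.alice", "physician", "p1001", "view"),
    AccessEvent("him_coder1", "him_coder", "p1002", "view"),
    AccessEvent("dr.carol", "physician", "p1001", "view", reason="ED consult"),
    AccessEvent("rn.bob", "nurse", "p1002", "export"),
]
```

Running `triage(SAMPLE_EVENTS)` leaves two of the four events for review, the justified consult (to confirm the reason) and the unexplained export.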

In the event of a security incident (breach), create a plan and an accountable team, and understand the state and federal breach reporting requirements.