Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 13 - Audit Controls


Title: Audit Controls Policy: SEC-13.01
Category: HIPAA Compliance
Authority: 45 CFR § 164.312(b)
HIPAA Section: 164.312(b)
Standard: Access Controls
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To identify mechanisms that record and examine activity in information systems that contain or use ePHI.

Policy

OSU will implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (§164.312(b)).

Activity in information systems may be audited using the following procedures.
Procedure
  1. Network services
    • Review firewall logs
  2. Servers
    • Review various server logs
    • EMR server shows administrator logins and log-in attempts.
    • Vulnerability testing done annually and as needed periodically
  3. Software
    • Practice Management
    • Electronic Medical Record
    • Document Imaging System
  4. Any screen where a user can change data in Practice Management, EHR or Document Imaging may be audited by the HIPAA Compliance Office or IT or other designee. This audit displays what the previous data was, what it was changed to, when it was changed, and the user id of who changed the data.  The data may also show who has accessed, viewed, searched, added, updated, and deleted any records.
    • Random Audits will be conducted on no less than a monthly basis, or as the need requires, whichever is of greatest frequency.
      • Part of the audit will include verifying that terminated employees' access has been correctly removed from the various systems;
      • that current users are not accessing records outside of the scope of their respective job duties; and
      • whether any users have a high frequency of invalid login attempts.
    • If an audit trail outside of the scope listed above is needed, this may be requested of the Vendor.
  5. Equipment (computers)
    • The IT department can perform periodic spot check audit/scans on local drives to verify that storage of data files containing ePHI does not exist on the local drives of workstations.
  6. Sanctions – Any use other than the intended use that is found while auditing may leave the responsible user subject to OSU Sanctions and/or reporting to Law Enforcement or other governing bodies, depending on the findings of the audit(s).
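As an added illustration of the monthly checks in item 4 (this script is not part of the policy or of any OSU system), the following Python code runs the three audit checks over a constructed audit trail whose rows carry the fields the policy describes: the user id, when the action happened, the previous and new values, and the outcome. The user ids, dates, job scopes and the five-attempt threshold are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample inputs (hypothetical, not from the policy or any OSU system):
# HR termination dates, accounts still enabled in the application, and the
# record types each current user's job duties cover.
TERMINATED = {"jdoe": date(2013, 6, 15)}
ENABLED_ACCOUNTS = {"jdoe", "asmith", "bwong"}
JOB_SCOPE = {"asmith": {"billing"}, "bwong": {"billing", "clinical"}}

# Audit trail rows carrying the fields item 4 lists: who, when, which action,
# which record type, the previous and new values, and whether it succeeded.
AUDIT_TRAIL = [
    {"user": "asmith", "when": date(2013, 6, 20), "action": "update",
     "record": "billing", "old": "100.00", "new": "10.00", "ok": True},
    {"user": "asmith", "when": date(2013, 6, 21), "action": "view",
     "record": "clinical", "old": None, "new": None, "ok": True},
    {"user": "jdoe", "when": date(2013, 6, 22), "action": "view",
     "record": "clinical", "old": None, "new": None, "ok": True},
] + [
    {"user": "bwong", "when": date(2013, 6, 23), "action": "login",
     "record": None, "old": None, "new": None, "ok": False}
    for _ in range(6)
]


def terminated_still_enabled(enabled, terminated):
    """Accounts of terminated staff whose access was never removed."""
    return sorted(set(enabled) & set(terminated))


def activity_after_termination(trail, terminated):
    """Audit rows recorded for a user on or after their termination date."""
    return [r for r in trail
            if r["user"] in terminated and r["when"] >= terminated[r["user"]]]


def out_of_scope_access(trail, scope):
    """Record accesses by current users outside their job duties."""
    return [r for r in trail
            if r["record"] is not None and r["user"] in scope
            and r["record"] not in scope[r["user"]]]


def excessive_failed_logins(trail, threshold=5):
    """Users whose invalid login attempts reach the threshold (assumed: 5)."""
    counts = Counter(r["user"] for r in trail
                     if r["action"] == "login" and not r["ok"])
    return {u: n for u, n in counts.items() if n >= threshold}
```

Each function returns the rows or accounts the auditor needs to follow up on, so the output can be attached to the monthly audit record as-is.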


