Small health providers using audit logs for HIPAA compliance

From: HealthITSecurity.com

Author Name:  Patrick Ouellette

One of the under-the-radar prongs of the HIPAA Omnibus Rule may be the portion that calls for healthcare organizations to invest time and resources in user activity monitoring. HIPAA §164.308(a)(1)(ii)(D) requires covered entities to implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incidents.

Covered entities must “…inquire of management as to whether formal or informal policy and procedures exist to review information system activities; such as audit logs, access reports, and security incident tracking reports.”

With HIPAA and Stage 1 Meaningful Use privacy and security requirements in mind, All Medical Solutions (AMS) launched the SPHER breach detection product on Jan. 1, 2013 to help solo, small group, and clinic health care providers in those efforts. AMS had been working with local practices and HITEC-LA, L.A. County’s regional extension center (REC), for more than a year before the launch. With the HIPAA omnibus effective date less than a week away, SPHER’s products may have been handy for small providers looking to comply with HIPAA regulations during the past year or so and for those looking to review their compliance going forward.

After the Office for Civil Rights (OCR) audited 150 covered entities (via KPMG) in 2012 to determine their levels of HIPAA compliance, Andrew Kan, President and Founder of AMS, said that one of the major hurdles was breach detection, or user activity monitoring.

When healthcare organizations run audit log history reports, which generate about 3,500 lines per log per day per physician, large hospitals with more than 200 physicians can end up with millions of lines each day. And for solo physicians who are already working a lot of hours, running the report may mean dealing with a lot of confusing technical content.

Vearlean Hudson, Office Manager and Compliance Officer at A Diop Family Medical Group, which sees about 40-50 patients per day, explained that she has to generate audit logs on a daily basis. The audit logs are long and had been a lot of work, but using AMS SPHER, she pulls the audit logs every day, submits them to AMS and then receives an AMS report that flags incidents that may be a breach, showing any discrepancies in the days and times in the system. Whatever AMS sends back, Hudson has to investigate within the office.
