- UW–Madison, the units of the UW HCC, and each individual or unit within UW–Madison that is a business associate of a covered entity (hereafter collectively referred to as “units”) will audit access and activity of electronic protected health information applications, systems, and networks and address standards set forth by the HIPAA Security Rule to ensure compliance to safeguarding the privacy and security of such information.
- The Security Rule requires covered entities to implement reasonable hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Audit activities may be limited by application, system, or network auditing capabilities and resources. UW–Madison and each unit will make reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to auditing that is consistent with available resources.
- Responsibility for auditing information system access and activity is assigned at two levels:
- The UW–Madison HIPAA security officer is responsible for:
- Auditing resources and facilities that are managed at the campus level. This includes, but is not limited to, the campus-level security awareness and training program. See section VI. below.
- Security controls and backup for audit logs of resources and facilities the UW–Madison HIPAA security officer is responsible for auditing. See section V. below.
- Arranging for or coordinating external audits and other external resources to assist in audits at all levels. See section VII. below regarding external audits.
- Advising the HIPAA security coordinator of each unit, and arranging for additional auditing support for the unit as warranted.
- The HIPAA security coordinator of a unit is responsible for:
- Auditing resources and facilities that are managed by the HIPAA security coordinator’s unit, including any unit-level security awareness and training.
- Security controls and backup for audit logs of resources and facilities the HIPAA security coordinator is responsible for auditing. See section V. below.
- Assisting the UW–Madison HIPAA security officer in campus-level audits on matters related to the HIPAA security coordinator’s unit.
- Jointly auditing resources and facilities that are shared by multiple units and are jointly managed by the participants, with the HIPAA security coordinator of one unit selected to lead the audit-related activities and the HIPAA security coordinators of other participating units assisting the selected leader. The selected leader will also coordinate security controls and backup for audit logs of such resources and facilities. See section V. below.
- The UW–Madison HIPAA privacy officer, UW–Madison chief information officer (CIO), and other UW–Madison campus leaders provide leadership support for the UW–Madison HIPAA security officer so that resources can be identified and audits can be accomplished. The CIO or IT director of the unit or other unit leaders provide the corresponding leadership support for the HIPAA security coordinator of their unit.
- The auditing procedures at both the campus level and the unit level are the same, with the exception of the general differences described in I.1 and I.2 above, and any specific language included below.
- The responsible individual, as defined in I.1 above, needs to:
- Assign the task of generating reports for audit activities to the person responsible for the application, system, or network.
- Assign the task of reviewing the audit reports to the person responsible for the application, system, or network, or to any other person determined to be appropriate for the task.
- Organize and provide oversight to a team structure charged with audit compliance activities (e.g., parameters, frequency, sample sizes, report formats, evaluation, follow-up, etc.)
- The auditing processes need to address access and activity at the following levels:
- User: User-level audit trails generally monitor and log commands directly initiated by the user, identification and authentication attempts, and files and resources accessed.
- Application: Application-level audit trails generally monitor and log user activities, including data files opened and closed, specific actions, and printing reports.
- System: System-level audit trails generally monitor and log user activities, applications accessed, and other system-defined specific actions.
- Network: Network-level audit trails generally monitor information on what is operating, penetrations, and vulnerabilities.
- The responsible individual, as defined in section I.1 above, and their supporting leadership need to determine the systems or activities that will be tracked or audited by:
- Focusing efforts on areas of greatest risk and vulnerability as identified in the information systems risk assessment and ongoing risk management processes.
- Maintaining confidentiality, integrity, and availability of electronic protected health information applications and systems.
- Assessing the appropriate scope of system audits based on the size of the resource or facility and the needs of the campus or unit by asking:
- What information/electronic protected health information is at risk?
- What systems, applications, or processes are vulnerable to unauthorized or inappropriate access?
- What activities should be monitored (create, read, update, delete)?
- What information should be included in the audit record?
- Assessing available organizational resources.
- The responsible individual, as defined in section I.1 above, and their supporting leadership need to identify “trigger events” or criteria that raise awareness of questionable conditions of viewing of confidential information. At a minimum, trigger events will include:
- Patient complaints.
- Employee complaints.
- Suspected breaches of patient confidentiality.
- High-risk or problem-prone events (e.g., VIP admissions).
- The responsible individual, as defined in section I.1. above, and their supporting leadership need to determine auditing frequency by reviewing past experience, current and projected future needs, and industry trends and events. The UW–Madison HIPAA security officer will provide advice on the suitable range of audit frequency by unit. The unit will determine its ability to generate, review, and respond to audit reports using internal resources, and may request additional resources or assistance. The units and UW–Madison recognize that failure to address automatically generated audit logs, trails, and reports through a systematic review process may be more detrimental to the organization than not auditing at all (e.g., state/federal licensing and accrediting agencies).
- The UW–Madison HIPAA security officer, UW-Madison IT security staff, the HIPAA security coordinator of a unit, the unit’s IT security staff, or their designees are authorized to select and use auditing tools that are designed to detect network vulnerabilities and intrusions. Such tools are explicitly prohibited by others without the explicit authorization of the UW–Madison HIPAA security officer. These tools may include, but are not limited to:
- Scanning tools and devices.
- War dialing software.
- Password cracking utilities.
- Network “sniffers.”
- Passive and active intrusion detection systems.
- Audit documentation/reporting tools need to address, at a minimum, the following data elements:
- Application, system, network, department, or user audited
- Audit type
- Individual/department responsible for audit
- Date(s) of audit
- Reporting responsibility/structure for review audit results
- The process for review of audit logs, trails, and reports needs to include:
- A description of the activity as well as the rationale for performing the audit.
- Identification of which workforce members or department/unit will be responsible for review (workforce members should not review audit logs that pertain to their own system activity).
- The frequency of the auditing process.
- Determination of significant events requiring further review and follow-up.
- Identification of appropriate reporting channels for audit results and required follow-up. The procedures in UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information may be used to report a single event.
- Vulnerability testing software may be used to probe the network to identify what is running (e.g., operating system or product versions in place), if publicly-known vulnerabilities have been corrected, and whether the system can withstand attacks aimed at circumventing security controls.
- Testing may be carried out internally or provided through an external third-party vendor. Whenever possible, a third-party auditing vendor should not be providing the organization IT oversight services (e.g., vendors providing IT services should not be auditing their own services; there should be a separation of duties).
- Testing is to be done on a routine basis (e.g., annually).
Audit Requests for Specific Cause
- A request may be made for an audit for a specific cause. The request may come from a variety of sources including, but not limited to, Human Resources, Risk Management, the UW–Madison HIPAA privacy officer, the UW–Madison HIPAA security officer, or a member of either the UW–Madison administration or the unit’s administration.
- A request for an audit for a specific cause must include the time frame, frequency, and nature of the request. The request must be reviewed and approved by the UW–Madison HIPAA privacy officer or UW–Madison HIPAA security officer.
- A request for an audit as a result of a patient concern is to be initiated by the UW–Madison HIPAA privacy officer or UW–Madison HIPAA security officer. Under no circumstances and at no time should detailed audit information be shared with the patient. UW–Madison is not obligated to provide a detailed listing of those workforce members who use a patient’s protected health information for treatment, payment, or health care operations.
- Should the audit disclose that a workforce member has accessed a patient’s protected health information inappropriately, the minimum necessary/least privileged information should be shared with the HIPAA privacy coordinator of the unit and the workforce member’s supervisor or Human Resources Department to determine appropriate sanction/ corrective disciplinary action.
- Only de-identified information should be shared with the patient regarding the results of the investigative audit process. This information is to be communicated to the patient by the UW–Madison HIPAA privacy officer or designee, after seeking appropriate risk management or legal counsel.
Evaluation and Reporting of Audit Findings
- Audit information that is routinely gathered must be reviewed in a timely manner by the individual/department responsible for the activity/process (e.g., weekly, monthly, quarterly, etc.).
- The reporting process must allow for meaningful communication of the audit findings to those departments/units sponsoring the activity.
- Significant findings are to be reported immediately in a written format. The procedures in UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information may be used to report a single event.
- Routine findings are to be reported to the sponsoring leadership structure in a written report format.
- Reports of audit results must be limited to internal use on a minimum necessary/need-to-know basis. Audit results are not to be disclosed externally without the approval of legal counsel or the UW–Madison HIPAA privacy officer.
- Generic security audit information may be included in organizational reports. Individually-identifiable patient protected health information must not be included in the reports.
- Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions are to be documented and shared with the responsible and sponsoring departments/units.
Auditing Business Associate or Vendor Access and Activity
- Periodic monitoring of business-associate and vendor information system activity must be carried out to ensure that access and activity are appropriate for privileges granted and necessary to the arrangement between UW–Madison and the external agency.
- If it is determined that the business associate or vendor has exceeded the scope of access privileges, UW-Madison must reassess the business relationship. See UW-116 Managing Arrangements with Business Associates of the University of Wisconsin-Madison.
- If it is determined that a business associate has violated the terms of the HIPAA business associate agreement/addendum, UW–Madison must take immediate action to remediate the situation. Continued violations may result in the discontinuation of the business relationship.
Audit Log Security Controls and Backup
- Audit logs are to be protected from unauthorized access or modification, so the information they contain will be available to evaluate a security incident. Generally, system administrators should not have access to the audit trails or logs created on their systems.
- Whenever possible, audit trail information is to be stored on a separate system to minimize the impact auditing may have on the audited system and to prevent access to audit trails by those with system administrator privileges. This is done to apply the security principle of “separation of duties” to protect audit trails from hackers. Audit trails maintained on a separate system would not be available to hackers who may break into the network and obtain system administrator privileges. A separate system would allow UW–Madison to detect hacking security incidents.
- Audit logs maintained within an application are to be backed up as part of the application’s regular backup procedure.
- UW–Madison will audit internal backup, storage, and data recovery processes to ensure that the information is readily available in the manner required. Auditing of data backup processes will be carried out:
- On a periodic basis (recommend at least annually) for established practices and procedures.
- More often for newly developed practices and procedures (e.g., weekly, monthly, or until satisfactory assurance of reliability and integrity has been established).
Workforce Training, Education, Awareness, and Responsibilities
- Workforce members are provided training, education, and awareness on safeguarding the privacy and security of businesses' and patients' protected health information. UW–Madison’s commitment to auditing access and activity of the information applications, systems, and networks is communicated through new employee orientation, ongoing training opportunities and events, and applicable policies.
- Workforce members are made aware of responsibilities with regard to privacy and security of information as well as applicable sanctions/corrective disciplinary actions should the auditing process detect a workforce member’s failure to comply with organizational policies. See UW-125 HIPAA Security Oversight; UW-137 HIPAA Privacy and Security Training; UW-138 Responding to Employee Noncompliance with Policies and Procedures Relating to the HIPAA Privacy and Security Rules and UW-139 Responding to Student Noncompliance with Policies and Procedures Relating to the HIPAA Privacy and Security Rules.
External Audits of Information Access and Activity
Information system audit information and reports gathered from contracted external audit firms, business associates, and vendors are to be evaluated, and appropriate corrective action steps taken as indicated. Prior to contracting with an external audit firm, UW–Madison will:
- Outline the audit responsibility, authority, and accountability.
- Choose an audit firm that is independent of other organizational operations.
- Ensure technical competence of the audit firm staff.
- Require the audit firm’s adherence to applicable codes of professional ethics.
- Obtain a signed HIPAA-compliant business associate agreement.
- Assign organizational responsibility for supervision of the external audit firm.
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.