Health Information Management

HIPAA Q&A: You’ve got questions. We’ve got answers!

HIM-HIPAA Insider, December 8, 2014

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at and we will work with our experts to provide you with the information you need.
Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements—other than to perform audits—that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?
A: The HIPAA Privacy Rule includes no specific requirements related to privacy audits. The rule does require organizations to implement administrative, physical, and technical safeguards to protect PHI no matter the form. The Privacy Rule does not give specifics, so it's a good idea to implement safeguards similar to what the HIPAA Security Rule requires. This would include monitoring logs of access to PHI, such as logs generated by EHRs and picture archiving and communication systems.
Information system activity review audits are just one of the four audit activities that covered entities (CEs) should undertake to comply with the HIPAA Security Rule and, by default, the HIPAA Privacy Rule. Information system activity review audits focus on firewall activity, patches applied to applications, data loss prevention report reviews, and so forth. Generally, these audits do not involve determining whether patient records are being accessed appropriately.
CEs and business associates should also review user login audit logs to check for repeated failed login attempts and to verify employees are not accessing systems or data at times when they are off work and have no valid reason to access systems.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro's Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
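The two log checks the answer recommends (repeated failed logins, and PHI access at times the employee is not on shift) are the kind of thing a privacy team can script against an export of the EHR audit log. The following is an added example written for this page; it is not part of the original Q&A and is not code from Apgar & Associates or any EHR vendor. The pipe-delimited log format, the user names, the shift schedules, the five-failures-in-ten-minutes threshold and the sample log lines are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample audit-log export (hypothetical format, not from a real EHR):
# timestamp | user | event | outcome | record
SAMPLE_LOG = """\
2014-12-01T08:05:00 | jdoe | LOGIN | SUCCESS | -
2014-12-01T08:06:10 | jdoe | VIEW_RECORD | SUCCESS | MRN-1001
2014-12-01T23:40:00 | jdoe | LOGIN | SUCCESS | -
2014-12-01T23:41:30 | jdoe | VIEW_RECORD | SUCCESS | MRN-2042
2014-12-02T02:00:00 | asmith | LOGIN | FAILURE | -
2014-12-02T02:00:20 | asmith | LOGIN | FAILURE | -
2014-12-02T02:00:45 | asmith | LOGIN | FAILURE | -
2014-12-02T02:01:05 | asmith | LOGIN | FAILURE | -
2014-12-02T02:01:30 | asmith | LOGIN | FAILURE | -
2014-12-02T09:15:00 | asmith | LOGIN | SUCCESS | -
2014-12-02T09:16:00 | asmith | VIEW_RECORD | SUCCESS | MRN-1001
"""

# Assumed (hypothetical) work schedules from HR: user -> (shift start, shift end).
# A start later than its end denotes an overnight shift.
SCHEDULES = {
    "jdoe": (time(7, 0), time(19, 0)),
    "asmith": (time(8, 0), time(17, 0)),
}


def parse_log(text):
    """Parse the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome, record = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "outcome": outcome, "record": record})
    return events


def repeated_failed_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each user with at least `threshold` failed logins inside any
    sliding window of length `window`. Returns (user, first, last, count)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN" and e["outcome"] == "FAILURE":
            by_user[e["user"]].append(e["ts"])
    findings = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it fits.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((user, times[start], times[end], end - start + 1))
                break  # one finding per user is enough for the report
    return findings


def _in_shift(t, start, end):
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # overnight shift wraps midnight


def off_hours_phi_access(events, schedules):
    """Flag successful record views outside the user's scheduled shift, and
    any view by a user with no schedule on file (cannot be validated)."""
    findings = []
    for e in events:
        if e["event"] != "VIEW_RECORD" or e["outcome"] != "SUCCESS":
            continue
        shift = schedules.get(e["user"])
        if shift is None:
            findings.append((e["user"], e["ts"], e["record"], "no schedule on file"))
        elif not _in_shift(e["ts"].time(), *shift):
            findings.append((e["user"], e["ts"], e["record"], "outside shift"))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in repeated_failed_logins(evs):
        print("failed-login burst:", f)
    for f in off_hours_phi_access(evs, SCHEDULES):
        print("off-hours PHI access:", f)
```

Run against the constructed log, the script reports one failed-login burst for asmith and one off-hours record view by jdoe. Both are leads for the privacy team to investigate, not determinations: an off-hours view may be a legitimate on-call lookup, which is why the schedule source (here a hand-written dict, in practice an HR feed) and the exception process matter as much as the query.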


