The Health Insurance Portability and Accountability Act (HIPAA) was created to improve the way organizations handle healthcare data. Not only does it aim to improve the portability of health information, but also requires organizations to protect and secure it. Any entities handling healthcare data are required to comply with HIPAA, even those handling data on behalf of another entity. If you are a healthcare provider, or an entity providing services to healthcare organizations, you may have compliance obligations under HIPAA. We created this guide to help you understand your potential obligations under HIPAA, and how they may affect your logging strategy. Note that this is not a legal document, but a guide to help you understand your potential obligations. Always check with your legal team before making any changes to your logging procedures or infrastructure.Documentation Index
Fetch the complete documentation index at: https://mezmo-9a59581a-mintlify-926f893d.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
An Overview of HIPAA and HITECH
Title II of HIPAA, known as the Administrative Simplification provisions, sets standards for protecting and securing private health records (known as protected health information, or PHI). This includes patient records, medical records, and even insurance and billing records. Under HIPAA, any entities that handle this kind of data can be held legally accountable if the data is leaked, stolen, or misused. The Health Information Technology for Economic and Clinical Health Act (HITECH) expands on HIPAA by promoting the use of technology in managing PHI. It offered financial incentives to healthcare providers for adopting electronic health records, while adding tougher penalties for non-compliance. After HITECH was enacted in 2009, the use of electronic records in healthcare organizations jumped from 3.2% in 2008 to 14.2% in 2015.How Logs Fit Into HIPAA
Monitoring and observability play a significant role in HIPAA compliance. Organizations must be capable of:- Auditing employee access to ePHI
- Monitoring changes to systems storing ePHI
- Identifying and investigating potential security breaches
Requirements for Logging
The following HIPAA sections outline your requirements for logging. In the following section, we’ll explain how to satisfy these requirements using Mezmo. Before continuing, we need to explain some of the terms used in HIPAA. A covered entity is generally any healthcare provider, health plan, or healthcare clearinghouse that transmits PHI. A business associate is any individual, organization, or entity that processes PHI on behalf of a covered entity. If you are a covered entity sending your logs to Mezmo, then we are considered a business associate and have specific obligations for protecting your data. These obligations are described in a Business Associate Agreement (BAA), which must be signed by both the covered entity and business associate before the business associate can provide service.Section 164.312: Technical Safeguards
This section outlines policies and procedures for protecting and monitoring access to systems containing ePHI. § 164.312(b) specifically addresses auditing, requiring “mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” While this doesn’t specify which activities to log, consider the events that would be important to an audit. Authentication logs, software and hardware modification logs, process logs, and even network logs are all important for monitoring and auditing secured systems.Section 164.308: Administrative Safeguards
Covered entities are required to “implement policies and procedures to prevent, detect, contain, and correct security violations.” More specifically, § 164.308(a)(1)(ii)(D) requires regular reviews of information system activity “such as audit logs, access reports, and security incident tracking reports.” This section also includes specific monitoring procedures, including:- Malicious software activity (§ 164.308(a)(5)(ii)(B))
- Log-in attempts and discrepancies (§ 164.308(a)(5)(ii)(C))
- Suspected or known security incidents (§ 164.308(a)(6)(ii))
Section 164.316: Policies and Procedures and Documentation Requirements
§ 164.316(b)(2)(1) requires covered entities to retain documentation records for at least six years. However, there’s uncertainty as to whether audit logs are included in this requirement. § 164.316(b)(1)(ii) states that any action, activity, or assessment required to be documented must be recorded, and audit logs technically document activities performed by systems and users.Recommendations for HIPAA-Compliant Logging
Given these requirements, these are our recommendations for how you can structure your logging strategy to be HIPAA-compliant. Remember that these are recommendations and not legal advice. Always consult with your legal team before changing your logging strategy.Avoid Logging PHI
Audit logs should rarely if ever contain PHI. Storing PHI in logs increases the risk of a violation, especially if those logs are exported, copied, shared, or archived to a third-party service. If you do need to reference PHI in logs, avoid logging the PHI directly but instead log an abstract identifier that refers back to the PHI. For example, consider an audit log that records access to patient records. Instead of logging protected data such as the patient’s name or Social Security number, log the record number as it appears in the database. This ensures that a patient can’t be identified by logs alone, and can only be identified by accessing both the logs and the patient records. This process is known as de-identification (or pseudonymization) and is a standard under § 164.154(a).Log all Operational and Security Events
HIPAA requires strict oversight over systems containing PHI, as described in §§ 164.308(a) and 164.312(b). While there isn’t an exact definition of the types of activities you’re required to log under HIPAA, consider logging important system and security events such as:- Access to protected information and applications
- Logins, logouts, and failed attempts
- Password changes
- Changes to security systems (e.g. firewalls, antivirus software)
- Antivirus or antimalware events
- Network changes (e.g. new devices connecting to a secure network)
- Software installations, uninstallations, and updates
- Processes starting and stopping