This document recommends an initial set of logging and audit practices for a National Health Information Network (NHIN). Effective logging and audit practices are essential safeguards as electronic protected health information (ePHI) is shared at the regional and national levels, and can assure participating institutions that there is compliance with legal requirements for technical, physical, and administrative safeguards. At least as importantly, publicly announced audit and logging practices can foster trust among individual patients and the general public that their data is being used only in appropriate ways.
Logging and Audit Controls under HIPAA explains the logging and other audit requirements under HIPAA. These legal requirements form the baseline for auditing in any eventual system for sharing ePHI.
Logging and Audit Controls in a National Health Information Network sets forth the general conclusions concerning logging and auditing at the level of covered entities, of each sub-network organization (SNO)1 and for the Record Locator Service (RLS). The principal conclusion is that HIPAA should form the baseline for individual covered entities, but that logging and auditing practices, which may go beyond HIPAA requirements, should be in place for SNOs and the RLS.
Specific Logging and Audit Recommendations implements those general conclusions by setting forth a checklist for auditing and accountability for each SNO and the RLS. It supplements the checklist with a list of recommended additional measures, including independent third-party auditing for the RLS.
It is useful to understand current law before deciding what new logging and audit control requirements, if any, should be used when handling ePHI. The HIPAA Privacy Rule does not specifically mention logging or audits. It does provide that “a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” 45 CFR § 164.530 (c)(1). An effective audit and logging system will often be part of the overall set of safeguards expected under the Privacy Rule.
The HIPAA Security Rule is more specific. Section 164.312(b) requires audit controls as a standard: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” The United States Department of Health & Human Services explained that the nature of the audit controls will depend on the context: “We believe that it is appropriate to specify audit controls as a type of technical safeguard. Entities have flexibility to implement the standard in a manner appropriate to their needs as deemed necessary by their own risk analyses.” 68 Fed. Reg. at 8355 (Feb. 20, 2003).
The HIPAA Security Rule also mandates “information system activity review” as an element of administrative safeguards: “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” 45 CFR § 164.308(a)(1)(ii)(D). Once again, the sophistication of the required safeguard depends on the setting: “Our intent for this requirement was to promote the periodic review of an entity’s internal security controls, for example, logs, access reports, and incident tracking. The extent, frequency, and nature of the reviews would be determined by the covered entity’s security environment.” 68 Fed. Reg. at 8347.
One additional relevant provision in the HIPAA Security Rule is Section 164.308(a)(5)(ii)(C), which concerns log-in monitoring. The Rule sets forth an addressable implementation specification (i.e., good practice but not necessarily required), which covers “[p]rocedures for monitoring log-in attempts and reporting discrepancies.”
Beyond these federal requirements, there may be state and local laws that create requirements in the areas of logging and audit controls that will need to be assessed by individual SNOs and their participants.
With these HIPAA requirements as a baseline, audit and logging practices will differ in important respects among the various actors in a National Health Information Network. This section will provide a general analysis of the level of logging and audit controls to be expected among covered entities within each SNO, at each SNO itself, and for inter-SNO sharing. The next section will recommend specific logging and audit practices to apply at the SNO and inter-SNO levels.
For covered entities within each SNO, the baseline will be the requirements of the HIPAA Security Rule, discussed briefly in the prior section. The Security Rule contemplates that the level of audit controls required varies with the security environment. Throughout HIPAA, requirements are “scalable,” which means that large and sophisticated entities are expected to establish more rigorous safeguards than small entities. For audit, scalability means that small entities often have less thorough safeguards than large entities.
In setting policy for logging and audit control practices for covered entities within each SNO, it is important to recognize the small scale of many covered entities. Even for many large covered entities, current logging and audit control systems likely do not match the rigor and complexity of the best practices of large institutions. Given these current practices, it would likely be difficult to insist on heightened logging and audit control standards for each covered entity within SNOs. Any attempt to require such standards would quite possibly discourage participation in the overall system and further delay participation. Our recommendation at this time is thus not to require heightened logging and audit control standards for each covered entity or other participant within a SNO.
The analysis shifts, however, for logging and audit control practices at the level of each SNO in order to best safeguard ePHI. Each SNO is expected to be a sophisticated entity, operating at a scale that is consistent with rigorous audit and other security practices. Compared with individual providers, who often depend largely on paper records, SNOs are likely to rely more heavily on electronic health records, which are typically more suitable than paper records for enhanced and automated logging and audit control approaches. In order to promote trust among patients and participating institutions, we therefore recommend excellent logging and audit control practices at the SNO level, as described in the next section.
The case for strong logging and audit control standards is even stronger for inter-SNO sharing through the RLS. As discussed in previous documents of Markle Connecting for Health, the RLS will provide a means for locating records of an individual patient that are held by different data providers, including in different SNOs. It will be crucial to build public confidence in the good data handling practices of the RLS. A transparent and effective method for logging and audit controls is one important component of the case that the public deserves to trust the RLS. The next section recommends specific practices, notably including an independent, third-party audit on a regular basis.
In establishing these strict logging and audit practices at the SNO and inter-SNO levels, it is important to clarify what types of records are likely to move through such information systems. As contemplated in the Markle Connecting for Health Common Framework, the RLS itself will not contain clinical data. Instead, the RLS will contain demographic data, in order to identify and provide contact information for the actual holders of clinical records. Transfer of clinical records will be “point to point.” That is, an entity seeking the records of a particular patient may learn about other record holders through the RLS. That entity then will directly contact the other record holders in order to receive the clinical records. For purposes of logging and audit controls, this structure means that the flows of demographic information will be carefully tracked at the RLS level.
Transfers of clinical records, however, will not take place through the RLS itself, and will thus be subject to the logging and audit practices at the level of each entity. As a related point, SNOs may operate in a similar way. Whatever demographic (or other) information moves through the SNO would be subject to audit under the strict logging and audit standards contemplated here for SNOs. Transfers of clinical records, however, may take place through paths that do not include a SNO.
In preparing this paper on logging and audit practices, it has been helpful to review the actual audit documents of some large, cutting-edge health care organizations. The discussion here draws on those documents, as well as some publicly available materials.2
We first put forward a recommended audit and accountability checklist. This checklist is intended to apply at least to SNOs and the RLS, and it represents good practice for a broader range of covered entities.
Audit and Accountability. Audit is the practice of recording the occurrence of selected system events; management uses reports/alerts generated from audit records to monitor the appropriateness of activities. Accountability results when activities are attributable to individuals.
1. The system is required to log users’ system login and logoff with date and time, or, if the system does not have the capability to record login/logoff activity, it may rely on an external security system’s access control logging function to record access.
2. The system must have the ability to log read, create, update, delete, forward, and print access initiated by individuals and processes for systems containing confidential and restricted data. For data warehouses, data marts, and operational data stores, the system must have the ability to log queries, or alternatively the tables read must be logged. Row-level logging must be available on demand.
3. All audit records must be identified by a unique record key or number, and include:
4. Unsuccessful login attempts and access violations within the system must be logged.
5. Security administrative functions must be logged.
6. System administrative functions must be logged.
7. Audit records must be protected against unauthorized access, modifications, and deletion.
8. Audit records must be readily available for 90 days and archived for a minimum of two years, or up to the six years used for the archiving of HIPAA disclosures.
9. Security administrators and auditors can request or generate reports which may consist of any or all of the audit record elements for any or all types of actions.
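One way to check a log against items 3 and 8 of the checklist, shown as an added example that is not part of the original paper. The field names (`record_key`, `user_id`, `store`), the action labels and the 365-day year are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Action labels for the events in items 1, 2, 4, 5 and 6 (labels are assumptions).
ACTIONS = {"login", "logoff", "login_failed", "access_violation", "read", "create",
           "update", "delete", "forward", "print", "security_admin", "system_admin"}
# Hypothetical minimum fields; not the paper's own field list for item 3.
REQUIRED_FIELDS = ("record_key", "timestamp", "user_id", "action")
# Item 8 windows, assuming 365-day years: 90 days online, 2 years minimum, 6 years maximum.
TIERS = [(timedelta(days=90), "online"), (timedelta(days=730), "archive-required"),
         (timedelta(days=2190), "archive-optional")]

def retention_tier(ts, now):
    """Map a record's age to the storage tier item 8 calls for."""
    for limit, tier in TIERS:
        if now - ts <= limit:
            return tier
    return "past-retention"

def check_audit_log(records, now):
    """Return (record_key, problem) findings against items 3 and 8."""
    findings, seen = [], set()
    for rec in records:
        key = rec.get("record_key")
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            findings.append((key, "missing fields: " + ",".join(missing)))
            continue
        if key in seen:
            findings.append((key, "duplicate record key"))
        seen.add(key)
        if rec["action"] not in ACTIONS:
            findings.append((key, "unrecognized action: " + rec["action"]))
        tier = retention_tier(rec["timestamp"], now)
        if tier == "online" and rec.get("store") != "online":
            findings.append((key, "within 90 days but not readily available"))
        if tier == "archive-required" and rec.get("store") not in ("online", "archive"):
            findings.append((key, "within two years but not archived"))
    return findings

# Constructed sample records (not real data); "store" is a hypothetical location tag.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _rec(key, days, user, action, store):
    return {"record_key": key, "timestamp": NOW - timedelta(days=days), "user_id": user, "action": action, "store": store}
SAMPLE = [_rec("A1", 3, "u17", "read", "online"), _rec("A1", 10, "u17", "print", "online"),
          _rec("A3", 40, "u02", "login_failed", "archive"), _rec("A4", 400, "u09", "update", "purged"),
          _rec("A5", 1, "", "delete", "online")]
if __name__ == "__main__":
    for finding in check_audit_log(SAMPLE, NOW):
        print(finding)
```

A record with missing fields is reported once and skipped, since the remaining checks cannot be applied to it reliably.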
In addition to the checklist, there are additional logging and audit control functions that are generally recommended at the SNO and RLS level. Some of these functions are included in other papers of the Markle Connecting for Health Policy Subcommittee, such as tracking of authentication or responses to security breaches, but the list here errs on the side of inclusion:3
Beyond these sorts of compliance efforts, it is recommended that SNOs and the RLS have random audits of demographic and clinical records, based on the level of risk for that portion of the system. SNOs may wish to provide for some level of random audits (sampling) of the participants in the SNOs. Random audits should be done for records held at the SNO level and within the RLS. For the RLS (and where appropriate for each SNO), an independent third-party should perform such random audits, with public reporting of at least the principal results.
This paper provides a general template for assessing where excellent logging and audit practices are especially essential, at the SNO and RLS levels. It then recommends a checklist for audits, as well as a supplementary list of measures to be taken at the SNO and RLS levels to ensure an overall high quality of audit and accountability.
Under the HIPAA Privacy and Security Rules, a legal argument can be made that the high-quality practices set forth in the Specific Logging and Audit Recommendations section of this paper are approximately what is required by the scalable requirements of those rules. Whether or not this legal position is correct, the practices set forth in this paper provide significant detail to assist organizations in developing their own logging and audit practices. A transparent and effective logging and audit control approach can help assure trust in the expanded use of electronic health records by patients and the general public.
One helpful, published source of information on audits is “Security and Privacy Auditing in Health Care Information Technology.” This paper was published in 2001 by the Joint Security and Privacy Committee of three organizations, the National Electrical Manufacturers Association, the European Coordination Committee of the Radiological and Electromedical Industry, and the Japan Industries Association of Radiological Systems, available at: http://www.nema.org/medical. The paper provides a useful synopsis, in six pages, of the elements of an audit for health care information technology.
For additional background, there is a recent paper on “Immutable Audit Logs” by Jeff Jonas and Peter Swire for the Markle Task Force on National Security in the Information Age. See http://www.markle.org. The paper analyzes the heightened auditing procedures that can be used to increase public confidence about systems that are not transparent to the public.
For more information on industry best practices in healthcare security auditing, see RFC 3881 (http://www.faqs.org/rfcs/rfc3881.html), Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications.
Markle Connecting for Health thanks Peter Swire, C. William O’Neill Professor of Law, Moritz College of Law, Ohio State University, for drafting this paper.
©2006-2012, Markle Foundation
These works were originally published as part of the Markle Connecting for Health Common Framework: Resources for Implementing Private and Secure Health Information Exchange. They are made available free of charge, but subject to the terms of a License. You may make copies of these works; however, by copying or exercising any other rights to the works, you accept and agree to be bound by the terms of the License. All copies of these works must reproduce this copyright information and notice.