The U.S. Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 to protect the privacy and security of health information. It was one of the first sectoral security and privacy legislations in the United States. According to the Act, compliance guidelines had to be developed and regulated by the Secretary of the U.S. Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR) with voluntary compliance activities and civil money penalties.
Commonly known as HIPAA, the regulation itself is a series of documents (rules) published later by HHS, which include the Privacy, Security, Breach Notification, and Enforcement Rules. The first two are the most relevant here. The Privacy Rule protects the privacy of individually identifiable health information, called PHI (Protected Health Information). The Security Rule protects a subset of the data covered by the Privacy Rule: all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule calls this information e-PHI (electronic protected health information), and the rule does not apply to PHI transmitted orally or in text.
In January 2013, HHS released the final Omnibus Rule, which updated the HIPAA rules and implemented a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen the privacy and security protections for health information established under HIPAA. The most significant change was to bring business associates under the regulation, which originally had applied only to covered entities.
Who needs to be HIPAA compliant?
Entities handling healthcare information are required to comply with HIPAA, including those handling data on behalf of another entity. HIPAA identifies two types of such entities:
- Covered Entities: organizations that collect, create, or transmit PHI electronically, for instance health care providers, health care clearinghouses, and health insurance providers.
- Business Associates: organizations that encounter PHI in any way over the course of work they have been contracted to perform on behalf of a covered entity. This is a broader category, with examples including IT providers (cloud, MSSP, hosting, hardware maintenance services, etc.), business accounting services, and third-party consultants.
There is no formal HIPAA compliance certification from the federal government or subsidiary regulatory agencies. A HIPAA compliance assessment is an on-going process performed by a third party to assess an organization’s compliance with the HIPAA Privacy, Security, and Breach Notification rules.
What are the penalties?
The Omnibus Rule introduced a penalty scheme with four tiers, ranging from $100 to $50,000 per violation.
It’s worth mentioning that the HIPAA regulation affects organizations regardless of their size and the amount of PHI handled or involved in a breach incident. In 2013, HHS announced the first HIPAA breach settlement involving fewer than 500 patients: the Hospice of Northern Idaho (HONI) agreed to pay the Office for Civil Rights $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
One of the key facets of the HIPAA regulation is timely response to incidents, including proper notification. In 2017, HHS announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information. Presence Health agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and agreeing to implement a corrective action plan.
The penalties are cumulative. In July 2022, an OCR investigation of the Oklahoma State University Center for Health Services found potential violations of the HIPAA Rules, including impermissible uses and disclosures of PHI; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation; failure to implement audit controls and security incident response and reporting; and failure to provide timely breach notification to affected individuals and HHS. With 279,865 e-PHI records affected, these violations added up to an $875,000 penalty.
Over 700 healthcare breaches were reported to the Office for Civil Rights in 2022 alone, affecting more than 50 million healthcare records. Hundreds of investigations opened against organizations for non-compliance with HIPAA can also be found on the OCR breach portal.
What are the requirements for log collection?
Security monitoring and observability are crucial for HIPAA compliance as organizations must be able to audit access to e-PHI, track changes to systems that store e-PHI, and detect and investigate potential security breaches in a timely fashion.
Within the Security Rule (text of the final regulation can be found at 45 CFR Part 160 and Part 164, subparts A and C), three types of safeguards are mentioned: Technical (§164.312), Administrative (§164.308), and Physical (§164.310).
Log collection and management requirements, encompassed by §164.312(b), require Covered Entities and Business Associates to implement mechanisms that record and examine activity in information systems, while §164.308(a)(1)(ii)(D) requires the collected records to be reviewed regularly.
There are also policies and procedures requirements, such as §164.316(b)(2)(i), which establishes a general baseline retention period of six years for related documentation.
Technical safeguards (§164.312):

Section | Requirement
---|---
§164.312(b) | "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
§164.312(e)(2)(i) | "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of."

Administrative safeguards (§164.308):

Section | Requirement
---|---
§164.308(a)(1)(ii)(D) | "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
§164.308(a)(5)(ii)(C) | "Implement procedures for monitoring log-in attempts and reporting discrepancies."
§164.308(a)(6)(i), (ii) | (i) "Implement policies and procedures to address security incidents." (ii) "Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes."

Policies, procedures, and documentation (§164.316):

Section | Requirement
---|---
§164.316(b)(1)(i), (ii) | (i) "Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form;" (ii) "If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment."
§164.316(b)(2)(i) | "Retain the documentation required by paragraph §164.316(b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later."
What are the logs to be collected?
The Security Rule is non-prescriptive: it does not identify what information should be collected in an audit log or trail, or how often audit reports should be reviewed. That makes sense, as the covered entities range from small and medium businesses to large corporations with different security strategies, resources, and budgets. Even so, the requirements seem to be subject to very broad interpretation.
In January 2017, HHS issued a newsletter, "Understanding the Importance of Audit Controls", as a guideline for Security Rule obligations. It stressed that Covered Entities and Business Associates must ensure they appropriately review and secure audit trails and use the proper tools to collect, monitor, and review them. The bulletin also directly requests that audit logs and audit trails be protected from being tampered with by intruders (integrity control).
The document explicitly uses National Institute of Standards and Technology (NIST) terminology and indicates which audit trails and audit logs have to be collected and monitored:
- Application audit trails: monitor and log user activities in the application. This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.
- System-level audit trails: capture successful or unsuccessful log-on attempts, log-on ID/username, date and time of each log-on/off attempt, devices used to log on, and the application the user successfully or unsuccessfully accessed.
- User audit trails: monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files and resources.
The newsletter also notes that only useful information has to be recorded and retained, and that keeping everything may not be good practice for every organization:
"Covered Entities and Business Associates should consider which audit tools may best help them with reducing non-useful information contained in audit records, as well as with extracting useful information."
The following is a non-exhaustive list of examples of important security trails that have to be collected and processed across the e-PHI environment.
- Authentication events (e.g., logins, failed attempts)
- User account events (e.g., new users added, password changes)
- Access level changes (e.g., privilege escalations)
- Access to protected information (e.g., to files and databases)
- Security settings changes
- Software changes (e.g., installation and uninstallation)
- Anti-malware and firewall events
- Operating system events
Monitoring these aspects helps healthcare organizations maintain a solid security posture and demonstrate a responsible approach to HIPAA regulations.
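To make the event categories above concrete, here is an added example (not code from the original article or from NXLog) that sorts constructed Linux-style log lines into those categories and implements the "monitoring log-in attempts and reporting discrepancies" review step: it counts failed log-ons per user and reports those reaching a threshold. The host names, user names, addresses and the `ehr-audit` application format are all made up for the illustration; the regexes would have to be adapted to the real sources in an environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in syslog style; hosts, users and addresses are made up.
# The "ehr-audit" lines stand for an application audit trail; "record" carries an
# opaque pseudonymous reference, not a patient identifier.
SAMPLE_LOGS = """\
Mar 03 08:01:12 ehr-app01 sshd[2201]: Accepted publickey for jdoe from 10.0.5.21 port 51022 ssh2
Mar 03 08:02:40 ehr-app01 sshd[2210]: Failed password for asmith from 10.0.5.77 port 40112 ssh2
Mar 03 08:02:43 ehr-app01 sshd[2210]: Failed password for asmith from 10.0.5.77 port 40112 ssh2
Mar 03 08:02:47 ehr-app01 sshd[2210]: Failed password for asmith from 10.0.5.77 port 40112 ssh2
Mar 03 08:02:51 ehr-app01 sshd[2210]: Failed password for asmith from 10.0.5.77 port 40112 ssh2
Mar 03 08:02:55 ehr-app01 sshd[2210]: Failed password for asmith from 10.0.5.77 port 40112 ssh2
Mar 03 08:05:02 ehr-app01 useradd[2300]: new user: name=rnurse, UID=1042, GID=1042, home=/home/rnurse
Mar 03 08:05:30 ehr-app01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/usermod -aG ehr-admins rnurse
Mar 03 08:10:11 ehr-app01 ehr-audit: user=jdoe action=READ object=patient_record record=tok-3fa9 result=success
Mar 03 08:11:45 ehr-app01 ehr-audit: user=rnurse action=UPDATE object=patient_record record=tok-3fa9 result=success
Mar 03 08:15:00 ehr-app01 dpkg[2400]: install libssl3:amd64 3.0.2-0ubuntu1
Mar 03 08:20:00 ehr-app01 clamd[900]: /tmp/upload.exe: Win.Trojan.Agent FOUND
"""

# Ordered rules: the first regex that matches decides the audit-trail category.
# Category names follow the event types listed above.
RULES = [
    ("authentication", re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+)")),
    ("user_account", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>\w+)")),
    ("access_level_change", re.compile(r"sudo: (?P<user>\S+) .*COMMAND=\S*(usermod|gpasswd|visudo)")),
    ("phi_access", re.compile(r"ehr-audit: user=(?P<user>\S+) action=(?P<action>\w+) object=patient_record")),
    ("software_change", re.compile(r"dpkg\[\d+\]: (install|remove|purge) ")),
    ("anti_malware", re.compile(r"clamd\[\d+\]: .* FOUND$")),
]


def classify(line):
    """Return (category, match) for one log line; unmatched lines count as operating_system events."""
    for category, pattern in RULES:
        m = pattern.search(line)
        if m:
            return category, m
    return "operating_system", None


def summarize(text):
    """Count events per category over a block of log lines."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            counts[classify(line)[0]] += 1
    return counts


def login_discrepancies(text, threshold=5):
    """Users whose failed log-on attempts reach the threshold: the discrepancies a reviewer should see."""
    failures = defaultdict(int)
    for line in text.splitlines():
        category, m = classify(line)
        if category == "authentication" and m.group("result") == "Failed":
            failures[m.group("user")] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{category:22} {n}")
    print("failed log-on discrepancies:", login_discrepancies(SAMPLE_LOGS))
```

The per-category counts are the kind of summary a periodic information system activity review (§164.308(a)(1)(ii)(D)) would be based on, and the threshold report covers the log-in monitoring requirement; the threshold itself is a value the organization's own risk analysis has to set.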
Note: When determining audit controls for information systems containing or using ePHI, you should consider individual HIPAA risk assessment results and organizational factors, such as current technical infrastructure, hardware, and software security capabilities.
Note: You should avoid logging any PHI, as it increases security risk and could be considered a violation, especially when logs are transferred to a third party. When centralizing logs, consider appropriate filtering of logs containing PHI and/or the de-identification techniques described in §164.514(a).
How long should HIPAA audit logs be retained?
The regulation does not explicitly specify a retention period for audit trails, but section §164.316(b)(2)(i), in conjunction with §164.316(b)(1), stipulates that documented actions and activities have to be retained for at least six years. Still, it is a highly nuanced subject, and it’s always a question of what has to be retained for that amount of time and what can be omitted or retained for a significantly shorter period.
The Security Rule is non-prescriptive, and it’s up to the organization to scope critical activities and actions based on its own risk analysis. Having a log retention strategy explicitly considered within the organization’s risk management framework helps to demonstrate proper due diligence during a HIPAA assessment.
The safe way seems to be to keep everything for six years, but managing huge amounts of log data is costly. System storage capacity and budgets need to be considered to determine the retention period individually for each type of audit trail. It also pays to consult with legal experts: specific state laws or other regulations may impose longer retention periods.
How NXLog helps
With its powerful vendor-agnostic log collection capabilities and transformation and analytics features, NXLog becomes a core component of an organization’s log management and HIPAA compliance strategy.
Simplify the process with unified log collection infrastructure
NXLog allows an organization to build a unified log collection mechanism across an organization’s infrastructure. Unified log collection helps to create a comprehensive technical solution and simplify the routines and procedures that must be communicated to and implemented by staff members.
Enable audit logs centralization with nothing missed
NXLog supports all popular and advanced log collection methods. It seamlessly integrates with various data sources, including applications, databases, network appliances, IoT devices, as well as SIEM and APM systems to ensure that an entire HIPAA-covered environment fits into a compliant log management and security process.
Catch important security events faster
With its security observability capabilities, NXLog allows you to track critical HIPAA events both from a system and application level, even before they trigger incidents in security platforms. NXLog complements SIEM/SOAR-powered monitoring and becomes the true frontline of your Security Operations Center.
Save SIEM/APM cold storage costs with pre-forward noise reduction
With its best-on-market event processing engine, NXLog helps to filter out most of the noise from logs before forwarding data to security platforms (SIEM/APM). That speeds up both ingestion and ongoing security log analysis in the SIEM/APM solution while cutting costs for the latter, which is usually priced by EPS (events per second).
Enable cost-efficient audit logs retention
In accordance with the HIPAA Security Rule, audit trails must in general be retained for at least six years. NXLog provides both log filtering and flexible retention and routing mechanisms, so it’s always possible to design the most efficient retention process, including ongoing cool-off.
Ensure sensitive data does not leave HIPAA infrastructure
It’s a crucial capability when data has to be forwarded to other services, including those managed by third parties (such as MSSP service providers).
Enforce audit logs & system files monitoring against unauthorized changes
NXLog provides a File Integrity Monitoring module, im_fim, that detects changes to the file system and promptly raises a security event. That helps to protect both critical system files and retained logs from unauthorized tampering.
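To show what file integrity monitoring of a log archive amounts to, here is an added example written for this article; it is not NXLog's im_fim and makes no claim about how that module works internally. It takes a SHA-256 baseline of every file under a directory, later re-scans and reports added, removed and modified files, and seals the baseline itself with an HMAC so the record of "what the archive looked like" cannot be rewritten unnoticed either. The demo builds a throwaway directory of constructed audit log files, simulates an edit and a dropped-in file, and detects both; the directory layout, file names and key are assumptions for the illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (forward slashes) -> sha256 and size for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def compare(baseline, current):
    """Return added / removed / modified relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def seal(baseline, key):
    """Keyed digest over the canonical baseline, to be stored off-host next to the baseline."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal_valid(baseline, key, expected_seal):
    return hmac.compare_digest(seal(baseline, key), expected_seal)


def demo():
    """Construct an archive of retained audit logs, tamper with it, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        archive = os.path.join(root, "archive")
        os.makedirs(archive)
        with open(os.path.join(archive, "audit-2023-02.log"), "w") as f:
            f.write("user=jdoe action=READ object=patient_record result=success\n")
        with open(os.path.join(archive, "audit-2023-03.log"), "w") as f:
            f.write("user=rnurse action=UPDATE object=patient_record result=success\n")
        baseline = build_baseline(root)
        # Simulated unauthorized changes: a retained log truncated, and a forged file added.
        with open(os.path.join(archive, "audit-2023-03.log"), "w") as f:
            f.write("")
        with open(os.path.join(archive, "audit-2023-04.log"), "w") as f:
            f.write("forged\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to any real deployment: the baseline and its seal have to live somewhere the monitored host's administrators cannot silently rewrite (otherwise an intruder who can edit the logs can edit the baseline too), and a rescan only tells you a change happened, so the comparison result itself should be emitted as a security event into the monitored log stream rather than just printed.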