Institutionally Hosted ePHI Policy
NYIT shall review logs of access and activity of electronic protected health information (ePHI) applications, systems, and networks and address standards set forth by the HIPAA Security Rule to ensure compliance to safeguarding the privacy and security of ePHI. The Security Rule requires healthcare organizations to implement reasonable hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. It does not describe in detail the data that should be gathered in system logs or the length of time these must be kept. Review activities may be limited by application, system, and/or network reviewing capabilities and resources. NYIT shall make reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to reviewing of logs which is consistent with available resources.
Responsible for Implementation:
- Information Technology Services (ITS)
- NYITCOM Academic Technologies Group (ATG)
- Privacy Officer
- NYITCOM HIPAA Compliance Officer
- All NYIT staff, faculty and students
- NYIT's Business Associates
Violation of this policy and its procedures by NYIT users may result in corrective disciplinary action, up to and including termination of employment or in the case of students, dismissal from the Institution. Violation of this policy and procedures by others, including providers, providers' offices, business associates and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.
It is the policy of NYIT to safeguard the confidentiality, integrity, and availability of patient health information applications, systems, and networks. To ensure that appropriate safeguards are in place and effective, NYIT shall periodically review logs of access and activity to detect, report, and guard against:
- Network vulnerabilities and intrusions.
- Breaches in confidentiality and security of patient protected health information.
- Performance problems and flaws in applications.
- Improper alteration or destruction of ePHI (information integrity).
This policy applies to organizational information applications, systems, networks, and any computing devices, regardless of ownership [e.g., owned, leased, contracted, and/or stand-alone).
This policy has been developed to address the organization-wide approach to information system log review processes. Departments and business units shall work with the ITI and ATG to develop specific procedures based on applications and systems for review processes.
The internal process of reviewing information system access and activity (e.g., log-ins, file accesses, and security incidents). A review may be done as a periodic event, as a result of a patient complaint, or suspicion of employee wrongdoing. Review activities shall also respond to NYIT risk assessments.
Records of activity maintained by the system which may include:
- date and time of activity
- origin of activity
- identification of user performing activity
- description of attempted or completed activity; or other activity deemed relevant to the application or platform
A means to monitor information operations to determine if a security violation occurred by providing a chronological series of logged computer events (review logs) that relate to an operating system, an application, or user activities. Review trails provide:
- Individual accountability for activities such as an unauthorized access of ePHI;
- Reconstruction of an unusual occurrence of events such as an intrusion into the system to alter information;
- Problem analysis such as an investigation into a slowdown in a system's performance, and
- Other data as needed based on NYIT objectives
A review trail identifies who (login) did what (create, read, modify, delete, add, etc.) to what (data) and when (date, time).
Electronic Protected Health Information (ePHI):
Electronic protected health information means individually identifiable health information as defined by the Health Insurance Portability and Accountability Act of 1996 as amended that is: transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
Activities that may be indicative of a security breach that require further investigation (See Appendix).
A. Responsibility for reviewing information system access and activity is assigned to NYITCOM's HIPAA Compliance Officer or designee as determined by NYIT's ITI and NYITCOM departments. The responsible individual shall:
- Assign the task of generating reports for review activities to the individual responsible for the application, system, or network.
- Assign the task of reviewing the logs to the individual responsible for the application, system, or network, or any other individual determined to be appropriate for the task.
- Organize and provide oversight to a team structure charged with review compliance activities (e.g., parameters, frequency, sample sizes, report formats, evaluation, follow-up, etc.).
B. NYIT's reviewing processes shall address access and activity at the following levels listed below. Reviewing processes may address date and time of each log-on attempt, date and time of each log-off attempt, devices used, functions performed, etc.
- User: User-level review trails generally monitor and log all commands directly initiated by the user, all identification and authentication attempts, and files, patients, and resources accessed.
- Application: Application-level review trails generally monitor and log user activities, including data files opened and closed, patients accessed, specific actions, and printing reports.
- System: System-level review trails generally monitor and log user activities, applications accessed, and other system defined specific actions.
- Network: Network-level review trails generally monitor information on current operations, penetrations, and vulnerabilities.
C. NYIT shall determine the systems or activities that will be tracked or reviewed by:
- Focusing efforts on areas of greatest risk and vulnerability as identified in the information systems risk analysis and ongoing risk management processes.
- Maintaining confidentiality, integrity, and availability of ePHI applications and systems.
- Assessing the appropriate scope of system reviews based on the size and needs of NYIT by determining:
- information/ePHI at risk,
- systems, applications or processes which are vulnerable to unauthorized or inappropriate access,
- activities that should be monitored (create, read, update, delete = CRUD),
- information to be included in the review record.
- Assessing available organizational resources.
D. NYIT shall identify "trigger events" or criteria that raise awareness of questionable conditions of viewing of confidential information. The "events" may be applied to the entire organization or may be specific to a department, unit, or application (See Appendix – Listing of Potential Trigger Events). At a minimum, NYIT may initiate immediate review in response to:
- Patient complaint
- Employee complaint
- Suspected breach of patient confidentiality
- High risk or problem prone event (e.g., high profile patient admission)
- External report, such as from credit bureau or law enforcement
E. NYIT shall determine review criteria with a risk based approach. This may include but is not limited to reviewing security risk analysis findings, past experience, current and projected future needs, and industry trends and events. NYIT will determine its ability to generate, review, and respond to review reports using internal resources. NYIT may determine that external resources are also appropriate. NYIT recognizes that failure to address automatically generated review logs, trails, and reports through a systematic review process may be more detrimental to the organization than not reviewing at all.
F. NYIT shall designate the employees or contractors who are authorized to use security testing and monitoring tools. Such tools may not be used by anyone not specifically authorized. These tools may include, but are not limited to:
- Scanning tools and devices
- War driving software.
- Password cracking utilities
- Network or wireless packet capture utilities
- Passive and active intrusion detection systems
- Other devices as determined by NYIT
G. Review documentation/reporting tools shall address, at a minimum, the following data elements:
- Authorizing official or policy application, system, network, department, and/or user reviewed
- Review Type
- Individual/Department Responsible for Review
- Date(s) of Review
- Reporting Responsibility/Structure for Review Results
H. The process for review of logs, trails, and reports shall include:
- Description of the activity as well as rationale for performing review.
- Identification of which users or department/unit will be responsible for review (users should not review logs which pertain to their own system activity unless there is no alternative or an inherent conflict of interest).
- Frequency of the review process.
- Determination of significant events requiring further review and follow-up (refer also to NYIT's security incident response policy).
- Identification of appropriate reporting channels for review of results and required follow-up.
I. Vulnerability testing software may be used to probe the network. This may be to identify what is running (e.g., operating system or product versions in place). Any publicly-known vulnerabilities should be corrected. Re-evaluate whether the system can withstand attacks aimed at circumventing security controls.
- Testing may be carried out internally or provided through an external third-party vendor. Whenever possible, a third party reviewing vendor should not be providing the organization IT oversight services (e.g., vendors providing IT services should not be reviewing their own services – separation of duties).
- Testing shall be done on a routine basis.
Review Requests for Specific Cause
- A request may be made for review for a specific cause. The request may come from a variety of sources including, but not limited to, a patient, Human Resources, General Counsel, Internal Audit, ITI and/or a member of NYIT's administration.
- A request for a review for specific cause must include time frame and nature of the request. The request must be reviewed and approved by NYIT's General Counsel.
- A request for a review as a result of a patient concern shall be initiated by NYIT's HIPAA Compliance Officer. Detailed review may be shared with patient. If this is done, a careful explanation must be given to the patient concerning the need for many individuals to have access to records.
- Should the review disclose that a user has accessed a patient's ePHI inappropriately, the information shall be shared with the user's supervisor, Office of Student Affairs and or Human Resources Department to determine appropriate sanction/corrective disciplinary action.
- NYIT may, but is not obligated to share details of the logs with the patient. Prior to communicating with the patient, contact the General Counsel.
Evaluation and Reporting of Review Findings
- System logs that are routinely gathered must be reviewed in a timely manner.
- Report of review of results shall be limited on a minimum necessary/need to know basis. Review of results may be disclosed as deemed necessary. The Privacy Officer may need to be consulted.
- There is no legal requirement to disclose the name of an individual who breached a patient's record. There is also no obligation to share the name of every individual that was involved in processing a patient record. NYIT may choose to disclose this information at its sole discretion.
- The reporting process shall allow for meaningful communication of the review findings to the appropriate departments/units.
- Significant findings shall be reported immediately to the HIPAA Compliance Officer and the Privacy Officer and NYIT's Director of Systems, Networks and Telecommunications in a written format. Applicable NYIT forms may be utilized to report a single event.
- Routine findings shall be reported to the HIPAA Compliance Officer in a written report format.
- Security reviews constitute an internal, confidential monitoring practice that may be included in NYIT's performance improvement activities and reporting. Care shall be taken when releasing the results of the reviews. Review information which may further expose organizational risk should be shared with extreme caution. Generic security review information may be included in organizational reports (PHI shall not be included in the reports).
- Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions shall be documented and shared with the responsible and sponsoring departments/units.
- If criminal activity is discovered during a review, it may be reported to appropriate law enforcement.
Reviewing Business Associate and/or Vendor Access and Activity
- Periodic monitoring of business associate and vendor information system activity should be carried out to ensure that access and activity is appropriate for privileges granted and necessary to the arrangement between NYIT and the external agency.
- If it is determined that the business associate or vendor has exceeded the scope of access privileges, NYIT's leadership must reassess the business relationship (refer to NYIT's business associate agreement/policy).
- If it is determined that a business associate has violated the terms of the HIPAA business associate agreement, NYIT must take immediate action to remediate the situation. Continued violations may result in discontinuation of the business relationship and/or legal remedies.
Review Log Security Controls and Backup
- Review logs shall be protected from unauthorized access or modification, so the information they contain will be available if needed to evaluate a security incident.
- Whenever possible, audit trail information shall be stored on a separate system. This is done to apply the security principle of "separation of duties" to protect audit trails from hackers. Audit trails maintained on a separate system would not be available to hackers who may break into the network and obtain system administrator privileges. A separate system would allow NYIT to detect hacking security incidents.
- Review logs maintained within an application shall be backed-up as part of the application's regular backup procedure.
- NYIT shall review internal backup, storage and data recovery processes to ensure that the information is readily available in the manner required.
Workforce Training, Education, Awareness and Responsibilities
NYIT users are provided training, education, and awareness on safeguarding the privacy and security of business and patient protected health information. NYIT's commitment to reviewing access and activity of the information applications, systems, and networks is communicated through new employee orientation, ongoing training opportunities and events, and applicable policies. Users are made aware of responsibilities with regard to privacy and security of information as well as applicable sanctions/corrective disciplinary actions should the reviewing process detect a user's failure to comply with organizational policies (refer to NYIT's training and/or applicable policies).
External Reviews of Information Access and Activity
Information system review information and reports gathered from contracted external review firms, business associates and vendors shall be evaluated and appropriate corrective action steps taken as indicated. Prior to contracting with an external review firm, NYIT shall:
- Outline the review responsibility, authority, and accountability.
- Choose a review firm that is independent of other organizational operations.
- Ensure technical competence of the review firm staff.
- Require the review firm's adherence to applicable codes of professional ethics.
- Obtain a signed HIPAA-compliant business associate agreement.
- Assign organizational responsibility for supervision of the external review firm.
Retention of Review Information
- Review logs and audit trail report information shall be maintained based on organizational needs. There is no standard or law addressing the retention of review log/trail information. Retention of this information shall be based on:
- Organizational history and experience
- Available storage space
- Reports summarizing review activities shall be retained for a period of six years.
Applicable Standards/Regulations from HIPAA Security Rule:
- 45 CFR § 164.105(c)(2) – Implementation Specification: Retention Period.
- 45 CFR § 164.308(a)(1)(ii)(D) – Information System Activity Review
- 45 CFR § 164.308(a)(5)(ii)(B) & (C) – Protection from Malicious Software & Log-in Monitoring
- 45 CFR § 164.308(a)(2) – HIPAA Security Rule Periodic Evaluation
- 45 CFR § 164.312(b) –Review Controls
- 45 CFR § 164.312(c)(2) – Mechanism to Authenticate ePHI
- 45 CFR § 164.312(e)(2)(i) – Integrity Controls
Appendix: Trigger Events
A list of potential trigger events that may require further investigation/reviewing. Examples include:
- High risk or problem prone incidents or events
- Patient and/or employee complaints
- High profile patient/event (e.g., accident, homicide, assault, etc.
- Requests by law enforcement or other outside agency with proper subpoena if applicable
- Atypical patterns of activity
- Failed authentication attempts
- Users that have the same last name, address, or street name as in the patient file being viewed
- VIPs encounters (board members, celebrities, governmental or community figures, authority figures, physician providers, management staff, or other highly publicized individuals)
- Patient files with no activity for XX days
- Employees viewing other employee records
- Diagnosis related (e.g., STD, HIV, pregnancy, AODA, mental health, etc.).
- Remote access use and activity
- After-hours activity if applicable
- Activity post termination
- Department- or unit-specific circumstances – risk areas to be determined by individual departments/business units:
- Providers viewing files of patients on other units (e.g., medical and surgical nurses viewing files of patients treated only in emergency services or psychiatric services)
- Transcriptionists viewing files of services or patients for whom they did not transcribe reports
- Medicare billers viewing insurance categories they do not process
Policy Version History
CURRENT VERSION (July 10, 2017)
- Brian Maroldo
- Mihir Matalia
- Dr. Brian Harper (Associate Professor/Medical Director)
- Jordan Thompson (Associate General Counsel)
- Rachel Berthoumieux (Senior Director, Internal Audit)
- Dr. Jerry Balentine (Dean, College of Osteopathic Medicine, and Vice President, Health Sciences and Medical Affairs)
- Revised to reflect current rules, technologies, and standards.
** You may request a copy of the all the changes made in this current version by contacting administration at firstname.lastname@example.org.
ORIGINAL VERSION (September 14, 2015)
- HIPAA COW Administrative Workgroup
- HIPAA COW Technical Security Workgroup
- HIPAA COW Physical Security Workgroup