|HIPAA Security Rule
|45 CFR 160, 162, 164
||These rules created standards to address how health information may be used and protected
|45 CFR 164.308(a)(1)(ii)(C) 45 CFR 164.312(b)
||Requires regular monitoring of system activity, including audit logs and access reports, by IT personnel or compliance officers on at least a quarterly basis.
|45 C.F.R. 164.312
||Since an audit trail is created by automated monitoring software that contemporaneously records the manipulation of a patient’s EMR as it occurs, information is recorded every time a user views, edits, prints, deletes, downloads, exports, or otherwise manipulates any part of a patient’s EMR. Federal and state law require these audit controls.
|45 CFR 164.312(b)
||Requires every covered entity or business associate to use standard “audit controls” through implementation of “hardware, software, and/or procedural mechanisms to record and examine system activity in information systems that contain or use electronic protected health information.”
|45 CFR 164.312(c)(1) & (2)
||Requires entities to “implement policies and procedures to protect electronic protected health information from improper alteration or destruction” and implement “mechanisms to authenticate electronic protected health information… to corroborate that electronic health information has not been altered or destroyed in an unauthorized manner.”
|45 CFR 164.312(d)
||Requires entities to implement procedures to authenticate the person or entity seeking record access
|45 C.F.R. 164.316
||Requires entities to document the policies and procedures for the required specifications.
|45 C.F.R. 170
||The subchapter of Health Information Technology’s Part named Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology was adopted to assist in understanding the standards