Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Audit Controls
Policy Number: IS-14 (Technical Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
To describe the internal security controls or records system activity that Drexel University (DU) will utilize for routine reviews of activity of information systems which contain or use electronic protected health information (e-PHI).
DU maintains a comprehensive internal security control program coordinated by DU IT. The audit trail process is an operational process that serves to consolidate all audit mechanisms. It provides a means to detect security breaches and intentional alterations as well as a method to identify errors or duplicate information.
The audit trail component of this program serves to complement DU's ability to ensure data integrity (that data is consistent with its source) by allowing for continual monitoring of user access.
DU has defined its level of audit trail monitoring by carefully considering the level of electronic information to be recorded and the capability of the automated information system.
- Audit Trail Definition
The data selected for the audit trail may be captured by system, application and/or user activity or by full logs, or only on certain users with access to certain information. It is created concurrently (in real time) as the user conducts the action of access. It covers initial access through completion of the action.
- Audit Trail Mechanisms
The mechanisms used by DU to capture audit trail information include, but are not limited to, failed log-in reports and account activity reports.
- Audit Trail Documentation and Retention
DU has a process to retain audit trails, logs and file access reports in exact and retrievable form in a secure manner for at least six (6) years for system-wide applications that contain or use e-PHI (viz., IDX and Allscripts).
- Security Incident Reports
DU has implemented a mechanism to capture and track Security Incident reports.
45 CFR §164.312(b)