Unit 6 – Information Activity Review Audit Trail Assignment Introduction According to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, a covered entity must implement polici

Unit 6 – Information Activity Review Audit Trail 

Assignment Introduction 

According to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, a covered entity  must implement policies and procedure to regularly review records of information system activity such as  audit logs, access reports, and security incident tracking reports (45 CFR 164.308(a)(1)(ii)(D)). Find out  more information regarding the requirement here: 

∙ HIPAA Security Series - 

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es

∙ HIPAA Regulation – https://www.law.cornell.edu/cfr/text/45/164.308 

In addition, covered entities must implement hardware, software, and/or procedural mechanisms that  record and examine activity in information systems that contain or use protected health information (45  CFR 164.312(b)). Find out more information regarding the requirement here: 

∙ HIPAA Security Series, Technical Safeguards – 

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf?language=es

∙ HIPAA Regulation Text – https://www.law.cornell.edu/cfr/text/45/164.312 

Other resources: 

∙ https://www.health.state.mn.us/facilities/ehealth/privacy/index.html#11

∙ www.hipaacow.org 

∙ http://library.ahima.org/doc?oid=300276 

∙ http://bok.ahima.org/doc?oid=300244#.V_6UnfkrJhE 

∙ http://library.ahima.org/doc?oid=300262#.V_6UufkrJhE 

For this assignment, you will use the information above to create an audit form report template with the  appropriate fields that are needed to successfully review activity within information systems containing  protected health information.  

Assignment Scenario 

You just accepted a position at Scholastica Hospital as the Director of Data Integrity and Health  Information Management. One of your main responsibilities is the oversight of the HIPAA Privacy and  Security Regulations. You are currently evaluating the process for reviewing activity with your electronic  health record. You discover the electronic health record vendor produces an audit report that provides the  following information regarding access into the records: 

∙ User Name (Workforce Member) 

∙ Patient’s Name (Who they are looking at) 

∙ Date/Time of Access 

∙ Workstation ID 

When reviewing these reports, you determine that there is not enough information to understand what the  user is doing within the information system. You only know if an employee was in a patient’s chart and the date/time of the access. There is no information or indication to inform you on what the user is doing  within the chart, what the user is looking at, and how long the user was in the chart. Because of this,  audits into the electronic health record are not going well as there is not enough information on access and  reason for access.  

Assignment Instructions 

1. Research the regulation and best practices for implementation of information system activity  review based on the HIPAA regulations 

2. Write a synopsis of the findings from the research, including best practices when designing an  information activity review program for Scholastica Hospital (1 – 2 Pages) 

3. Create a template, with the appropriate fields, for an audit log 

a. Think about what information you would need to have in order to properly evaluation  access into the electronic health record 

b. This may be in Microsoft Word or Excel 

4. Create a findings report for the outcomes of the information activity reviews that you conduct 

a. Think about what information you would want to report out to leadership regarding the

    audits 

Assignment Deliverables 

25 Points Possible 

1. A 1-2 page synopsis of the HIPAA regulations regarding information system activity, including  best practices when designing an information activity review process (10 Points) 

2. A template for an audit report, with the appropriate fields that are needed to properly conduct an  audit. Think about what information you would need on an audit trail from your electronic  system to be able to properly conduct audits (10 Points) 

a. This can be in Microsoft Word of Microsoft Excel 

3. A report template for documenting the outcomes of the information activity reviews that you will  conduct (5 Points) 

Format: Follow correct APA Style and include all required components. 7th edition