Audit Log Monitoring: Tiresome But Oh-So-Necessary


Audit log monitoring is probably one of the most unsexy, uninteresting activities a healthcare organization or business associate has to do.  But neglect it at the risk of your solid bottom line and reputation. Last time we talked about how you can get into legal (and costly) hot water with badly aligned policies and procedures or by having a weak security incident response plan. Audit log monitoring is another hot potato.

Say a patient thinks someone on staff is poking around their medical record, reports it, but you don’t have anything that documents you pre-emptively monitor for nosiness as part of protecting patient privacy. Even worse, say you do have a policy and procedure for audit log monitoring, but again, can’t prove you’re doing it. A prime target for a lawsuit.

I’ve been an expert witness in far too many lawsuits where healthcare organizations or their business associates couldn’t prove they keep watch on audit logs. And while being able to demonstrate monitoring may not prevent the lawsuit from being filed, it can go a long way toward helping you prevail (i.e., not cost you a fortune in money and reputation).

You simply can’t wait until an incident occurs to examine audit logs.

The 2013 HIPAA Omnibus Rule specifically states that if you create audit logs, then you need to look at them. Didn’t do it regularly? Willful neglect. What patient’s attorney won’t use that to their advantage?

If it gets to that point, expect them to point to laws that penalize physical or emotional harm to the patient, claim gross negligence, and so forth. They will, and it won’t look good for you. All because of the lack of audit log monitoring.

We recognize that you may think the strictures around data privacy and security in the time of a pandemic are a bit more forgiving. The reality is, you’re still expected to toe the line when it comes to protecting PHI, access control, and monitoring. Yes, there’s more telework. That means being more cautious, not less. More check-ins, not fewer. (Try these tips to address virtual workplace risk.)

Just because COVID19 makes it harder to hold court in-person doesn’t mean that the legal system has taken a vacation in the healthcare data privacy and security arena. And neither can anyone responsible for protecting patient information.

Do you have a process to check that the process(es) are getting done? If not, or if you’d like to review what you have in place, give us a call [503-384-2538].