§164.312(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Audit Inquiry

Does the entity have policies and procedures in place to implement hardware, software and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI?

Does the entity have hardware, software and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI?

Obtain and review documentation relative to audit controls. Evaluate whether risk-based audit controls have been implemented over all electronic information systems that contain or use ePHI.
Elements to review may include but are not limited to:
• Identification of the risk-based audit controls over all information systems that contain or use ePHI
• How systems and applications are evaluated to determine whether audit controls should be implemented
• Identification of what applications and systems will be audited
• Procedures on how systems will be audited

Obtain and review documentation demonstrating the implementation of hardware, software and/or procedural mechanisms to record and examine activity. Evaluate and determine whether activity in information systems that contain or use ePHI is being recorded and examined, and whether it is being recorded and examined appropriately and in accordance with related policies and procedures.

Required/Addressable

Required