must implement audit controls as a part of their technical
safeguards. The Security
Rule defines this requirement as "implement[ations]
of hardware, software, and/or procedural mechanisms that record
and examine activity in information systems that contain or
protected health information
There is no separate implementation
have flexibility to implement the standard in a manner appropriate
to their needs as deemed necessary by their own risk analyses"
[required as part of the security
management process]. (Final Rule, p.132) But, since the
standard is required rather than addressable, it would appear
that such flexibility does not extend to having no audit trail
mechanisms at all.