audit controls (HIPAA)

Covered entities must implement audit controls as a part of their technical safeguards. The Security Rule defines this requirement as "implement[ations] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information [PHI]." (Note: There is no separate implementation specification.)

"Entities have flexibility to implement the standard in a manner appropriate to their needs as deemed necessary by their own risk analyses" [required as part of the security management process]. (Final Rule, p. 132) But, since the standard is required rather than addressable, it would appear that such flexibility does not extend to having no audit trail mechanisms at all.