publications full of ideas

Tracking the Data Bandits


In the iconic western, Butch Cassidy and the Sundance Kid, Butch and Sundance are hard pressed to evade a posse led by the semi-mythical lawman, Joe Lefors, who is so adept that he manages to track them across solid rock. The latest newsletter from the DHHS Office of Civil Rights highlights the use of critical tools that can track, much like Joe Lefors, malicious or unauthorized access to protected health information.

The January OCR newsletter spotlights the Technical Safeguards provision in the Security Rule, found at 45 C.F.R. § 164.312, where a number of mandatory and addressable safeguards to maintain the confidentiality, integrity and availability of Protected Health Information are set forth. One of the Technical Safeguards is the use of Audit Controls, which the rule defines as: “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Without these measures in place, it will be difficult to identify a threat early on, to limit the damage, or to prove an incident had no impact on PHI. 

Audit Control Features

The terms audit controls, audit logs, or audit trails are often used interchangeably to refer to a record of events or activity on an information system, and in keeping with our western theme, we’ll stick with audit trails as a term to denote any compilation of the records of usage of an information system. OCR’s January 2017 edition of its Cyber Awareness Newsletter illustrates the importance of audit trails in identifying incipient or ongoing threats to PHI, and it provides several examples of how electronic footprints detected in audit trails can be used to protect electronic PHI:

  • Application audit trails – Monitor and log user activities in a particular application. This includes the opening and closing of application data files and the creating, reading, editing, and deleting of application records associated with ePHI.
  • System-level audit trails – Capture successful or unsuccessful log-on attempts, log-on ID/username, date and time of each log-on/off attempt, identify devices used to log-on to a system, and the application that the user successfully (or unsuccessfully) accessed. 
  • User audit trails – Monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as the commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files.

So the idea is to record individual events on a computer system and compile the record of those events for review and future reference. 

Covered Entities and Business Associates should review audit trail data to detect suspicious patterns or levels of activity. The Administrative Safeguards provision of the HIPAA Security Rule, found at 45 C.F.R. § 164.308, requires regular reviews of information system activity.

Audit trails are also important in assessing whether a hacking attempt was successful. Under HIPAA, there is no breach to report if an organization can conclusively demonstrate that even though there was a security incident, data was not accessed, viewed, downloaded or altered. The only way to demonstrate that, although the burden of proof is high, is having strong data audit trails in place to document exactly what happened during an the event, and to demonstrate that PHI was not accessed. Having an audit trail capability in place could save thousands or even millions of dollars in investigation, remediation, compliance, and public relations expenses after an event.

Audit trails also reinforce individual user accountability throughout the workforce. A user’s awareness that a record of the access and use of data is being maintained will enhance compliance with system protocols, and many of the cases of unauthorized access to PHI by members of a workforce have been uncovered through Audit Trails.

Implementing Audit Controls

OCR’s January newsletter emphasizes the HIPAA Security Rule leaves decisions about what data should be collected, and how often it should be analyzed, to each organization, based on its risk analysis: “When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities.” So an organization’s data auditing procedures will be a natural outgrowth of the individualized risk analysis required under the Administrative Safeguards provision of the HIPAA Security Rule.

The OCR newsletter outlines a framework of key questions covered entities and business associates should consider in implementing audit controls:

  • What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
  • What are the audit control capabilities of information systems with ePHI?
  • Do the audit controls implemented allow the organization to adhere to their audit control policies and procedures?
  • Are changes or upgrades of an information system’s audit capabilities necessary?

OCR’s January Newsletter also cautions about the need to secure Audit Controls from malicious access: “Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for Covered Entities and Business Associates to not only recover from breaches, but to prevent them before they happen.”


Audit trails are a critical tool in detecting unauthorized access and use of systems and software that contain ePHI, enforcing workforce compliance, and in being able to show that a malicious attempt to access, alter, or export PHI was unsuccessful, or that it only had a limited impact. The OCR newsletter is a reminder of how important these measures can be in securing ePHI and provides links to these other resources: 

Additional Resources:

National Institute of Standardization and Technology (NIST)  - (NIST Special Publication 800-12 An Introduction to Computer Security: The NIST Handbook)

Department of Health and Human Services, Office for Civil Rights (OCR) - (Technical Safeguards)

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.

Captive Insurers Seminar

what's new at the firm

Mayo named Client Choice Award winner in North Carolina


RALEIGH, N.C. — Poyner Spruill partner Kelsey Mayo has been named the 2019 Client Choice Award winner in the Employment & Benefits category for North Carolina.

Terminating Employment: Best Practices to Navigate the Termination Minefield


How an employer manages an employment termination is often the determinative factor in whether an employee sues for wrongful termination. This webinar discussion focuses upon best practices that should be used to minimize frequency of post-termination lawsuits, severance and release considerations, and essential planning and documentation for termination of an employee.

WEBINAR: The Regulators’ Update


Leadership of the N.C. Adult Care Licensure Section, along with members of the p.s. Health Law Team, will present an update on adult care home survey and regulatory issues, including new developments in regulatory interpretation and application during surveys by the Adult Care Licensure Section.

Poyner Spruill's Hobbs leading client relations presentation at UNC School of Law's Festival of Legal Learning


RALEIGH, N.C. — Poyner Spruill’s Brandi Hobbs will again be a featured speaker in the UNC School of Law’s Festival of Legal Learning. The two-day event offers attendees the chance to earn up to 12 CLE credits and will take place Friday and Saturday, Feb. 8-9, at The William & Ida Friday Continuing Education Center in Chapel Hill.

Twenty attorneys at Poyner Spruill honored in 2019 Super Lawyers list


RALEIGH, N.C. — Poyner Spruill LLP is pleased to announce 16 attorneys at the firm have been selected to the 2019 North Carolina Super Lawyers list. No more than 5 percent of the lawyers in North Carolina are selected.