Md. Code Regs. 10.25.18.06

Current through Register Vol. 51, No. 12, June 14, 2024
Section 10.25.18.06 - [Effective 7/7/2024] Auditing Requirements
A. In order to ensure that only an authorized user who is appropriately authenticated is granted access to HIE information, an HIE shall:
(1) Develop and implement protocols, methodologies, and a monitoring approach designed to discover any unusual finding, which may be identified within an audit of the user access logs, including conducting ongoing electronic monitoring of user access logs and investigate any unusual findings in accordance with this chapter;
(2) Conduct each audit under this regulation in accordance with best practices using industry accepted standards and methodologies;
(3) Conduct random audits of the user access logs to identify any unusual finding; and, if the HIE has been notified about an unusual finding or has reason to believe that inappropriate access has occurred, conduct random audits at least every other week until the unusual finding or inappropriate access has been mitigated;
(4) At least quarterly, conduct random audits of security measures and any other forms of data security in place to determine if they are still sufficient and compliant with applicable standards;
(5) Investigate each unusual finding identified in the access log audit to determine if there has been a violation of Regulation .05 of this chapter;
(6) Resolve an unusual finding by:
(a) Taking actions necessary to correct each identified technical control deficiency; or
(b) Taking remedial action under Regulation .07 of this chapter;
(7) Report any unusual finding to each participating organization involved in the unusual finding, as follows:
(a) If the unusual finding involves fewer than 10 patients, within 5 business days after the unusual finding is discovered;
(b) If the unusual finding involves between 10 and 50 patients, within 2 business days after the unusual finding is discovered; and
(c) If the unusual finding involves more than 50 patients, within 1 business day after the unusual finding is discovered; and
(8) Maintain an audit trail of user access logs in a retrievable storage medium, as follows:
(a) The HIE shall perform periodic testing to ensure that the storage medium being used will allow the data to be recovered.
(b) The HIE shall perform periodic testing and implement upgrades and updates to ensure that the storage medium is secure and has not been improperly accessed.
(c) The data shall be kept for the longest duration of time identified in applicable State and federal requirements.
B. When an HIE has identified a potential breach or non-HIPAA violation, the HIE shall conduct an unscheduled audit within 30 days that:
(1) Gathers relevant information to determine if there is a violation;
(2) Reflects the size and scope of the potential violation; and
(3) Complies with Regulation .08 of this chapter.
C. An HIE shall at least annually enlist a qualified independent auditing firm to audit its privacy, security, and legal compliance in accordance with the following provisions:
(1) The audit shall:
(a) Assess potential risks to protect the confidentiality, integrity, and security of PHI;
(b) Assess operational compliance with State and federal law, including the requirements of this chapter;
(c) Be designed to determine the adequacy of business and technology-related controls, policies, and procedures and other safeguards employed by third-party service organizations based on industry standards and best practices; and
(d) Include an assessment of cybersecurity posture and compliance with this chapter, applicable provisions in HIPAA and HITECH, and recognized security practices by way of accreditation or certification from a nationally recognized entity.
(2) An HIE shall develop auditing policies and procedures for the independent auditor to conduct such an audit, which shall include, at a minimum:
(a) The scope of the audit;
(b) A description of all third-party organizations and processes to review and assess related privacy and security controls and audit reports;
(c) Interviews with relevant staff, including those from third-party service organizations, as appropriate;
(d) Names and contact information of all persons responsible for reviewing and maintaining privacy and security to include the implementation of corrective actions to address apparent gaps; and
(e) Time frames for completing audits and related activities.
(3) An HIE shall provide the audit findings to the Commission in accordance with Regulation .09 of this chapter.
(4) If an audit detects unusual findings, an HIE shall investigate and resolve the matter in accordance with this regulation.
D. Upon the request of the Commission and consistent with the specifications in such request, an HIE shall:
(1) Provide a summary of the results of any audit that is required by this chapter, and any corrective action plans identified by the audit, to the Commission; and
(2) Conduct an additional unscheduled audit within 180 days of the request and provide the results of such an audit to the Commission within the time frame specified by the Commission.
E. If an HIE's audit reveals information that demonstrates a pattern of inappropriate access, use, maintenance, or disclosure of information that constitutes a breach or non-HIPAA violation, or if the health information of more than ten patients was improperly used, accessed, maintained, or disclosed during the 12 months prior to the audit, then:
(1) The HIE shall use the findings from the audit to:
(a) Educate and train all impacted persons, which may include its workforce, participating organizations, and authorized users on proper access, use, and disclosure of information through or from the HIE; and
(b) Evaluate and implement new control measures, including policies, procedures, or technology, to ensure proper use and access of the HIE; and
(2) The HIE shall take the appropriate measures specified in Regulation .07 of this chapter.
F. If an HIE's audit reveals information that demonstrates a pattern of noncompliance with State and federal law, then:
(1) The HIE shall use the findings from the audit to:
(a) Educate and train all impacted persons, which may include its workforce, participating organizations, and authorized users on proper access, use, and disclosure of information through or from the HIE; and
(b) Evaluate and implement new control measures, including policies, procedures, or technology, to ensure compliance; and
(2) The HIE shall take the appropriate measures specified in Regulation .07 of this chapter.
G. An HIE and its participating organizations shall adopt an access and auditing plan that requires the HIE and each participating organization, as applicable, to conduct a random audit of the HIE access logs on a monthly basis.
(1) The random audit included in the plan shall be assigned to the HIE or the participating organizations according to their respective system's technological capabilities.
(2) The access and auditing plan shall include:
(a) The manner used to identify a non-HIPAA violation of this chapter or a breach;
(b) The method to be used to report a non-HIPAA violation of this chapter or a breach;
(c) The reasonable steps that will be taken to promptly mitigate a non-HIPAA violation of this chapter or a breach; and
(d) A review of access logs to ensure that only an authorized user who is appropriately authenticated is granted access to HIE information through a participating organization's third party system.
(3) If a participating organization does not conduct its own audit, it shall review the HIE access logs relating to the participating organization within 10 days of receipt from the HIE. An HIE shall send HIE access logs to each participating organization no less than quarterly.
(a) The purpose of the review is to:
(i) Detect patterns of inappropriate access, use, maintenance, or disclosure; and
(ii) Compare the PHI accessed by the authorized user with the health care provided to assure that the authorized user's use of the HIE is appropriate.
(b) In order to conduct the quarterly review, the HIE shall provide a participating organization with audit record information concerning the participating organization's authorized users' access of the HIE that shall include:
(i) The name and access level of each user;
(ii) The name of the patient whose PHI was accessed;
(iii) The date and time of access; and
(iv) The type of PHI that was accessed.

Regulation .06 amended effective 41:5 Md. R. 344, eff. 3/17/2014; amended effective 43:12 Md. R. 666, eff. 6/20/2016; amended effective 51:3 Md. R. 152, eff. 1/9/2024, exp. 7/7/2024 (Emergency); amended effective 51:9 Md. R. 440, eff. 5/13/2024.