Under the HIPAA and HITECH Regulations (US) is it required for a system to record an audit trail for every time a user accesses any PHI(Protected Health Information)?
As I understand it, an audit trail of user logins is required, as well as any time a user adds, edits, or deletes PHI. Does simply viewing / accessing PHI need to be logged as well?
Simply viewing must be logged.
45 CFR 170.210(b) Record actions related to electronic health information. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded.
