Code of Maryland Regulations (Last Updated: April 6, 2021)
Title 10. Maryland Department of Health
Part 4.
Subtitle 25. MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18. Health Information Exchanges: Privacy and Security of Protected Health Information
Sec. 10.25.18.06. Auditing Requirements
A. In order to ensure that only an authorized user who is appropriately authenticated is granted access to HIE information, an HIE shall:
(1) Develop and implement protocols, methodologies, and a monitoring approach designed to discover any unusual finding that may be identified within an audit of the user access logs, including conducting ongoing electronic monitoring of user access logs and investigating any unusual findings in accordance with this chapter;
(2) Conduct each audit under this regulation in accordance with best practices using industry accepted standards and methodologies;
(3) At least monthly, conduct random audits of the user access logs to identify any unusual finding, and conduct such audits more frequently than monthly if the HIE has been notified about an unusual finding or has reason to believe that inappropriate access has occurred;
(4) Investigate each unusual finding identified in the access log audit to determine if there has been a violation of Regulation .05 of this chapter;
(5) Resolve the matter surrounding an unusual finding by:
(a) Taking actions necessary to correct each identified technical control deficiency; or
(b) Taking remedial action under Regulation .07 of this chapter.
(6) Report any unusual finding to each participating organization involved in the unusual finding as follows:
(a) If the unusual finding involves fewer than 10 patients, in a timely manner;
(b) If the unusual finding involves between 10 and 50 patients, within 2 business days; and
(c) If the unusual finding involves more than 50 patients, within 1 business day; and
(7) Maintain an audit trail of user access logs in a retrievable storage medium.
(a) The HIE shall perform periodic testing to ensure that the storage medium being used will allow the data to be recovered.
(b) The data shall be kept for the longest duration of time identified in applicable State and federal requirements.
B. When an HIE has identified a potential violation of this chapter, the HIE shall conduct an unscheduled audit that shall:
(1) Gather relevant information to determine if there is a violation;
(2) Reflect the size and scope of the potential violation; and
(3) Comply with Regulation .08 of this chapter.
C. An HIE shall conduct an annual privacy and security audit in compliance with the following provisions.
(1) The audit shall be aimed at detecting patterns of inappropriate access, use, maintenance, and disclosure of information that are in violation of this chapter;
(2) An HIE shall provide the audit findings to the Commission in compliance with Regulation .09 of this chapter; and
(3) At the request of the Commission, an HIE shall utilize a qualified third party to conduct an audit on the access, use, and disclosure of information through and the maintenance of information by the HIE.
D. Upon the request of the Commission and consistent with the specifications in such request, an HIE shall:
(1) Provide the results of any audit that is required by this chapter, and any supporting documentation; and
(2) Conduct an additional unscheduled audit and provide the results of such an audit to the Commission within the time frame specified by the Commission.
E. If an HIE's audit reveals information that demonstrates a pattern of inappropriate access, use, maintenance, or disclosure of information that constitutes a breach or violation of this chapter, or if the health information of more than ten patients was improperly used, accessed, maintained, or disclosed during the 12 months prior to the audit, then:
(1) The HIE shall use the findings from the audit to:
(a) Educate and train a participating organization or an authorized user on proper access, use, and disclosure of information through or from the HIE, as appropriate; or
(b) Evaluate and implement new control measures, including policies, procedures, or technology, to ensure proper use and access of the HIE, as appropriate.
(2) The HIE shall take the appropriate measures specified in Regulation .07 of this chapter.
(3) The HIE shall post a publicly available summary report of the audit on the home page of its website within 30 days after completion of the audit and the Commission shall also post the report on the home page of its website.
F. An HIE and its participating organizations shall adopt an access and auditing plan that requires the HIE and each participating organization, as applicable, to conduct a random audit of the HIE access logs on a monthly basis.
(1) The random audit included in the plan shall be assigned to the HIE or the participating organizations according to their respective systems' technological capabilities.
(2) The access and auditing plan shall include:
(a) The manner used to identify a non-HIPAA violation of this chapter or a breach;
(b) The method to be used to report a non-HIPAA violation of this chapter or a breach;
(c) The reasonable steps that will be taken to promptly mitigate a non-HIPAA violation of this chapter or a breach; and
(d) A review of access logs to ensure that only an authorized user who is appropriately authenticated is granted access to HIE information through a participating organization's third party system.
(3) If a participating organization does not conduct its own audit, it shall review the HIE access logs relating to the participating organization within 10 days of receipt from the HIE. An HIE shall send HIE access logs to each participating organization no less than quarterly.
(a) The purpose of the review is to:
(i) Detect patterns of inappropriate access, use, maintenance, or disclosure; and
(ii) Compare the PHI accessed by the authorized user with the health care provided to assure that the authorized user's use of the HIE is appropriate.
(b) In order to conduct the quarterly review, the HIE shall provide a participating organization with audit record information concerning the participating organization's authorized users' access of the HIE that shall include:
(i) The name and access level of each user;
(ii) The name of the patient whose PHI was accessed;
(iii) The date and time of access; and
(iv) The type of PHI that was accessed.