How to meet requirements of HIPAA compliance as a part of a SQL Server audit


What is HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law. Its Security Rule sets national standards for protecting electronic protected health information (ePHI), and its Privacy Rule protects the privacy of patient health information. In simple words, HIPAA requires that the confidentiality, integrity, and availability of all ePHI an organization creates, receives, maintains, or transmits be ensured.

The technical safeguards (45 CFR 164.312) address access control, audit controls, integrity, person or entity authentication, and transmission security. The audit controls standard requires hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. The integrity standard requires that ePHI be protected from improper alteration or destruction, and the access control standard requires that only authorized persons and programs can read it. The administrative safeguards (45 CFR 164.308) cited later in this article are what these technical mechanisms produce evidence for.

Who has to comply with HIPAA

Compliance with HIPAA is mandatory for covered entities: health plans, healthcare clearinghouses, and healthcare providers that conduct standard transactions electronically (hospitals, physicians, home health organizations, long-term care facilities, and so on). Business associates that handle ePHI on a covered entity's behalf are directly liable as well. Compliance is enforced by the HHS Office for Civil Rights, which investigates complaints and breach reports and conducts periodic audits.

To comply with HIPAA, the entity must log and monitor access to, and events on, the databases and objects that contain sensitive patient records, and must be able to produce reports from those records on request.

How to audit a SQL Server instance

ApexSQL Audit is a SQL Server auditing tool built to satisfy auditing regulations. It provides a wide range of options for auditing access, changes, and security on SQL Server instances, databases, and objects. It also audits executed queries and the warnings raised on tables, stored procedures, functions, and views. Captured information is saved in a centralized auditing repository and used to create comprehensive reports.

ApexSQL Audit can help with HIPAA compliance as it:

  • Automatically monitors events so that compliance rules can be verified
  • Provides accurate and relevant reports for compliance reviews
  • Provides reports that help identify risks and vulnerabilities

The reports provided for HIPAA compliance auditing

ApexSQL Audit reports can be used to provide auditing data for the following:

  • HIPAA Standard 164.308(a)(1) Security Management Process

    “Implement policies and procedures to prevent, detect, contain and correct security violations.”*

    ApexSQL Audit reports that cover this requirement:

    • The Audit settings history report shows all changes to the auditing settings. Once auditing is set up properly, no changes should be made without justification. Any unexpected change should be investigated, as it can lead to security and compliance violations, and an attacker who wants to hide activity will often try to switch auditing off first.

    • The Security configuration history report shows security changes on all security entities: logins, users, and roles. Once user permissions are set, changes to them must be monitored, as they can lead to unauthorized access and leaks of sensitive data.

    • HIPAA standard 164.308(a)(1)(ii)(D) Information system activity review

      “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” *

      ApexSQL Audit reports that cover this requirement:

      • The Complete audit trail report shows all events that happened on all audited SQL Server instances.

      • The Access history report shows who accessed what, and when.

      • The Unauthorized access report shows failed login attempts, whether due to a wrong password or to a login that does not exist. Use it to identify and report security incidents; many failures from one client address against several logins in a short period are the typical sign of a password-guessing attack.

  • HIPAA Standard 164.308(a)(3) Workforce security

    “Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.” *

    ApexSQL Audit reports that cover this requirement:

    • The Logon activity history report shows the time, SQL Server instance, login, and machine name for every login, or for a selected one, which helps supervise user activity.

  • HIPAA standard 164.308(a)(4) Information Access Management
    • Access Authorization 164.308(a)(4)(ii)(B)

      “Implement policies and procedures for granting access to electronic protected health information; for example, through access to a workstation, transaction, program, process, or other mechanism.” *

      Once the permissions for your users are set, use the Security configuration history report to confirm that no changes were made and that the permissions initially granted are still in effect. The report shows security changes on all security entities: logins, users, and roles.

    • Access Establishment and Modification 164.308(a)(4)(ii)(C)

      “Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.” *

      The Permission changes report shows who changed a user's permissions, when, and how.

  • HIPAA standard 164.308(a)(5) Security awareness and training
    • Log-in monitoring 164.308(a)(5)(ii)(C)

      “Implement procedures for monitoring log-in attempts and reporting discrepancies.” *

      The Logon activity history report shows all logons, successful and unsuccessful, to a specific SQL Server instance.

  • HIPAA standard 164.308(a)(7) Contingency Plan
    • Backup Plan 164.308(a)(7)(ii)(A)

      “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.” *

      The Backup and DBCC activities report shows when database backups were created, and when and which DBCC statements (such as DBCC CHECKALLOC or DBCC CHECKDB) were executed. Note that a backup record only proves a copy was written; whether it is retrievable is demonstrated by test restores, which 164.308(a)(7)(ii)(D), Testing and revision procedures, requires separately.
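The two requirements above, log-in monitoring and the backup plan, can also be checked directly on the instance with features built into SQL Server. The script below is an added example written for this article; it is not ApexSQL code and does not replace the reports. It assumes SQL Server 2012 or later, a principal with ALTER ANY SERVER AUDIT and VIEW SERVER STATE, and that the audit name HipaaServerAudit, the path D:\SqlAudit\, and the thresholds (5 failures, 24 hours, one day, one hour) are placeholders to adjust to your environment.

```sql
-- Added example, not from the original article or from ApexSQL.
-- Assumptions: SQL Server 2012+, sufficient server-level permissions,
-- and illustrative names, paths and thresholds (change them as needed).

-- 1. Log-in monitoring, 164.308(a)(5)(ii)(C): capture successful and
--    failed logins, changes to server principals and role membership,
--    and changes to the audit itself, with the built-in SQL Server Audit.
USE master;
GO
CREATE SERVER AUDIT HipaaServerAudit
    TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 100)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);   -- ON_FAILURE = SHUTDOWN is stricter but stops the instance if the log cannot be written
GO
CREATE SERVER AUDIT SPECIFICATION HipaaServerAuditSpec
    FOR SERVER AUDIT HipaaServerAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)                 -- tampering with the audit configuration is logged too
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT HipaaServerAudit WITH (STATE = ON);
GO

-- Failed logins in the last 24 hours, grouped by login and client address.
-- action_id 'LGIF' is a failed login; 'LGIS' is a successful one.
-- event_time in the audit file is recorded in UTC.
SELECT server_principal_name,
       client_ip,
       COUNT(*)        AS failed_attempts,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY server_principal_name, client_ip
HAVING COUNT(*) >= 5                         -- assumed threshold; tune to the environment
ORDER BY failed_attempts DESC;

-- 2. Backup plan, 164.308(a)(7)(ii)(A): list every online database whose
--    last full backup is older than a day, or that has no full backup at all,
--    or that is in FULL recovery with no log backup in the last hour.
--    backupset.type: 'D' = full, 'L' = log ('I' = differential, not checked here).
SELECT d.name,
       d.recovery_model_desc,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full_backup,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log_backup
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b ON b.database_name = d.name
WHERE d.state_desc = 'ONLINE'
  AND d.name <> 'tempdb'
GROUP BY d.name, d.recovery_model_desc
HAVING MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) IS NULL
    OR MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) < DATEADD(DAY, -1, GETDATE())
    OR (d.recovery_model_desc = 'FULL'
        AND (MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) IS NULL
             OR MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) < DATEADD(HOUR, -1, GETDATE())));
```

An empty result from the second query is the desired state. Keep in mind that both queries read history a privileged user can alter (the audit files on disk and the msdb tables), so for compliance evidence the output should be copied to a repository that database administrators cannot modify, which is the role a centralized auditing tool plays.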

Compliance with HIPAA is complex and challenging. ApexSQL Audit can help by auditing your SQL Server instances and databases and producing the activity records that the administrative safeguards in 164.308 call for and that the audit controls standard in 164.312(b) requires. It ships with built-in reports for the most common auditing requirements, and if those don't provide the information you need, you can quickly create custom ones.

* U.S. Department of Health & Human Services, HIPAA Administrative Simplification


September 13, 2013