Auditing file access for HIPAA?


Anyone on here using tools to monitor access to SAS files with PHI in them so you can track who has accessed what PHI? Or even just who accessed the file at all?

Our IT folks are doing a log aggregation project where they are trying to pull together records of who accessed PHI when. I can't think of an easy way to track file access. Below is what tech support sent me, plus some other stuff about how certain data management things will actually break the audit trail.

Since it doesn't log read-only access and the trail can be broken pretty easily, not really what we need.

[pre]There is an Audit Trail feature for SAS data sets
but I am not sure this is going to provide you with the
type of data set access information you are looking
for. The SAS Audit Trail cannot track information on
data sets that are opened for read-only access. The
Audit Trail is only for data sets that have been
modified and with the Audit Trail you have to use
certain methods in the DATA step or certain procedures
to preserve the audit trail and prevent it from being
The Audit Trail feature in SAS builds a SAS data set which is maintained by
SAS. Audit trail data sets contain information about modifications to a SAS data
set. Each time an observation is added, deleted, or updated, information is
written to the audit trail data set about who made the modification, what was
modified, and when the modification took place.[/pre]

Anyone have any thoughts?

Running Base + a few other packages, but no BI tools....

Message was edited by: JenHarper

Re: Auditing file access for HIPAA?


You can identify file access with OS tools in most OSes (Windows and *NIX do, probably the rest too); that is how we do it for SAS data. These tools do not address record-level access (which is what the SAS tool does for changes). To me, that audit log is not very useful, as we have few SAS data sets that are modified in place; your mileage may vary.

OS file access is about as good as anyone can reasonably do for read-only activities (and the HIPAA standard is "reasonable"). Even the databases that can record read access at the record level usually have it turned off because the data volume is overwhelming (e.g. Oracle queries that search through millions of records to get a few hundred. It doesn't take long for the audit log to get bigger than the original database.).

You could manually write the code to create the audit logs, but that is not a reasonable solution for most SAS programs.

Doc Muhlbaier
(Research Compliance Privacy Officer)
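
The OS-level approach described in the reply above, as an added example that is not part of the original thread. It assumes a Linux host running auditd with a read watch on a hypothetical `/data/phi` directory tagged with the key `phi_read`, and joins constructed SYSCALL and PATH records into who-opened-which-file rows that a log aggregator could ingest.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in Linux auditd format (not from the thread).
# Assumed watch rule: auditctl -w /data/phi -p r -k phi_read
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 comm="sas" exe="/opt/sas/sas" key="phi_read"
type=PATH msg=audit(1700000000.101:501): item=0 name="/data/phi/claims.sas7bdat" inode=4411 nametype=NORMAL
type=SYSCALL msg=audit(1700000060.250:502): arch=c000003e syscall=257 success=no exit=-13 auid=1002 uid=1002 comm="cat" exe="/usr/bin/cat" key="phi_read"
type=PATH msg=audit(1700000060.250:502): item=0 name="/data/phi/claims.sas7bdat" inode=4411 nametype=NORMAL
type=SYSCALL msg=audit(1700000120.000:503): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 comm="ls" exe="/usr/bin/ls" key="other_key"
type=PATH msg=audit(1700000120.000:503): item=0 name="/tmp/notes.txt" inode=99 nametype=NORMAL
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(((\d+)\.\d+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def access_report(log_text, key="phi_read", suffix=".sas7bdat"):
    """Return one row per audited open of a matching file, in log order."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, event_id, epoch, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[event_id]  # records of one event share timestamp:serial
        if rtype == "SYSCALL":
            ev.update(fields, when=int(epoch))
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    rows = []
    for ev in events.values():
        if ev.get("key") != key:
            continue  # not produced by the PHI watch rule
        when = datetime.fromtimestamp(ev["when"], tz=timezone.utc).isoformat()
        for path in ev["paths"]:
            if path.endswith(suffix):
                rows.append({"time": when, "auid": ev["auid"], "exe": ev["exe"],
                             "path": path, "allowed": ev["success"] == "yes"})
    return rows
```

The `auid` field is the login UID, which stays the same after `su` or `sudo`, so it attributes the access to the person who logged in rather than to a shared service account. Denied attempts (`allowed` false) are kept in the report because they are part of the access record too.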

Re: Auditing file access for HIPAA?

Thanks Doc. I wanted to make sure I wasn't overlooking an obvious SAS tool, but it sounds like the OS is the way to go. Appreciate the input. I'm meeting with our log aggregation guy on Wednesday so the timing is perfect.