Blog Home Page Next article:

HIPAA Understood: Information System Activity Review

This series is intended to help those required to be in compliance with HIPAA understand what is required of them. Regulatory standards are often times difficult to understand as they are worded vaguely. By the end of this series, you will have a better understanding of what is required of you by HIPAA. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.

Having the ability to review system activity is a key element in an effective security program, without being able to effectively see what happened you will be unlikely to determine the cause and implement effective solutions to prevent similar actions in the future. Not only is this a key element in any effective security program it is also required by HIPAA as stated in the following rule:

“164.308(a)(1)(ii)(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

So, what does this rule actual require of you? Well, it’s simple – you need to have a process in place to review the audit logs for all your systems that store, process, and/or transmit PHI/ePHI. Now ideally the review of these logs should be automated and performed by a solution of your choosing, however HIPAA does not require that an automated solution be in place, just that the logs are reviewed. I strongly recommend you make your life a lot easier and get an automated solution as they are more efficient than a manual review.

If a manual review is determined to be your method, ensure that there are at minimum two personnel involved in the review and that the logs are reviewed on a regular basis and documented.  The focus of these reviews is to determine if any inappropriate or unauthorized activity has occurred on your network where ePHI is processed, stored, and/or transmitted. While not specified in this rule, you should still be using the findings from the activity reviews to revise your security program in such a way that prevents further unauthorized or inappropriate activity.