HIPAA - Information System Activity Review 164.308(a)(1)(ii)(D)
Overview:
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Action Items:
1) Obtain and review policies and procedures related to reviewing records of information system activities. Evaluate and determine whether reasonable and appropriate processes are in place to review records of information system activities, such as audit logs, access reports, and security incident tracking reports. Elements to review may include, but are not limited to: how often a review is performed; how reviews are documented; workforce members' roles and responsibilities in the regular review of information system activity records; and the types of activities that may require further investigation.
2) Obtain and review documentation demonstrating which records of information system activities were reviewed, such as audit logs, access reports, and security incident tracking reports. Evaluate and determine whether information system records were reviewed in a timely manner and whether the review was conducted and certified by appropriate personnel.
3) Obtain and review documentation demonstrating the capabilities of the information system activity logs. Evaluate and determine whether key information systems have the capability to generate activity records and, if so, whether those capabilities are turned on and records are actually being generated.
Related Documents:
1) Policies and procedures related to reviewing records of information system activities.
2) Documentation that outlines procedures in place to review records of information system activities, such as audit logs, access reports, and security incident tracking reports.
3) Documentation demonstrating which records of information system activities were reviewed, such as audit logs, access reports, and security incident tracking reports.
4) Documentation demonstrating the capabilities of the information system activity logs.
Additional Guidance:
The information system activity review enables covered entities to determine whether any EPHI (electronic protected health information) is being used or disclosed in an inappropriate manner.
Information system activity review procedures may be different for each covered entity. The procedure should be customized to meet the covered entity’s risk management strategy and take into account the capabilities of all information systems with EPHI.
Sample questions for covered entities to consider:
- What are the audit and activity review functions of the current information systems?
- Are these information system functions adequately used and monitored to promote continual awareness of information system activity?
- What logs or reports are generated by the information systems?
- Is there a policy that establishes what reviews will be conducted?
- Is there a procedure that describes specifics of the reviews?