What is "Information System Activity Review" Under the HIPAA Security Rule?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Security Rule administrative safeguards are set forth at 45 CFR 164.308. The safeguards consist of specific standards to be followed by covered entities and business associates.

The first of these standards is the "security management process" standard. Per the security management process standard, covered entities and business associates must implement policies and procedures to prevent, detect, contain, and correct security violations.

The four required components of the security management process are:

1. Conducting a risk analysis
2. Implementing risk management measures
3. Applying appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

4. Information system activity review

What is Required to Conduct "Information System Activity Review"?
To satisfy the "information system activity review" requirement, covered entities and business associates must "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."

Put more simply, covered entities and business associates must establish procedures. These procedures must call for regular review of records. Records of what? Information system activity.

What are records of information system activity? Records of information system activity include (among other things):

1. Audit logs
2. Access reports
3. Security incident tracking reports

Regular review of these records allows for detection of security violations.