What is "Information System Activity Review" Under the HIPAA Security Rule?

Modified on Thu, 24 Jul at 9:45 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

As part of the "Security Management" process standard of the HIPAA Security Rule (this is the standard that also requires a security risk analysis, and risk management), covered entities and business associates must perform "Information System Activity Review." This article goes over what constitutes information system activity review.

What is the Security Management Process Standard?

The HIPAA Security Rule administrative safeguards are set forth at 45 CFR 164.308. The safeguards consist of specific standards to be followed by covered entities and business associates.

The first of these standards is the "security management process" standard. Per the security management process standard, covered entities and business associates must implement policies and procedures to prevent, detect, contain, and correct security violations.


The four required components of the security management process are:

1. Conducting a risk analysis
2. Implementing risk management measures
3. Applying appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

4. Information system activity review

What is Required to Conduct "Information System Activity Review"?

To satisfy the "information system activity review" requirement, covered entities and business associates must "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."

HHS guidance provides that "The information system activity review enables [HIPAA-covered entities] to determine if any ePHI is used or disclosed in an inappropriate manner." The guidance continues, "Information system activity review procedures may be different for each covered entity [and business associate]. The procedure should be customized to meet the covered entity's risk management strategy and take into account the capabilities of all information systems with ePHI."

The guidance notes that covered entities and business associates should consider the following questions when implementing the information system activity review standard (a standard which, the guidance notes, should also promote continual awareness of any information system activity that could suggest a security incident):

1. Are the information system functions adequately used and monitored to promote continual awareness of information system activity?

2. What logs or reports are generated by the information systems?

3. Is there a policy that establishes what reviews will be conducted?

4. Is there a procedure that describes specifics of the review?

A best practice is to conduct a periodic review of all employees' access to your information systems on a predetermined time frame. The time frame for conducting these audits depends on a covered entity's or business associate's operations. If a covered entity or business associate has high employee turnover or frequently moves individuals to different roles with different access requirements, information system activity reviews should be performed frequently. If a covered entity or business associate has a very static workforce that remains in the same roles and has very little turnover, reviews might be performed less frequently, as appropriate for the risk present in the entity's operations.
