In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required.
What to Do
Implement procedures to regularly review records of information of system activity, such as audit logs, access reports, and security incident tracking reports.
How to Do It
Size of the covered entity and complexity of the business operation will be key considerations in the risk analysis and in fulfilling the requirements of this implementation specification.
First, regularly review information system activity for inappropriate use or security incidents, such as unauthorized disclosure. Many computer systems now have built-in reporting functionality that will facilitate the review requirement. If the covered entity has a business associate vendor that provides a practice management system software solution, the covered entity should ask the vendor for help in utilizing automatic reporting functionality, establishing audit logs and access reports, and identifying and tracking security violations. As part of the risk analysis, and in preparing security policies and procedures, the covered entity should identify information and reporting requirements for:
» Creating audit log entries.
» Safeguarding all written documentation, including policies and procedures.
» Establishing safe storage requirements for maintaining written documentation and for backup of electronic documentation for at least six years.
The requirement to report, review, and document is the same for all covered entities, irrespective of size or business complexity.