HIPAA requires regular monitoring and review of user logins and activity in software and on networks. These reports are generally referred to as audit logs. They can help identify system performance issues as well as security incidents and breaches. You might think of them as a very detailed internet browser history report. All machines, networks, and software systems have an audit log.
Your IT Support should monitor complex system logs for things like network security. However, it is your responsibility to review user login and activity in the software systems containing PHI for which you manage user accounts. The main reason to review audit logs is to detect threats to PHI and prevent unauthorized access and breaches.
A user with administrator rights can typically access reporting features for auditing. Check with your software provider or user manual for specific instructions. This is a critical feature for all software that is required to comply with HIPAA.
Audit logs contain a very large amount of data, and it can be difficult to figure out just what you need to review. In fact, there are entire software systems dedicated to analyzing audit logs from other systems. You do not have to review every single line of an audit log report. A visual overview can be acceptable. Look for trends or focus on specific issues in the same way one would review credit card or bank account statements looking for abnormal charges. Look for these red flags that indicate a problem.
- A log-in report from your EHR showing a high volume of unsuccessful log-in attempts by a user. This may indicate that a hacker is trying to guess a user’s password to gain unauthorized access to your system. Contact your IT Support for assistance.
- A log-in to an account of an employee who no longer works at your practice. Disable the account immediately, document the incident, and assess the potential for a breach.
- A report on the activity or history of a user. You should not see a user accessing a particular patient’s record more often than necessary or accessing records of patients they are not directly treating. This might be someone accessing the record of a friend or family member out of curiosity. This could be an indication of a workflow problem or possible identity theft.
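The three red flags above can be checked mechanically once a log export is in hand. The following is an added example, not part of the original guidance or any EHR vendor's tooling; the pipe-delimited log format, the event names, the sample entries and the thresholds are all constructed assumptions.

```python
# Added example (not from the page): flag the three red flags above in a
# constructed EHR audit log. Format, event names and thresholds are assumed.
from collections import Counter

# Constructed sample log: timestamp|user|event|patient_id (blank for log-ins)
SAMPLE_LOG = """\
2024-03-04T08:01:12|jsmith|LOGIN_FAIL|
2024-03-04T08:01:30|jsmith|LOGIN_FAIL|
2024-03-04T08:01:41|jsmith|LOGIN_FAIL|
2024-03-04T08:02:05|jsmith|LOGIN_FAIL|
2024-03-04T08:02:19|jsmith|LOGIN_FAIL|
2024-03-04T08:15:00|rlee|LOGIN_OK|
2024-03-04T08:40:02|mjones|LOGIN_OK|
2024-03-04T09:05:44|akhan|LOGIN_OK|
2024-03-04T09:06:01|akhan|RECORD_VIEW|P-2042
2024-03-04T11:30:17|akhan|RECORD_VIEW|P-2042
2024-03-04T14:12:55|akhan|RECORD_VIEW|P-2042
"""

# Constructed: accounts of staff who have left the practice
TERMINATED_ACCOUNTS = {"mjones"}


def parse_log(text):
    """Yield (timestamp, user, event, patient) tuples from pipe-delimited lines."""
    for line in text.splitlines():
        if line.strip():
            ts, user, event, patient = line.split("|", 3)
            yield ts, user, event, patient


def review_audit_log(text, terminated, fail_limit=5, view_limit=3):
    """Return a list of findings; each finding is a (flag, user, detail) tuple."""
    failed_logins = Counter()   # user -> number of failed log-ins
    record_views = Counter()    # (user, patient) -> number of chart views
    findings = []
    for ts, user, event, patient in parse_log(text):
        if event == "LOGIN_FAIL":
            failed_logins[user] += 1
        elif event == "LOGIN_OK" and user in terminated:  # red flag 2
            findings.append(("terminated_account_login", user, ts))
        elif event == "RECORD_VIEW":
            record_views[(user, patient)] += 1
    for user, n in failed_logins.items():
        if n >= fail_limit:  # red flag 1: possible password guessing
            findings.append(("excessive_failed_logins", user, n))
    for (user, patient), n in record_views.items():
        if n >= view_limit:  # red flag 3: same chart opened unusually often
            findings.append(("repeated_record_access", user, f"{patient} x{n}"))
    return findings
```

Each finding still needs a human decision (a clinician legitimately treating a patient may open the chart often), which is why the thresholds are parameters rather than fixed rules.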
If you find something wrong, contact your Privacy/Security Officer and follow your HIPAA security incident policies and procedures. This may include contacting your IT Support for further investigation.
HIPAA requires a patient to be notified of a breach within 60 days of its discovery, so it is a good idea to set a calendar reminder to review log-in and user activity at least every 30-45 days. It is not necessary or practical to retain entire audit logs due to their size. However, it is important to retain a record that documents the date of each review. Keep any portion of the log or report applicable to an incident or breach for 6 years to show compliance with HIPAA. A sample audit log tracker is available on the TMC Client Portal.