4.3.G HIPAA/Privacy - Information System Activity Review

  • POLICY:

    Lister Healthcare Corporation (LHCC) has a duty to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, for the information systems that LHCC maintains and operates, in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(D) (Information System Activity Review).

    This policy applies to LHCC, in its entirety, including all systems that process electronic protected health information (ePHI) that LHCC maintains and operates.

    PROCEDURE:

    LHCC will clearly identify all of its critical systems that process ePHI. LHCC will implement security procedures to regularly review the records of information system activity on all such critical systems that process ePHI.

    Audit logs and access reports, including security incident tracking reports, must capture as much of the following as is reasonable and appropriate:

    • User IDs
    • Dates and times of log-on and log-off
    • Terminal identity, IP address and/or location, if possible
    • Records of successful and rejected system access attempts

    Safeguards must be deployed to protect the logging facility and its records against unauthorized changes and operational problems, including:

    • The logging facility being deactivated
    • Alterations to the message types that are recorded
    • Log files being edited or deleted
    • Log file media becoming exhausted, and either failing to record events or overwriting itself
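    One way to make the third and fourth safeguards above verifiable in practice is a tamper-evident audit log, in which every record carries the fields listed earlier together with a keyed digest over its own content and the previous record's digest. The following is an added illustration and is not part of LHCC's policy or any LHCC system; the key, field names, and sample events are constructed for the example. It generalizes slightly beyond the list above: the verifier distinguishes an altered record, a deleted record, and a truncated tail, and shows why the last digest must be stored somewhere the log writer cannot reach.

```python
"""Hash-chained audit log (example only, not LHCC code).

Each record links to its predecessor through an HMAC-SHA256 over
(previous MAC, canonical record). Editing a record, deleting one, or
cutting the tail off the file is detected on review.
"""
import hashlib
import hmac
import json

# Assumed: the key lives with the log collector, not on the hosts being
# monitored, so nobody on a monitored system can recompute a valid MAC.
CHAIN_KEY = b"example-only-key-replace-with-managed-secret"
GENESIS = "0" * 64  # link value for the first record

# Constructed sample events carrying the fields the policy lists:
# user ID, logon/logoff time, terminal identity and IP, and the outcome
# (successful or rejected access attempt).
SAMPLE_EVENTS = [
    {"user_id": "jdoe", "event": "logon", "result": "success",
     "ts": "2016-11-01T08:02:11Z", "terminal": "WS-0143", "ip": "10.20.4.17"},
    {"user_id": "asmith", "event": "logon", "result": "rejected",
     "ts": "2016-11-01T08:03:40Z", "terminal": "WS-0207", "ip": "10.20.4.61"},
    {"user_id": "asmith", "event": "logon", "result": "rejected",
     "ts": "2016-11-01T08:03:52Z", "terminal": "WS-0207", "ip": "10.20.4.61"},
    {"user_id": "jdoe", "event": "logoff", "result": "success",
     "ts": "2016-11-01T17:10:05Z", "terminal": "WS-0143", "ip": "10.20.4.17"},
]


def canonical(record):
    """Deterministic JSON so the same fields always hash the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_mac(record, prev_mac, key=CHAIN_KEY):
    """HMAC over the previous link and this record's canonical content."""
    msg = prev_mac.encode() + b"\n" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def write_chain(events, key=CHAIN_KEY):
    """Return (lines, head): one JSON line per record and the final MAC.

    The head must be kept outside the log file (e.g. sent to the review
    system after each batch); without it, tail truncation is undetectable.
    """
    prev = GENESIS
    lines = []
    for seq, event in enumerate(events, start=1):
        record = dict(event, seq=seq)
        mac = record_mac(record, prev, key)
        lines.append(canonical(dict(record, prev=prev, mac=mac)).decode())
        prev = mac
    return lines, prev


def verify_chain(lines, expected_head=None, key=CHAIN_KEY):
    """Return (ok, seq, reason); seq is the first record that fails."""
    prev = GENESIS
    expected_seq = 1
    for line in lines:
        stored = json.loads(line)
        mac = stored.pop("mac", None)
        prev_field = stored.pop("prev", None)
        seq = stored.get("seq")
        if seq != expected_seq:
            return False, expected_seq, "sequence gap: a record was deleted or the file rewritten"
        if prev_field != prev:
            return False, seq, "chain break: record does not link to its predecessor"
        if mac is None or not hmac.compare_digest(record_mac(stored, prev, key), mac):
            return False, seq, "record altered: MAC does not match content"
        prev = mac
        expected_seq += 1
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, expected_seq, "tail truncated or stale: head does not match stored head"
    return True, None, "ok"


if __name__ == "__main__":
    lines, head = write_chain(SAMPLE_EVENTS)
    print("intact:   ", verify_chain(lines, head))
    edited = lines[:1] + [lines[1].replace('"result":"rejected"', '"result":"success"')] + lines[2:]
    print("edited:   ", verify_chain(edited, head))
    print("deleted:  ", verify_chain(lines[:1] + lines[2:], head))
    print("truncated:", verify_chain(lines[:-1], head))
```

    The sequence number covers deletion in the middle of the file, the MAC covers edits, and the externally stored head covers truncation at the end; the first two safeguards in the list (logging switched off, message types changed) are not visible inside the file itself and need a heartbeat record and configuration monitoring on the collector, and media exhaustion needs free-space alerting independent of this chain.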

    The Privacy Officer will clearly identify:

    • The systems that must be reviewed
    • The information on these systems that must be reviewed
    • The types of access reports that are to be generated
    • The security incident tracking reports that are to be generated to analyze security violations
    • The individual(s) responsible for reviewing all logs and reports

    When assigning responsibility for the review, separation of duties should be applied so that the person(s) performing the review are not the same individuals whose activities are being monitored.

    Revised 11/2016
