© 2026 D3rx. All rights reserved.

Administrative Safeguards (164.308)

Information System Activity Review Policy

45 CFR § 164.308(a)(1)(ii)(D)

Requires regular review of audit logs, access reports, and security incident tracking across all systems that store or transmit ePHI. Critical for detecting unauthorized access before it becomes a breach.

What's Included

  • Policy document
  • Audit log review checklist
  • Review schedule template
  • Implementation checklist
  • Annual review template
2 pages · ~869 words · 8 sections · Estimated customization: ~10 minutes · Last updated May 2026

Sample Preview


Information System Activity Review Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy establishes the requirements for regularly reviewing records of information system activity, including audit logs, access reports, and security incident tracking reports, for all systems that contain or process ePHI at [PRACTICE NAME]. Proactive review of system activity is essential for detecting unauthorized access, preventing breaches, and maintaining accountability.

2. Scope

This policy applies to all information systems owned, operated, or managed by [PRACTICE NAME] that create, receive, maintain, or transmit ePHI. This includes EHR systems, practice management software, patient portals, email systems, file servers, cloud services, and any other system or application that processes ePHI. It applies to all workforce members responsible for administering, monitoring, or using these systems.

3. Policy Statement

[PRACTICE NAME] shall implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, as required by 45 CFR § 164.308(a)(1)(ii)(D). Reviews shall be conducted frequently enough to detect unauthorized activity in a timely manner and at minimum on a [WEEKLY/MONTHLY] basis. Anomalies and potential security incidents identified during review shall be investigated and documented.

4. Definitions

Audit Log: A chronological record of system activities that provides documentary evidence of the sequence of activities affecting a specific operation, procedure, or event. Typically includes user identity, date/time, action performed, and the data or system affected.

Access Report: A summary of user access activities, including successful and failed login attempts, records accessed, and modifications made.

Security Incident Tracking Report: Documentation of suspected or confirmed security incidents, including the nature of the incident, systems affected, and response actions taken.

Anomaly: Any system activity that deviates from expected patterns and may indicate unauthorized access, misuse, or a security incident.

5. Procedures

1. AUDIT LOG CONFIGURATION

1.1 Ensure all systems containing ePHI are configured to generate audit logs that capture at minimum: user identification, date and time of activity, type of action (create, read, update, delete, print, export), the specific records or data accessed, and success or failure of the action.

1.2 Audit logs shall be protected from unauthorized modification or deletion. Logs shall be stored in a separate, secured location or system where feasible.

1.3 As a matter of [PRACTICE NAME] policy, audit logs shall be retained for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later. The Security Rule does not itself set a retention period for audit logs; 45 CFR § 164.316(b)(2)(i) requires six-year retention of required Security Rule documentation, which includes the records of these reviews and their findings. [PRACTICE NAME] applies the same period to the underlying audit logs so that a finding can always be traced back to the log entries that produced it.

2. REVIEW SCHEDULE

2.1 The [SECURITY OFFICER/IT MANAGER] shall conduct a review of system activity records no less frequently than [WEEKLY/MONTHLY].

2.2 The following activities shall be reviewed during each cycle:
  • Failed login attempts (look for patterns indicating brute-force attacks or unauthorized access attempts)
  • After-hours access to ePHI systems
  • Access to records outside the user's assigned patients or job function
  • Bulk record access, exports, or downloads
  • Changes to user permissions or system configurations
  • Any access flagged by the EHR's built-in anomaly detection (if available)

2.3 Additional ad-hoc reviews shall be conducted following any security incident, breach report, or workforce complaint.
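The items in 2.2 can be turned into a first-pass screen that the reviewer runs before reading logs by hand. The script below is an added illustration, not part of the template, and is not code from D3rx or from any EHR vendor. It assumes audit records in the minimum shape Procedure 1.1 calls for (user, timestamp, action, record touched, success flag), business hours of 07:00 to 19:00 on weekdays, a per-user patient assignment map, and thresholds of five failed logins and ten distinct records per cycle. All sample records, user names and patient IDs are constructed for the example; tune the thresholds to the practice's own risk profile, as section 7 requires.

```python
"""Added example: screen constructed ePHI audit-log records against the
review items in Procedure 2.2 (failed logins, after-hours access, access
outside assignment, bulk access, privilege changes)."""
from collections import Counter, defaultdict
from datetime import datetime, time

EPHI_ACTIONS = {"read", "update", "delete", "print", "export"}
PRIVILEGE_ACTIONS = {"permission_change", "config_change"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed practice hours

# Constructed sample records (not from any real system), in the minimum shape
# Procedure 1.1 asks for: user, timestamp, action, record affected, success.
SAMPLE_LOG = (
    [{"ts": f"2026-05-04T08:0{i}:00", "user": "jdoe", "action": "login",
      "record": "", "ok": False} for i in range(6)]              # 6 failed logins
    + [{"ts": "2026-05-04T08:07:00", "user": "jdoe", "action": "login", "record": "", "ok": True},
       {"ts": "2026-05-04T09:10:00", "user": "jdoe", "action": "read", "record": "P100", "ok": True},
       {"ts": "2026-05-04T09:12:00", "user": "jdoe", "action": "read", "record": "P300", "ok": True},
       {"ts": "2026-05-04T22:30:00", "user": "rsmith", "action": "read", "record": "P200", "ok": True},
       {"ts": "2026-05-09T10:00:00", "user": "rsmith", "action": "read", "record": "P200", "ok": True},
       {"ts": "2026-05-04T15:00:00", "user": "admin", "action": "permission_change",
        "record": "user:jdoe", "ok": True}]
    + [{"ts": f"2026-05-04T14:{i:02d}:00", "user": "bclark", "action": "export",
        "record": f"P{400 + i}", "ok": True} for i in range(12)]  # bulk export
)

# Assumed patient assignments. Users absent from this map (e.g. billing staff
# with role-wide access) are not checked against patient assignment.
ASSIGNED_PATIENTS = {"jdoe": {"P100", "P101"}, "rsmith": {"P200"}}


def review(records, assigned, failed_threshold=5, bulk_threshold=10):
    """Return one finding per 2.2 item that fires. The list (including an empty
    one) is what Procedure 4.1 asks the reviewer to record for the cycle."""
    findings = []
    failed_logins = Counter()
    records_touched = defaultdict(set)

    for r in sorted(records, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(r["ts"])
        user, action = r["user"], r["action"]
        if action == "login" and not r["ok"]:
            failed_logins[user] += 1
        elif action in EPHI_ACTIONS:
            records_touched[user].add(r["record"])
            after_hours = ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)
            if after_hours:
                findings.append({"check": "after_hours", "user": user,
                                 "detail": f"{action} {r['record']} at {r['ts']}"})
            own = assigned.get(user)
            if own is not None and r["record"] not in own:
                findings.append({"check": "outside_assignment", "user": user,
                                 "detail": f"{action} {r['record']} not in assigned patients"})
        elif action in PRIVILEGE_ACTIONS:
            findings.append({"check": "privilege_change", "user": user,
                             "detail": f"{action} on {r['record']} at {r['ts']}"})

    for user, n in failed_logins.items():
        if n >= failed_threshold:
            findings.append({"check": "failed_logins", "user": user,
                             "detail": f"{n} failed logins in cycle"})
    for user, recs in records_touched.items():
        if len(recs) >= bulk_threshold:
            findings.append({"check": "bulk_access", "user": user,
                             "detail": f"{len(recs)} distinct records in cycle"})
    return findings


def summarize(findings):
    """Count of findings per check, for the cycle summary in 4.1."""
    return Counter(f["check"] for f in findings)


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, ASSIGNED_PATIENTS):
        print(f"[{f['check']}] {f['user']}: {f['detail']}")
```

A hit from this screen is a candidate for the 3.1 investigation, not a conclusion: the reviewer still has to establish whether the access was authorized, and a cycle with no hits is still documented as "no anomalies detected". Real EHR exports will use different field names and time zones, so the parsing and the business-hours window must be adapted to the system in scope.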

3. ANOMALY INVESTIGATION

3.1 When an anomaly is detected during review, the reviewer shall document the finding and initiate an investigation within [NUMBER] business days.

3.2 The investigation shall determine: the identity of the user involved, the nature and extent of the activity, whether the activity was authorized, whether ePHI was compromised, and what corrective action is needed.

3.3 If the investigation reveals a potential breach of unsecured PHI, the Breach Notification Policy shall be activated.

3.4 If the investigation reveals a workforce policy violation, the Sanction Policy shall be applied.

4. DOCUMENTATION

4.1 Each review cycle shall be documented with: the date of the review, the systems reviewed, the reviewer's name, a summary of findings (including "no anomalies detected" if applicable), and any follow-up actions taken.

4.2 Review documentation shall be maintained for a minimum of six (6) years.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Establishes the review schedule and procedures. Conducts or oversees system activity reviews. Investigates anomalies and documents findings. Reports findings to practice leadership. Ensures review documentation is retained.

IT Manager/Vendor ([IT CONTACT NAME]): Configures audit logging on all ePHI systems. Provides audit log data and access reports to the Security Officer. Assists with anomaly investigation. Ensures log integrity and retention.

Practice Administrator ([ADMINISTRATOR NAME]): Reviews summary reports from the Security Officer. Allocates resources for investigation and remediation. Supports enforcement actions when violations are identified.

All Workforce Members: Use systems only within their authorized scope. Report suspicious activity or potential security concerns to the Security Officer.

7. Review Schedule

This policy shall be reviewed at least annually and updated to reflect changes in information systems, logging capabilities, or regulatory guidance. The review schedule for system activity (e.g., weekly or monthly cycle) shall also be evaluated during the annual policy review to confirm it is adequate for the practice's risk profile.

8. Regulatory References

  • 45 CFR § 164.308(a)(1)(ii)(D) — Information system activity review (Required)
  • 45 CFR § 164.312(b) — Audit controls (Required)
  • 45 CFR § 164.308(a)(6)(ii) — Security incident response and reporting
  • 45 CFR § 164.316(b)(2)(i) — Security Rule documentation retention (6 years)
  • NIST SP 800-92 — Guide to Computer Security Log Management


Templates require customization and legal review before adoption. Not legal advice. See full disclaimer.