Add to collection(s) Add to saved
  1. No category

Standard Security #0001d - Information System Review

East Carolina University
HIPAA Security Standards
Subject: Information System Activity
Review
Standard #: Security-0001d
Supersedes:
Effective Date: April 21, 2005
Coverage: ECU Health Care Components
Page: 1 of 2
Approved:
Revised: December 9, 2010,
March 30, 2012, May 30, 2013
Review Date: May 30, 2013
HIPAA Security
Rule Language:
“Implement procedures to regularly review records of information system
activity, such as audit logs, access reports, and security incident tracking
reports.”
Regulatory
Reference:
45 CFR 164.308(a)(1)(ii)(D)
I.
PURPOSE
This standard reflects East Carolina University’s commitment to regularly review records
of activity on information systems containing EPHI.
II.
AUTHORIZATION AND ENFORCEMENT
Health Care component management and/or administrator(s) are responsible for
monitoring and enforcing this policy, in consultation with the ECU IT Security Officer,
ECU HIPAA Security Officer, and ECU HIPAA Privacy Officer.
III. STANDARD
ECU Health Care Components must regularly review records of activity on information
systems containing EPHI. Appropriate hardware, software, or procedural auditing
mechanisms must be implemented on information systems that contain or use EPHI.
Records of activity created by audit mechanisms implemented on information systems
must be reviewed regularly.
IV. APPLICABILITY
This standard is applicable to all workforce members who are responsible for or
otherwise administer a healthcare computing system. A healthcare computing system is
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only. All other rights reserved
Page 1 of 2
HIPAA Security Standard # 0001d: Information System Activity Review
defined as a device or group of devices that store EPHI which is shared across the
network and accessed by healthcare workers.
V.
PROCEDURE
1. ECU Health Care Components must regularly review records of activity on
information systems containing EPHI. Records of activity may include but are not
limited to:
a.
b.
c.
Audit logs
Access reports
Security incident tracking reports
2. Appropriate hardware, software, or procedural auditing mechanisms must be
implemented on ECU information systems that contain or use EPHI. At a minimum,
such mechanisms must provide the following information if feasible:
a.
b.
c.
d.
Date and time of activity
Origin of activity
Identification of user performing activity
Description of attempted or completed activity
3. Such review must be via a formal documented process. At a minimum, the process
must include:
a.
b.
c.
d.
Definition of which workforce members will review records of activity
Definition of what activity is significant
Procedures defining how significant activity will be identified and reported
Procedures for preserving records of significant activity
4. ECU Healthcare Component must maintain the documentation of the review of such
systems for a minimum of six years.
5. Whenever possible, ECU workforce members should not monitor or review activity
related to their own user account.
VI. COORDINATING INSTRUCTIONS
1. All section policies, standards and procedures will be reviewed annually. Every
section policy, standards and procedure revision/replacement will be maintained for a
minimum of six years from the date of its creation or when it was last in effect,
whichever is later. Other East Carolina University, University of North Carolina
system, or state of North Carolina requirements may stipulate a longer retention.
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only. All other rights reserved
Page 2 of 2
Related documents
East Carolina University HIPAA Security Standards Subject:
East Carolina University HIPAA Security Standards Subject:
Policy Security #0012 - Audit Controls
Policy Security #0012 - Audit Controls
Standard Security #0005a - Security Reminders
Standard Security #0005a - Security Reminders
EAST CAROLINA UNIVERSITY HEALTH CARE COMPONENTS Request for Alternate Communication NOTICE TO PATIENT:
EAST CAROLINA UNIVERSITY HEALTH CARE COMPONENTS Request for Alternate Communication NOTICE TO PATIENT:
Policy Security #0001 - Security Management Process
Policy Security #0001 - Security Management Process
Standard Security #0007a - Data Backup Plan
Standard Security #0007a - Data Backup Plan
Standard Security #0006a - Response and Reporting
Standard Security #0006a - Response and Reporting
Document15457473 15457473
Document15457473 15457473
Student Financial Assistance Form
Student Financial Assistance Form
Standard Security #0008a - Contingency Operations
Standard Security #0008a - Contingency Operations
Standard Security #0008c - Access Control and Validation Procedure
Standard Security #0008c - Access Control and Validation Procedure
Standard Security #0007c - Emergency Mode Operation Plan
Standard Security #0007c - Emergency Mode Operation Plan
Standard Security #0005b - Protection From Malicious Software
Standard Security #0005b - Protection From Malicious Software
Standard Security #0003a - Authorization/Supervision
Standard Security #0003a - Authorization/Supervision
Download