What are audit logs and why do I need them?

Audit logs are sometimes called access logs. They are located in a variety of places, depending on the type of system you use.

If you have a server configured as a domain controller, you may be able to request access logs from your IT vendor. These reports will show who signed in to which area of the system, along with a date/time. Some reports also include IP addresses which are helpful in determining if access was from outside the organization.

All EHRs (electronic health records software) provide some type of access logs as well. Most systems offer a variety of reports and you will need to review them to better understand which one best suits your needs.

What is required under HIPAA is that you understand what an employee typically does during the course of their work day so you can monitor for abnormal behavior. You are also required to watch for intrusions from outside your organization. This is a very time consuming task and we recommend outsourcing this. See Step 7 - Resource Partners. 

If you choose to review in house, forms for documentation are located under Step 4. Information System Activity Review. Then you may document your processes by going to your Profile page, Uploads tab, add your documents under Misc. HIPAA Documentation.

Look for as many of the following items as possible:

  • User ID.
  • Date/time.
  • IP address.
  • What function are they performing, are they permitted to do these functions based on their job description?
  • Is there level of access to protected health information (PHI) based on their job function?
  • How many patient records are accessed?
  • Are they working outside of normal business hours, if so are they permitted to do so?

Based on your business model, these items may differ slightly.

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How to add to the Uploads Tab?

This is where you may upload reports you receive from your IT vendors, OIG (Office of Inspector...

What is a risk analysis and risk management plan and why do I need them?

The HIPAA Security Rule requires organizations to conduct a system wide risk analysis and then...

What type of reports do I need from my IT vendor?

Monthly reports from your IT company will depend on the system they use. Here are some examples...

How to access the HIPAA compliance system?

Instructions on log-in and profile Each time you log-in, you will be taken to the billing side...

How to add the inventory list?

Inventory tab is located on your Profile page. You will have a choice of entering the...