Audit logs are sometimes called access logs. They are located in a variety of places, depending on the type of system you use.
If you have a server configured as a domain controller, you may be able to request access logs from your IT vendor. These reports will show who signed in to which area of the system, along with a date/time. Some reports also include IP addresses, which help determine whether access came from outside the organization.
All EHRs (electronic health records software) provide some type of access logs as well. Most systems offer a variety of reports and you will need to review them to better understand which one best suits your needs.
HIPAA requires that you understand what an employee typically does during the course of their work day so you can monitor for abnormal behavior. You are also required to watch for intrusions from outside your organization. This is a very time-consuming task and we recommend outsourcing it. See Step 7 - Resource Partners.
If you choose to review in-house, forms for documentation are located under Step 4 - Information System Activity Review. You may then document your processes by going to the Uploads tab of your Profile page and adding your documents under Misc. HIPAA Documentation.
Look for as many of the following items as possible:
- User ID.
- IP address.
- What function are they performing? Are they permitted to perform these functions based on their job description?
- Is their level of access to protected health information (PHI) based on their job function?
- How many patient records are accessed?
- Are they working outside of normal business hours? If so, are they permitted to do so?
Based on your business model, these items may differ slightly.
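The checklist above can be applied to an exported access log with a short script. The following Python is an added example, not part of the original page or of any EHR vendor's tooling; the CSV column names, the sample rows, the permitted-function map, the 08:00 to 18:00 business hours, the 10.0.0.0/8 internal network and the record threshold are all assumptions to replace with your own.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample export; real domain controller or EHR reports use other columns.
SAMPLE_LOG = """timestamp,user_id,ip,function,patient_id
2024-03-04T09:15:00,jdoe,10.0.0.21,view_chart,P001
2024-03-04T09:40:00,jdoe,10.0.0.21,view_chart,P002
2024-03-04T23:10:00,jdoe,10.0.0.21,view_chart,P003
2024-03-04T10:05:00,asmith,203.0.113.7,view_chart,P004
2024-03-04T11:00:00,asmith,10.0.0.30,export_records,P004
2024-03-04T11:30:00,bnurse,10.0.0.44,view_chart,P005
"""

# Assumed policy inputs, derived from job descriptions in a real review.
PERMITTED = {"jdoe": {"view_chart"}, "asmith": {"view_chart"}, "bnurse": {"view_chart"}}
AFTER_HOURS_OK = {"bnurse"}                      # staff approved to work late
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BUSINESS_HOURS = range(8, 18)                    # 08:00 through 17:59
MAX_RECORDS_PER_DAY = 2                          # low on purpose for the sample


def review(log_text):
    """Return (user, finding, detail) tuples for each checklist item that trips."""
    findings = []
    patients_seen = defaultdict(set)             # (user, date) -> patient ids
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user = row["user_id"]
        if ipaddress.ip_address(row["ip"]) not in INTERNAL_NET:
            findings.append((user, "external_ip", row["ip"]))
        if row["function"] not in PERMITTED.get(user, set()):
            findings.append((user, "function_not_permitted", row["function"]))
        off_hours = ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5
        if off_hours and user not in AFTER_HOURS_OK:
            findings.append((user, "after_hours", row["timestamp"]))
        patients_seen[(user, ts.date())].add(row["patient_id"])
    for (user, day), patients in patients_seen.items():
        if len(patients) > MAX_RECORDS_PER_DAY:
            findings.append((user, "record_volume", f"{len(patients)} on {day}"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Each finding is a prompt for follow-up and documentation, not proof of a violation; an unknown user ID also surfaces as function_not_permitted because it has no entry in the map.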