What does Information System Activity Review mean?

The HIPAA Security Rule requires you to monitor user activity that accesses ePHI. The type of “Information System” you use determines how you review the activity.

The Office for Civil Rights (the agency that enforces HIPAA) requires organizations to make the best efforts to secure their data. This means you must monitor users to ensure data is not being accessed improperly, altered, or compromised.

If you utilize a server-based EHR or have ePHI located on a local server, your MSP (Managed Service Provider) may be able to provide you with “connection logs”. Although this is not the BEST report, it shows the normal routine of an employee, and it demonstrates the "login monitoring". When using this report, someone must LOOK at it and review it for abnormal activity, such as too many failed logins or logins outside of normal business hours. Aris recommends highlighting the abnormalities and making a note at the bottom of the spreadsheet.

Example: Sally worked late, or Betty's failed logins were verified. Small practices can manage this; larger ones should hire an outside company. Some MSPs may offer this service.

Then you may upload this report under the “Uploads” tab and file it under “IT reports”.

When naming your files, we suggest starting with the year, the month, and a brief description. This will keep your reports in chronological order.

Example: 2022 05 Connection log.
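A scripted first pass over a connection log, as an added example that is not part of the original article: it flags the two abnormalities named above (too many failed logins, logins outside business hours) so a person can review and annotate them. The column names, business hours, failure threshold and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time

# Assumed policy values; set them to the practice's own hours and tolerance.
OPEN, CLOSE = time(8, 0), time(18, 0)
MAX_FAILED_PER_DAY = 3

# Constructed sample rows; a real MSP export will have its own column names.
SAMPLE_LOG = """timestamp,user,result
2022-05-02 08:58:10,sally,success
2022-05-02 19:42:31,sally,success
2022-05-03 09:01:12,betty,failure
2022-05-03 09:01:40,betty,failure
2022-05-03 09:02:05,betty,failure
2022-05-03 09:02:44,betty,failure
2022-05-03 09:03:30,betty,success
2022-05-07 10:15:00,tom,success
"""

def review(log_text):
    """Return (timestamp, user, reason) rows that a reviewer should look at."""
    flagged = []
    failures = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        user = row["user"]
        if row["result"] == "failure":
            failures[(user, when.date())] += 1
            # Flag once, at the attempt that crosses the daily threshold.
            if failures[(user, when.date())] == MAX_FAILED_PER_DAY + 1:
                flagged.append((row["timestamp"], user, "too many failed logins"))
        # Weekends (Saturday=5, Sunday=6) and off-hours attempts are both flagged.
        if when.weekday() >= 5 or not (OPEN <= when.time() < CLOSE):
            flagged.append((row["timestamp"], user, "login outside business hours"))
    return flagged

def report_name(month_start):
    """File name in the year, month, description order suggested above."""
    return month_start.strftime("%Y %m") + " Connection log"

if __name__ == "__main__":
    for ts, user, reason in review(SAMPLE_LOG):
        print(f"{ts}  {user:<6} {reason}  | reviewer note: ________")
    print(report_name(datetime(2022, 5, 1)))
```

The script only narrows down what to look at; each flagged row still needs the reviewer's note before the report is filed.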


The best system to review is where your ePHI is stored, such as your EHR or PM software. This is where you can monitor when a person logs in, what a user does when they are in the system, and the level of access to ePHI they have been granted (authorization/supervision). This is the ideal "monitoring" method. Where these reports are located varies by EHR. They may be located under Reports, User Activity, or Access logs, to name a few. Most MSPs do not have this capability. This will be up to the HIPAA Compliance Officer to review. This can be very time-consuming!


Aris works with a company that has created an interface with many EHRs to automatically monitor user activity. It is designed to alert the HIPAA Compliance Officer when abnormal behavior has been detected. It is amazing, but there is a cost to using it. If you are interested in learning more, you may contact support@arismedicalsolutions.com.

