The IT department/vendor should be sending the HIPAA Compliance Officer monthly reports regarding the status of your network or the services they are providing. These do not need to be printed and may be stored digitally. If your IT department does not send any reports, the HIPAA Compliance Officer must know where these reports are located.
The names of the monthly reports will depend on the system your IT department or vendor uses. Some reports include the IP address, username, time stamp, and/or which part of the system was accessed. These reports are usually generated by a server, although some may be generated by a firewall device. Unless the firewall is locked down to specific sites only, firewall reports can be difficult to manage. Most of our clients monitor logs from their EHR, or whatever program they use to store patient data.
Here are some examples of reports to request:
Access or Connection logs
Asset management summary
Device health report
Network audit report
Software list
Monthly IT reports will help you document your “recognized security practices”. These reports can be added under Uploads on your Profile page. Click “Add New”, then select IT Reports from the drop-down menu. When naming your files, be sure to start with the year, then month and date. This will ensure your reports are in chronological order.
For example:
23 0601 Access logs
23 0601 Network audit report