The HIPAA Security Officer (HR, Nurse, IT, etc) will oversee the names of current authorized users. They will review reports to identify users that may still have access to ePHI but are either no longer with the organization or have a business relationship requiring access. Determine if generic accounts are used which do not support logging individual’s access to ePHI.
164.308(a)(1)(ii)(D): Security Management Process – “ Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
Policy: We will clearly identify all critical systems that process ePHI. We will implement security procedures to regularly review the records of information system activity on all such critical systems that process ePHI.
The information that will be maintained in audit logs and access reports including security incident tracking reports must include as much as possible of the following, as reasonable and appropriate:
- User IDs
- Dates and times of log-on and log-off
- Terminal identity, IP address and/or location, if possible
- Records of successful and rejected system access attempts
Safeguards must be deployed to protect against unauthorized changes and operational problems including:
- The logging facility being deactivated
- Alterations to the message types that are recorded
- Log files being edited or deleted
- Log file media becoming exhausted, and either failing to record events or overwriting itself
Procedure: Our HIPAA Security Officer will oversee the names of current authorized users- Review reports to identify users that may still have access to ePHI but are either no longer with the organization or have a business relationship requiring access. Determine if generic accounts are used which do not support logging individual’s access to ePHI.
Review the Active Directory User List with HR to validate that all users are still employed. Check access to other systems requiring authentication, including the EHR system, PACS, online systems with partners, labs, and any device or entity that stores ePHI. Verify that any vendors or subcontractors still need access.