HIPAA Security Tip #35: Information System Activity Review

By Iseman Cunningham Riester & Hyde LLP

Under the final HIPAA Security Rule, Covered Entities must implement procedures to regularly review records of information system activity. This is a required standard and must be implemented by all covered entities.

This rule dovetails with other security standards, such as the requirement for audit controls, the requirement for monitoring log-in attempts, and the requirement for tracking and reporting security incidents. The information system activity review standard controls how and how often these reporting documents and information are reviewed.

There is, unfortunately, no universal recommendation for the scope and frequency of information system activity review. Logs and reports concerning applications with higher risk and/or higher criticality should be reviewed more often. Unusual failed login attempts, for example, should be detected and followed up on within days, not weeks. Lower risk applications, such as web browsing where firewalls and antivirus software are both present, may warrant a less frequent review. As a general rule, no process which merits logging should be reviewed less frequently than at 90-day intervals. Above all, ensure that the reviewers of the logs are different from the individuals whose activity is tracked by the logs. Otherwise, the review process is rendered ineffective.

Determining how long logs should be retained also raises some interesting questions. Some consultants will say that HIPAA requires retention of all logs for at least six years. That probably overstates the rule’s requirement. It is true that the final Security Rule includes a documentation retention requirement of six years. A careful reading, however, demonstrates that where a specific activity or assessment is required, only a record of the activity or assessment need be retained for six years. It is not necessary to retain all supporting documentation for the full period. If, for example, internet server logs are reviewed monthly, a contemporaneous record of the review (a checksheet, for example, initialed and dated upon review of the log) would suffice to be maintained for the six-year period, not necessarily the entire log itself.

How long the actual log should be maintained depends again on the criticality of the data tracked by the log, the organization’s overall risk analysis, and other factors such as redundancy, the robustness of other security measures, and the reasonableness of a shorter versus a longer retention period. On that last point, note that continuously falling prices for long term data storage make cost a shrinking factor even for small and mid-size organizations.
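The three practices described above (review frequency scaled to risk with a 90-day ceiling, a reviewer who does not appear in the log being reviewed, and a dated review record kept for six years independently of the log's own retention) can be encoded in a small review-tracking routine. The following is an added illustration written for this tip; it is not code from ICR&H or from any HIPAA guidance. The per-tier intervals other than the 90-day ceiling, the `key=value` log line format, the three-failure threshold, and all sample log lines are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed review intervals by risk tier (days). Only the 90-day ceiling comes
# from the tip; the 7- and 30-day tiers are this example's own choice.
MAX_INTERVAL_DAYS = {"high": 7, "medium": 30, "low": 90}
REVIEW_RECORD_RETENTION_YEARS = 6   # documentation retention period named in the tip

# Constructed sample log lines in an assumed "key=value" format.
SAMPLE_LOG = [
    "2004-03-01T08:00:01 app=ehr user=jdoe result=OK",
    "2004-03-01T08:00:05 app=ehr user=mallory result=FAIL",
    "2004-03-01T08:00:09 app=ehr user=mallory result=FAIL",
    "2004-03-01T08:00:14 app=ehr user=mallory result=FAIL",
    "2004-03-01T08:01:00 app=ehr user=asmith result=FAIL",
    "2004-03-01T08:01:30 app=ehr user=asmith result=OK",
]


@dataclass
class LogSource:
    name: str
    risk: str                 # "high", "medium" or "low"
    log_retention_days: int   # how long the raw log itself is kept (an organizational decision)
    last_reviewed: Optional[date] = None


@dataclass
class ReviewRecord:
    """The dated, attributed record of a review; this is what is kept six years."""
    source: str
    reviewer: str
    reviewed_on: date
    retain_record_until: date   # six-year documentation retention
    log_expires_on: date        # the log's own, usually shorter, retention


def add_years(d: date, years: int) -> date:
    # Step back one day when the source date is Feb 29 and the target year is not a leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=d.day - 1)


def review_interval(source: LogSource) -> int:
    """Days between reviews; unknown tiers fall back to the 90-day ceiling."""
    return min(MAX_INTERVAL_DAYS.get(source.risk, 90), 90)


def is_review_overdue(source: LogSource, today: date) -> bool:
    if source.last_reviewed is None:
        return True
    return (today - source.last_reviewed).days > review_interval(source)


def parse_line(line: str) -> Dict[str, str]:
    """Split a constructed 'key=value' log line into a field dictionary."""
    fields = {}
    for token in line.split()[1:]:   # token 0 is the timestamp
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def failed_logins_by_user(lines: List[str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for line in lines:
        f = parse_line(line)
        if f.get("result") == "FAIL":
            counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


def flag_unusual_failures(lines: List[str], threshold: int = 3) -> List[str]:
    """Users whose failed logins reach the (assumed) threshold; these need follow-up within days."""
    return sorted(u for u, n in failed_logins_by_user(lines).items() if n >= threshold)


def reviewer_is_independent(reviewer: str, lines: List[str]) -> bool:
    """True only if the reviewer's own activity is not in the log being reviewed."""
    return reviewer not in {parse_line(line).get("user") for line in lines}


def record_review(source: LogSource, reviewer: str, lines: List[str], today: date) -> ReviewRecord:
    if not reviewer_is_independent(reviewer, lines):
        raise ValueError(f"{reviewer} appears in {source.name}; assign a different reviewer")
    source.last_reviewed = today
    return ReviewRecord(
        source=source.name,
        reviewer=reviewer,
        reviewed_on=today,
        retain_record_until=add_years(today, REVIEW_RECORD_RETENTION_YEARS),
        log_expires_on=today + timedelta(days=source.log_retention_days),
    )


if __name__ == "__main__":
    ehr_auth = LogSource(name="ehr-auth", risk="high", log_retention_days=180)
    today = date(2004, 3, 1)
    print("overdue before first review:", is_review_overdue(ehr_auth, today))
    print("users to follow up:", flag_unusual_failures(SAMPLE_LOG))
    rec = record_review(ehr_auth, "auditor", SAMPLE_LOG, today)
    print(f"keep review record until {rec.retain_record_until}; log itself expires {rec.log_expires_on}")
```

The `ReviewRecord` carries two dates on purpose: the review record is retained for the six-year documentation period, while the log it attests to follows the shorter, risk-based retention the organization chose for that source. The independence check refuses to record a review by anyone whose activity appears in the log, which is the separation the tip calls essential.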



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.
