HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



HIPAA Q&A: Information system review audits

Email This Post Print This Post

questionSubmit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements—other than to perform audits—that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?

A: There are no specific HIPAA Privacy Rule requirements related to privacy audits. The rule does require organizations to implement administrative, physical, and technical safeguards to protect PHI no matter the form. The Privacy Rule does not give specifics, so it’s a good idea to implement similar safeguards as the HIPAA Security Rule requires. This would include monitoring logs of access to PHI such as logs generated by ­EHRs and picture archiving and communication systems.

Information system activity review audits are just one of the four audit activities that covered entities (CE) should undertake to comply with the HIPAA Security Rule and, by default, the HIPAA Privacy Rule. Information systems activity review audits focus on firewall activity, patches applied to applications, data loss prevention report reviews, and so forth. Generally, these audits do not involve determining whether patient records are being accessed appropriately.

CEs and business associates should also review user login audit logs to check for repeated failed login attempts and to verify employees are not accessing systems or data at times when they are off work and have no valid reason to access systems.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Leave a Reply