Information System Activity Review Clause Samples

The Information System Activity Review clause establishes the requirement for regular monitoring and assessment of activities within an organization's information systems. Typically, this involves reviewing logs, access records, and system usage to detect unauthorized access, unusual patterns, or potential security incidents. By mandating such reviews, the clause helps organizations identify and respond to security threats promptly, thereby reducing the risk of data breaches and ensuring compliance with relevant security policies and regulations.
Information System Activity Review. Business Associate will regularly capture and review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Business Associate will employ Security Event and Incident Monitoring (▇▇▇▇) technology such as intrusion detection and prevention systems on IT systems that create, receive, transmit, transact, or store PHI and will review and analyze activity records for indications of inappropriate or unusual activities daily. Business Associate will retain the activity logs for a minimum of six (6) years. Business Associate shall make such logs available to ▇▇▇▇▇▇, upon request, as ▇▇▇▇▇▇ reasonably determines is necessary to investigate a potential unauthorized Use or Disclosure.
Information System Activity Review. 1. ISU shall provide HHS with documentation of implementation of its policies and procedures regarding information system activity review across all of its covered health care component clinics. ISU shall provide the documentation to HHS within 60 days of the Effective Date for review and approval. 2. Upon receiving any required changes to such implementation from HHS, ISU shall have 30 days to revise its implementation strategy and provide it to HHS for review and approval. ISU shall provide documentation of implementation, including any applicable training, within 30 days of receipt of HHS’ approval.
Information System Activity Review. The Company will appropriately review activity in ePHI-containing applications and/or systems in order to limit ePHI access to authorized purposes, including auditing and oversight tools permitting review of suspicious or unusual activity and vulnerabilities and adequate and prompt notice to the Security Officer.
Information System Activity Review. GCHD will implement procedures to regularly review records of information system activity. a. Audit Logs. GCHD will create audit logs which will record activities related to access of the GCHD system by its users. Audit logs will be reviewed on an ongoing basis by the Security Officer or designee.
Information System Activity Review. Section 164.308(a)(1)(ii)(D) of the rule states: “Covered entities will implement procedures to regularly review records of the information systems activity, such as audit logs, access reports, and security incident tracking reports”. MCC has implemented the following procedures to address these requirements: The IS Director will ensure that information system activity logs are implemented and maintained for all applications that process ePHI on MCC computers. The IS Director will assign a person(s) to conduct quarterly reviews of the MCC information systems’ activity logs, this activity may entail the use of an outside entity if desired. Selected reviewer(s) must have the appropriate technical skills and authorized access to enable them to interpret the audit logs correctly. The designated reviewer(s) will prepare reports to summarize their reviews. The report will include the reviewer’s name, date and time of the review, application or process reviewed, and any significant findings, and describing any events that require additional action (incident reporting). Reviewers will look at system/application logs to identify events such as multiple failed login attempts, patient file accesses, and unauthorized access attempts. Based on the periodic reviews, the IS Director may implement new procedures or technologies to improve the security management process. As necessary, the Security Officer, in conjunction with the IS Director, will make modifications or additions to the policies implemented to protect ePHI on MCC computer systems.
Effective Date: January 1, 2005 45 CFR §164.308(a)(3) of the Security standards states “a covered entity must implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section [Information Access Management], and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.” To establish the Medical Center Clinic’s (MCC) Workforce Security policies, including the required subordinate implementation specifications of authorization and/or supervision, workforce clearance procedures, and termination procedures. MCC is committed to maintaining formal procedures to ensure that all workforce members whose jobs require access to electronic protected health information (ePHI) have the appropria...