§164.312(b) High Severity HIPAA US Federal

HIPAA Security Rule — Audit Controls

Enforced by: HHS OCR (US)
Current as of March 26, 2013
Plain Language Summary
Organizations must log and monitor access to ePHI systems. Audit logs must be reviewed regularly, not just collected. Many OCR settlements involve a lack of access auditing.

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Audit logs must be maintained, reviewed on a regular basis, and retained for a period of time sufficient to support the organization's business and security requirements.