As a covered entity or business associate, the Health Insurance Portability and Accountability Act (HIPAA) requires your organization establish procedures and controls to secure electronic protected health information (ePHI).
HIPAA’s Security Rule dictates that if you handle ePHI, your organization must implement administrative safeguards to establish and maintain ePHI security. HIPAA 45 C.F.R. §164.308(a)(1)(ii)(D), for example, requires information system activity reviews to routinely analyze information system activity records including (but not limited to):
- Audit logs
- Access reports
- Security incident tracking reports