Revenue Cycle

Security Q&A: Audit logs, photographs, and video conferencing

Strategies for Health Care Compliance, April 1, 2015

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Strategies for Health Care Compliance.

Q: As part of the audit controls policy at my organization, we hired an external security vendor to collect and review logs from several critical servers. The vendor creates tickets for our IT staff when a potential incident is discovered during the daily log review. This supplements our own activity reviews of internally generated reports, and the vendor then uses them for its own review. Our internal staff never sees the reports the vendor uses for its review. Do the reports the vendor uses fall under the HIPAA requirement for retaining logs for six years? Should we compel the vendor to retain these reports?

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Strategies for Health Care Compliance.

Most Popular