This entry is part 28 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

 (C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

Tell Me More:

The Log-in Monitoring implementation specification requires covered entities to implement procedures for monitoring log-in attempts and for reporting discrepancies. Because the specification is addressable rather than required, a covered entity must either implement it or document why it is not reasonable and appropriate and implement an equivalent alternative measure; addressable does not mean optional. Log-in monitoring can be done on an exception / alert basis and should be part of an overall Information System Activity Review program.

Individuals who have not been granted access to PHI and other sensitive information, e-mail, or critical systems and applications may try to gain access by using software to discover user identifications and passwords. Others may simply attempt to guess the passwords of particular users and so gain unauthorized entry to restricted applications, PHI, and e-mail accounts. Both patterns show up in the log-in records as bursts of failed attempts: many failures against one account, or one source trying many accounts in a short period.

To identify potential unauthorized access, intrusion attempts, or policy violations, you should monitor user access and prepare periodic reports for use in making security program adjustments. At a minimum, unsuccessful attempts to log into the network, into applications holding PHI and other sensitive information, or into other password-protected documents should be documented and reported. A successful log-in that follows a run of failures for the same account is a discrepancy worth reporting in its own right, since it may mean a guessed password.
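The following is an added example, not part of the original page, of what exception-based log-in monitoring looks like in practice. It parses a handful of constructed sample log lines (assumed to be in a Linux sshd syslog-style format; they are not real data), and applies three assumed rules: repeated failures against one account within a time window, one source failing against many distinct accounts (password spraying), and a successful log-in immediately after a burst of failures. The thresholds and window are assumptions and would be set and documented in the organization's own procedure.

```python
"""Exception-based log-in monitoring over sample authentication log lines.

Added example; not code from the original page. Log format, thresholds and
sample lines are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> sshd[pid]: Failed|Accepted password for <user> from <ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[101]: Accepted password for alice from 10.0.0.5
2024-03-01T08:01:10 sshd[102]: Failed password for bob from 203.0.113.7
2024-03-01T08:01:12 sshd[103]: Failed password for bob from 203.0.113.7
2024-03-01T08:01:15 sshd[104]: Failed password for bob from 203.0.113.7
2024-03-01T08:01:20 sshd[105]: Failed password for bob from 203.0.113.7
2024-03-01T08:01:25 sshd[106]: Failed password for bob from 203.0.113.7
2024-03-01T08:01:40 sshd[107]: Accepted password for bob from 203.0.113.7
2024-03-01T09:00:00 sshd[108]: Failed password for carol from 198.51.100.9
2024-03-01T09:00:03 sshd[109]: Failed password for dave from 198.51.100.9
2024-03-01T09:00:06 sshd[110]: Failed password for erin from 198.51.100.9
2024-03-01T09:00:09 sshd[111]: Failed password for frank from 198.51.100.9
2024-03-01T09:00:12 sshd[112]: Failed password for grace from 198.51.100.9
2024-03-01T12:30:00 sshd[113]: Failed password for alice from 10.0.0.5
2024-03-01T12:30:30 sshd[114]: Accepted password for alice from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumed thresholds: tune to the environment and record them in the procedure.
WINDOW = timedelta(minutes=10)
MAX_FAILURES_PER_USER = 5   # guessing one account's password
MAX_USERS_PER_SOURCE = 5    # one source trying many accounts (spraying)


def parse_log(text):
    """Return (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def find_discrepancies(events):
    """Apply the exception rules and return (rule, subject, detail) alerts in time order."""
    alerts = []
    failures_by_user = defaultdict(list)   # user -> timestamps of recent failures
    users_by_source = defaultdict(dict)    # ip -> {user: time of last failure}
    reported = set()                       # avoid re-alerting on every extra failure

    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            # Keep only failures inside the sliding window, then add this one.
            window = [t for t in failures_by_user[user] if ts - t <= WINDOW] + [ts]
            failures_by_user[user] = window
            if len(window) >= MAX_FAILURES_PER_USER and ("guess", user) not in reported:
                alerts.append(("repeated_failures", user,
                               f"{len(window)} failed log-ins within {WINDOW} from {ip}"))
                reported.add(("guess", user))

            users_by_source[ip][user] = ts
            recent = {u for u, t in users_by_source[ip].items() if ts - t <= WINDOW}
            if len(recent) >= MAX_USERS_PER_SOURCE and ("spray", ip) not in reported:
                alerts.append(("many_accounts_one_source", ip,
                               f"{len(recent)} distinct accounts failed from {ip}"))
                reported.add(("spray", ip))
        else:
            # A success right after a burst of failures is the discrepancy to report.
            recent_failures = [t for t in failures_by_user[user] if ts - t <= WINDOW]
            if len(recent_failures) >= MAX_FAILURES_PER_USER:
                alerts.append(("success_after_failures", user,
                               f"accepted log-in from {ip} after {len(recent_failures)} failures"))
            failures_by_user[user] = []    # a success resets that account's failure run
    return alerts


def report(text):
    """Parse the log text, print one line per alert, and return the alerts."""
    alerts = find_discrepancies(parse_log(text))
    for rule, subject, detail in alerts:
        print(f"[{rule}] {subject}: {detail}")
    return alerts


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against the sample, the script reports three discrepancies: five failures against bob, bob's subsequent successful log-in, and five different accounts failing from 198.51.100.9. Alice's single failure followed by a success is below threshold and produces nothing, which is the point of working on an exception basis: the periodic report lists what needs a human to look at it rather than every log-in.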

Questions to consider:

  • Does the organization track all system and application log-ins? Such tracking will allow the organization to know who is accessing ePHI as well as who is attempting to access ePHI.
  • Does the organization review the login reports (manually or using an automated system) to identify potential security problems? Are potential problems addressed? Incidents should be identified and corrective action taken as appropriate.

