Workflow

Making EMR Audit Log Review a Routine

Set a fixed monthly slot, review a defined set of high-signal reports — break-glass access, VIP and employee-record access, after-hours activity, records accessed by users with no care relationship, and failed logins — and write down that you did it and what you found. Audit logs that are collected but never examined satisfy nothing: recording activity and reviewing activity are two separate obligations under the HIPAA Security Rule, and practices routinely meet the first while quietly failing the second.

The short answer

The purpose of a log review routine is not to catch a villain. It is to make inappropriate access discoverable, and to make staff aware that it is discoverable — which is most of the deterrent. A small practice does not need a security operations center. It needs one person, ninety minutes a month, a short list of reports, and a habit.

These are two requirements, not one

45 CFR 164.312(b) — Audit controls. A standard requiring you to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." This is the logging capability. Any modern EMR provides it; confirm it is switched on and retaining data for a useful period.

45 CFR 164.308(a)(1)(ii)(D) — Information system activity review. A required implementation specification — not addressable — to "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."

Read them together and the position is clear. Turning on logging is not the control. Regularly reviewing what it produces is the control — required, and the one nobody does. When practices are surprised in an audit, this is very often the finding.

What to actually look at

Do not attempt to read the log. Nobody reads the log. Run a small number of targeted reports where a hit is meaningful.

ReportWhat it surfacesCadence
Break-glass / emergency access eventsEvery override of normal access controls. Each one should be explainable.Monthly, all events
Employee and family-member records accessedStaff looking at their own chart, a colleague's, or a relative's. The most common real finding.Monthly
High-profile or flagged patientsLocal notables, staff, anyone flagged. Curiosity-driven access clusters here.Monthly
Access with no care relationshipUsers who opened a chart with no appointment, order, or assignment connecting them to it.Monthly, sampled
After-hours and weekend activityLegitimate in many practices — baseline it first, then look at outliers.Monthly
Failed login attemptsCredential stuffing, a stale shared password, a locked-out user nobody helped.Monthly
Bulk exports, prints, and downloadsLarge extracts of patient data. Rare, always worth a question.Monthly, all events
Permission changes and new admin accountsWho granted whom elevated rights, and why.Monthly

A monthly routine that survives contact with a clinic

  1. Fix the date. Same day every month, on a calendar, with a named owner and a named backup. A routine without an owner is an intention.
  2. Pull the standing reports. If your EMR can schedule and email them, schedule them — report-generation friction is the most common reason a review quietly stops happening.
  3. Triage into two buckets: explained and unexplained. Most rows are explained within seconds by someone who knows the clinic. That local knowledge is the scarce resource, which is why the reviewer should not be a pure outsider.
  4. Chase the unexplained ones. Ask the user, neutrally: "I'm doing the monthly access review, can you tell me about this one?" Most have a good answer.
  5. Escalate what remains to whoever owns security, under your incident procedure.
  6. Write it down. Date, reviewer, reports run, items examined, findings, actions. One page.
Baseline before you judge. Your first reviews will surface activity that looks alarming and is entirely normal — a physician charting at 11pm, an MA opening charts for tomorrow's schedule. Learn the shape of normal first. A routine that cries wolf for three months is abandoned in the fourth.

Reviewing break-glass access

Emergency access deserves specific attention because it is the one control designed to be bypassed. The Security Rule requires an emergency access procedure at 45 CFR 164.312(a)(2)(ii) — a required specification — obliging you to establish, and implement as needed, procedures for obtaining necessary electronic protected health information during an emergency. Most EMRs implement this as break-glass: a user asserts an emergency, gets access outside their normal permissions, and the system records it loudly.

The design intent is that break-glass is easy to use and impossible to hide. Make it hard to invoke and clinicians will work around it in an emergency, which is worse than the risk it was protecting against. Make it easy to invoke and never review the events, and you have built an unmonitored bypass of every access control in the system.

So: every break-glass event gets looked at, every month, with no sampling. For each, ask whether the emergency was real, whether the user had an alternative, and whether the access was proportionate. A practice with break-glass events nobody can explain has a configuration problem, a training problem, or both — better found during a routine review than during an investigation.

What a real finding looks like

Set expectations correctly, because a review that never finds anything gets defunded. The recurring findings are mundane: a staff member looking at their own chart because it is faster than the portal; a nurse checking a family member's results with good intentions; a user whose role changed six months ago still holding old permissions; a service account with far more access than its integration needs; a break-glass invoked because the correct permission was never granted.

Almost none of this is malice. Most are process defects wearing a security costume — which is why the output of a review should usually be a fix to provisioning, training, or configuration rather than a sanction. Your sanction policy is required under 45 CFR 164.308(a)(1)(ii)(C) and must be applied consistently; but if every finding ends in discipline and none in a fixed process, you are treating symptoms.

Documenting the review

The documentation is the only durable evidence that the required review actually occurred. Keep it to one page a month, and keep every page: date, reviewer, and period covered; which reports were run; how many events were examined and how they were selected; findings, with what was asked and what was concluded; actions taken, with owners and dates; and anything escalated, and to whom.

Twelve of those pages is a year of demonstrated practice — and the fastest way for whoever inherits the job to learn what normal looks like in your clinic.

Configuring the logs before you need them

Three configuration questions to settle now rather than during an incident. Retention: how long does your EMR keep audit data, and is that long enough to investigate something discovered months later? Completeness: does it log views, or only edits? A log that records changes but not reads cannot answer the question you will actually be asked, which is "who looked at this chart?" Exportability: can you get the audit data out in a usable format, or only view it through a slow on-screen report?

Ask your vendor all three in writing. The answers determine whether a review routine is even possible, and they are far cheaper to discover today than on the day you must reconstruct who accessed one record over an eight-month window.

The takeaway

Recording activity is the easy half, and everyone has done it. Reviewing it is the required half that almost nobody does — and it is not hard: a calendar entry, a handful of reports, one page of notes a month. Start with break-glass and employee-record access, because that is where the real findings are. Then keep going, so that the first time you look at your audit logs is not the first time someone asks you to.

Common questions

Does HIPAA require us to review audit logs?

Yes. Beyond the audit controls standard at 45 CFR 164.312(b), the information system activity review at 45 CFR 164.308(a)(1)(ii)(D) is a required implementation specification obliging you to implement procedures to regularly review records of information system activity, such as audit logs and access reports.

How often should we review EMR audit logs?

The rule says "regularly" without setting a frequency, so you define it and then keep to it. Monthly is a workable cadence for most practices, with all break-glass events reviewed and other categories sampled.

What is break-glass access?

It is emergency access that lets a user obtain records outside their normal permissions, with the event conspicuously logged. It implements the emergency access procedure required at 45 CFR 164.312(a)(2)(ii), and every event should be reviewed afterward.

What is the most common finding in an EMR access review?

Workforce members viewing their own record or a family member's. It is usually well-intentioned rather than malicious, but it is still inappropriate access, and it is the reason a routine review catches things a policy alone never will.

Common questions

Does HIPAA require us to review audit logs?

Yes. Beyond the audit controls standard at 45 CFR 164.312(b), the information system activity review at 45 CFR 164.308(a)(1)(ii)(D) is a required implementation specification obliging you to implement procedures to regularly review records of information system activity, such as audit logs and access reports.

How often should we review EMR audit logs?

The rule says "regularly" without setting a frequency, so you define it and then keep to it. Monthly is a workable cadence for most practices, with all break-glass events reviewed and other categories sampled.

What is break-glass access?

It is emergency access that lets a user obtain records outside their normal permissions, with the event conspicuously logged. It implements the emergency access procedure required at 45 CFR 164.312(a)(2)(ii), and every event should be reviewed afterward.

What is the most common finding in an EMR access review?

Workforce members viewing their own record or a family member's. It is usually well-intentioned rather than malicious, but it is still inappropriate access, and it is the reason a routine review catches things a policy alone never will.