HIPA-21

Does the application log record access including specific user, date/time of access, and originating IP or device?

Explanation

This question is asking whether your application maintains detailed access logs that capture who accessed the system, when they accessed it, and from where. Specifically, it wants to know if your logs record:

1. The specific user identity (who accessed the system)
2. Date and time of access (when they accessed it)
3. The originating IP address or device information (where they accessed it from)

This question is being asked because HIPAA (Health Insurance Portability and Accountability Act) requires covered entities and business associates to implement technical safeguards that record and examine activity in systems that contain electronic protected health information (ePHI). These audit controls are mandated by the HIPAA Security Rule (45 CFR § 164.312(b)).

Detailed access logging serves several critical security purposes:

- It creates accountability by tracking who accessed what information and when
- It helps detect unauthorized access attempts or suspicious patterns
- It provides an audit trail for investigating security incidents
- It helps demonstrate compliance during audits or investigations

To best answer this question, you should:

1. Confirm whether your application logs all three required elements (user identity, date/time, and originating IP/device)
2. Briefly describe how these logs are captured, stored, and protected
3. Mention any log retention policies that align with HIPAA requirements (typically 6 years)
4. Note any additional relevant logging features, such as immutability or centralized log management

If your application doesn't fully meet these requirements, be honest about the gaps and describe any compensating controls or plans to address the deficiencies.
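As an added illustration (not part of the questionnaire or any vendor's product), the following Python sketch shows the shape of an access-log record that carries the three elements this question asks about (user identity, UTC timestamp, originating IP and device), a check that flags records which log only a role instead of a user, and a simple hash chain so that after-the-fact edits to stored entries are detectable. All names, IPs and sample values are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# The three elements HIPA-21 asks about, plus device as the "or device" half
REQUIRED_FIELDS = ("user_id", "timestamp_utc", "source_ip", "device")
GENESIS_HASH = "0" * 64


def _digest(body):
    # Canonical JSON (sorted keys) so verification recomputes the same hash
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_entry(user_id, source_ip, device, action, resource, prev_hash, when=None):
    """Build one access-log record linked to the previous record's hash."""
    ts = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = {"user_id": user_id, "timestamp_utc": ts, "source_ip": source_ip,
            "device": device, "action": action, "resource": resource,
            "prev_hash": prev_hash}
    return {**body, "hash": _digest(body)}


def missing_fields(entry):
    """Required fields the entry lacks; an empty tuple means it is complete."""
    return tuple(f for f in REQUIRED_FIELDS if not entry.get(f))


def verify_chain(entries):
    """Recheck every hash and link; return index of first bad entry, or -1 if intact.
    Note: a plain hash chain only detects edits by someone who cannot re-chain the
    whole log; pair it with a keyed MAC or an external anchor for stronger guarantees."""
    prev = GENESIS_HASH
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev_hash") != prev or entry.get("hash") != _digest(body):
            return i
        prev = entry["hash"]
    return -1


def demo_log():
    """Constructed sample: two well-formed records for the same patient resource."""
    t0 = datetime(2024, 3, 1, 14, 5, 9, tzinfo=timezone.utc)
    e1 = make_entry("jsmith", "203.0.113.7", "Chrome 122 / Windows 11",
                    "view", "patient/1042", GENESIS_HASH, t0)
    e2 = make_entry("rlee", "198.51.100.22", "iOS 17 app",
                    "update", "patient/1042", e1["hash"], t0)
    return [e1, e2]
```

The role-only record in the test below mirrors the gap described in Example Response 3: a date/time and IP are present, but no specific user identity.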

Guidance

Refer to HIPAA regulations documentation for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our application maintains comprehensive access logs that capture all required elements. Each time a user accesses the system, we record the authenticated username, precise timestamp (date and time to the second in UTC format), and the originating IP address. Additionally, we capture the device type, browser information, and session identifiers. These logs are stored in a separate, secured database with write-only access during normal operations, and they cannot be modified by regular users or administrators. All logs are retained for a minimum of 6 years in compliance with HIPAA retention requirements. Our logging system also generates alerts for suspicious access patterns, such as access from unusual locations or outside normal business hours.

Example Response 2

Yes, our application implements robust access logging as required by HIPAA. Our logging system captures the unique user ID of the authenticated user, timestamp information (including date, time, and timezone), and the originating IP address and device fingerprint. These logs are centrally collected using our SIEM (Security Information and Event Management) platform, which provides real-time monitoring and alerting capabilities. The logs are stored in an encrypted format and are retained for 7 years to exceed HIPAA's 6-year retention requirement. We also maintain a chain of custody for all logs, and any access to the logs themselves is also logged to prevent tampering. Regular log reviews are conducted as part of our security operations procedures.

Example Response 3

No, our application currently has partial logging capabilities that don't fully meet HIPAA requirements. While we do record the date and time of access, our system only logs generic user roles (e.g., 'administrator', 'physician') rather than specific user identities. Additionally, we don't consistently capture originating IP addresses or device information. We recognize this as a compliance gap and have scheduled development work to enhance our logging capabilities in the next quarter. In the interim, we have implemented compensating controls including enhanced network-level logging through our firewall and VPN solutions, which do capture IP addresses and can be correlated with application access. We're also conducting more frequent manual access reviews until the automated logging is fully implemented.

Context

Tab: Case-Specific
Category: HIPAA Compliance

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub