The purpose of the Information System Activity Review Policy is:
- To determine if any electronic confidential information is being used or disclosed in an inappropriate manner.
- To develop policies to monitor and control access to the business’ electronic systems.
Procedure: The management team or its designated representative has the right to audit all methods and tools used to handle information or communication within or with outside persons. At the same time, all employees, agents and contractors have the right to report improper behavior to any member of the management team.
- The Security Manager or its designated representative shall implement and maintain a tracking mechanism to assess the confidentiality of information and ensure compliance with Security policies.
- Security Manager will perform a random quarterly audit of patient care/employee information users in designated areas.
- The selection of the area to be audited will primarily be high risk, high volume and/or problem areas. However, all areas will be subject to audit at least annually.
- Security Manager’s audit reports will be reported to Office Manager/Administrator.
- Reports of suspected or confirmed breach of confidentiality shall follow the procedures dictated by the Risk Management and Sanction Policies.
- The Security Manager shall track the following events during the audit:
- Logins and logouts, successful and unsuccessful.
- Number of files and sessions opened per Individuals.
- Files opened, actions taken and authorization of Individuals.
- Terminals used to access files and type of files.
