A new requirement (one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009) will have business associates of covered entities required to comply with the Security Rule safeguard standards, beginning February 17, 2010.
from the article:
Covered entities are required to have in place audit controls to(emphasis added)
monitor activity on their electronic systems that contain or use electronic protected health information. In addition, they have to have a policy in place for regularly monitoring and reviewing of audit records to ensure that activity on those electronic systems is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits, and any security incidents.
Monitoring and review of audit trails must be as close to real time as possible to be useful. There is no benefit in discovering a problem days or weeks after it has occurred. How a covered entity sets its policies and procedures will be based on outcomes of the covered entity’s risk analysis. If a security incident occurs, failure to exercise this audit control standard may be proof in an inquiry that a covered entity had the capability of knowing what was occurring, but failed to exercise timely corrective action.
Interesting. I need to track down the source docs to see what's real and what is interpretation.