The Personal Health Information Protection Act (PHIPA) requires that access to health information be restricted on a need-to-know basis. To meet this requirement, Health Service Providers are required to have controls in place that regulate accesses, in the mean time, log all privacy related events/activities. Health Service Provider must establish processes to regularly review the privacy related events/activities. Audit logs also play an important role during breach investigations.
Different HSPs will have logs of varying technology and complexity, and the privacy officer should identify which logs may be useful when identifying a privacy breach, and develop a plan to review those logs. The privacy officer is accountable for ensuring that the log review is performed. If required, the privacy officer may choose to involve IT support or other staff to help perform this review in order to adhere to Health Service Providers internal operation requirements and procedures.