Manual Audit Log Review Checklist
If you have read our previous posts on the five categories of healthcare privacy breaches and how to review audit logs, you understand the problem and the tool. What you need now is a process you can follow every time — a structured, repeatable checklist that takes you from raw audit data to confirmed findings.
That is what this post delivers.
Below is a four-step checklist for detecting privacy breaches in your EHR audit logs using Excel. Each step includes specific actions, Excel formulas, filter rules, and decision criteria. The checklist is designed to be printed, shared with your privacy team, and used as a working document during every review cycle.
Key Facts at a Glance
- This checklist covers all five privacy breach categories: curiosity snooping, personal relationship access, financially motivated breaches, malicious disclosure, and systemic/process failures.
- Each detection rule includes the specific Excel operation (sort, filter, pivot table, or formula) needed to surface the indicator.
- HIPAA requires audit log retention for six years with tamper-proof storage (Source: 45 CFR § 164.312(b)).
- Proactive audit review detects breaches weeks or months earlier than complaint-driven review (Source: Journal of AHIMA).
- The proposed 2025 HIPAA Security Rule update calls for measures that detect “suspicious activity or unusual patterns of data access” (Source: Federal Register, 2025-01-06).
- A mid-sized hospital generates millions of audit log events per month — targeted exports and structured analysis are essential (Source: Journal of AHIMA).
Step 1: Export Audit Logs in CSV or Excel Format
Before you can analyze anything, you need the data out of your EHR and into a format you can work with. This step produces the raw material for every detection rule that follows.
- Define the review scope. Decide what this review cycle covers: a specific date range, a specific department, a specific set of patients, or a specific set of users. Do not attempt a full unrestricted dump.
- Access your EHR’s audit reporting tool. In Epic, use Reporting Workbench to run an Access Log report. In Cerner, use Audit Vault or CCL audit queries. In MEDITECH, use the Audit Trail Report.
- Apply export filters. Set the date range, department, patient list, or user list you defined.
- Export as CSV. Select CSV (comma-separated values) as the output format.
- Verify the export includes required fields. User ID, User Role/Department, Patient ID, Action Type, Timestamp, Workstation/Device identifier, and Data Elements Accessed.
- Save the file securely. Store the export on an encrypted, access-controlled drive — not a shared desktop, personal device, or email attachment.
- Use a consistent folder structure such as Privacy_Audits/2026-04/, with subfolders for raw exports, working files, and final documentation.
Step 2: Open the Audit Logs in Excel and Prepare for Analysis
Raw CSV data is not analysis-ready. This step transforms it into a structured, filterable table with the helper columns you need for the detection rules in Step 3.
- Open the CSV in Excel. Format as a table (Ctrl+T) to activate filter arrows.
- Freeze the header row. View > Freeze Panes > Freeze Top Row.
- Add a “Date” helper column. Formula: =INT([@Timestamp]).
- Add a “Time of Day” helper column. Formula: =TEXT([@Timestamp],"HH:MM").
- Add an “After Hours?” flag column. Formula: =IF(OR(HOUR([@Timestamp])<6, HOUR([@Timestamp])>=21),"YES",""). Adjust the thresholds to match your organization’s business hours.
- Add a “Weekend?” flag column. Formula: =IF(OR(WEEKDAY([@Timestamp],2)=6, WEEKDAY([@Timestamp],2)=7),"YES","").
- Add a “High-Risk Action?” flag column. Formula: =IF(OR([@Action]="Print", [@Action]="Export", [@Action]="Download", [@Action]="Copy"),"YES","").
- Add an “On Care Team? (Y/N)” column. Leave this blank for now; you will populate it during Step 4.
- Add a “Flag / Notes” column. A free-text column for documenting observations.
Step 3: Analyze Audit Logs to Detect the Five Categories of Privacy Breaches
This is the core of the checklist. Each subsection targets one breach category with specific rules, Excel operations, and criteria for flagging suspicious events.
3A. Curiosity-Driven Snooping
| Rule | Excel Operation | What to Flag |
|---|---|---|
| 3A-1: Excess user count per patient | Filter by Patient ID. Create a pivot table: Rows = User Name, Values = Count. | Flag if the number of unique users exceeds the expected care team size significantly. |
| 3A-2: View-only access without documentation | Filter by Patient ID and a specific User. Check for “Edit” actions. | Flag users who only viewed the record without documenting a note, order, or clinical action. |
- Identify your VIP / high-profile patient list.
- Run Rule 3A-1 for each VIP patient.
- Run Rule 3A-2 — note view-only access.
- Record all flagged users with “3A — Curiosity snooping indicator.”
3B. Personal Relationship Access
| Rule | Excel Operation | What to Flag |
|---|---|---|
| 3B-1: Shared surname match | Use a formula to extract and compare last names, or use VLOOKUP against an employee list. | Flag any access where the employee and patient share a surname. |
| 3B-2: Self-access | Filter for rows where User ID = Patient ID. | Flag all self-access events. |
- Run Rule 3B-1 across the full export.
- Run Rule 3B-2 — document every instance.
- Record all flagged users with “3B — Relationship access indicator.”
3C. Financially Motivated Breaches
| Rule | Excel Operation | What to Flag |
|---|---|---|
| 3C-1: High-risk actions (print/export) | Filter the “High-Risk Action?” column for “YES.” | Flag every print, export, download, or copy event lacking a clear administrative purpose. |
| 3C-2: Off-hours data extraction | Combine filters: “High-Risk Action?” = YES, AND “After Hours?” = YES. | Flag all print/export actions occurring outside business hours. |
- Run Rule 3C-1 — review every print/export/copy action.
- Run Rule 3C-2 — list all off-hours extraction events.
- Record all flagged users with “3C — Financial breach indicator.”
3D & 3E. Malicious Disclosure and Systemic Breaches
| Rule | Excel Operation | What to Flag |
|---|---|---|
| 3D-1: HR-correlated access | Cross-reference User IDs involved in HR disputes against the audit log. | Flag access by an employee to the record of a party they are in dispute with. |
| 3E-1: Former employee access | Use VLOOKUP to match departing employee User IDs. Filter for access events after the departure date. | Flag any access by a user after their recorded departure date (de-provisioning failure). |
- Request HR conflict/grievance list — run Rule 3D-1.
- Request HR departure/transfer list — run Rule 3E-1 for post-departure access.
- Record all findings with “3D/3E Systemic/Malicious indicator.”
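The Step 2 helper flags (after hours, weekend, high-risk action) and four of the Step 3 rules (3A-1, 3B-2, 3C-2, 3E-1) expressed as a Python script over a constructed CSV export. This is an added example, not code from the original post or from RiskIntelligence; the column names, user and patient IDs, timestamps and the departure date are all made up for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample export (not real data). Columns mirror the required
# fields from Step 1; 2026-04-04 is a Saturday, so one row is a weekend event.
SAMPLE_CSV = """user_id,user_dept,patient_id,action,timestamp,workstation
u100,Oncology,p500,View,2026-04-02 09:15:00,ws1
u101,Billing,p500,View,2026-04-02 22:40:00,ws2
u102,ICU,p500,Export,2026-04-04 23:05:00,ws3
u103,ER,u103,View,2026-04-03 10:00:00,ws4
u104,HR,p501,View,2026-04-06 08:30:00,ws5
"""

AFTER_HOURS_END, AFTER_HOURS_START = 6, 21          # same thresholds as the Excel formula
HIGH_RISK_ACTIONS = {"Print", "Export", "Download", "Copy"}


def load_events(text):
    """Parse the export and add the Step 2 helper flags to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
        r["ts"] = ts
        r["after_hours"] = ts.hour < AFTER_HOURS_END or ts.hour >= AFTER_HOURS_START
        r["weekend"] = ts.weekday() >= 5                 # Saturday=5, Sunday=6
        r["high_risk"] = r["action"] in HIGH_RISK_ACTIONS
    return rows


def rule_3a1_user_count(rows, patient_id, expected_team_size):
    """3A-1: distinct users on one patient; flagged (list returned) only above the expected size."""
    users = {r["user_id"] for r in rows if r["patient_id"] == patient_id}
    return sorted(users) if len(users) > expected_team_size else []


def rule_3b2_self_access(rows):
    """3B-2: rows where the user accessed their own record (User ID = Patient ID)."""
    return [r for r in rows if r["user_id"] == r["patient_id"]]


def rule_3c2_offhours_extraction(rows):
    """3C-2: high-risk action AND after hours (the combined Excel filter)."""
    return [r for r in rows if r["high_risk"] and r["after_hours"]]


def rule_3e1_former_employee(rows, departures):
    """3E-1: departures maps user_id -> 'YYYY-MM-DD'; flag access after that date."""
    cutoff = {u: datetime.strptime(d, "%Y-%m-%d") for u, d in departures.items()}
    return [r for r in rows if r["user_id"] in cutoff and r["ts"] > cutoff[r["user_id"]]]
```

Each rule returns the flagged rows (or users) rather than printing them, so the results can be written straight into the “Flag / Notes” column of the working spreadsheet.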
Step 4: Verify the Privacy Breaches
Step 3 produced a list of flagged access events. This step determines which flags are genuine breaches and which have legitimate explanations.
1. Was the employee assigned to the patient’s care team at the time of access? Check assignment records or consult the charge nurse.
   - If yes: mark “On Care Team?” as Y, note the assignment type, and clear the flag.
2. Was the employee on shift and assigned to the relevant unit at the time of access? Cross-reference the timestamp against scheduling records.
3. Did the employee document a clinical note, enter an order, or perform any charting for this patient within a reasonable timeframe?
   - If the access was view-only with no corresponding documentation: this is the single strongest indicator of unauthorized access.
4. If Checks 1-3 did not establish a legitimate purpose, the event is a confirmed indicator requiring further action.
   - Escalate to your organization’s formal investigation process (e.g., employee interview, HR involvement).
   - Retain all documentation (the raw export, working spreadsheet, and verification notes) securely.
This Checklist Takes Hours. RiskIntelligence Privacy Monitor Runs It Continuously.
Every rule in this checklist — user count analysis, care team cross-referencing, volume outlier detection, after-hours flagging, former employee auditing — is something RiskIntelligence Privacy Monitor does automatically, continuously, across every department and every access event, in near real-time.
Move from monthly spreadsheets to continuous detection. See what Privacy Monitor can find in your audit logs.
© 2026 RiskIntelligence. All rights reserved.
