In today’s modern healthcare system, patients don’t just entrust their care providers with their health — but an abundance of sensitive personal data as well. This data can include anything from contact details to payment information and medical records, which in the hands of bad actors, can lead to identity theft and fraud. 

One of the central goals of the Health Insurance Portability and Accountability Act (HIPAA) is to improve the security and confidentiality of patient health records.

HIPAA regulations require covered entities and business associates to maintain the security and privacy of patient data, which includes tracking information system activity and monitoring who accesses patient records, when, and how. This tracking is done through audit logs, which act as system records and are required for HIPAA compliance.

Learn what to include in a HIPAA audit log, why they’re important for your security and privacy programs, tips to help you get started, and other nitty-gritty compliance details below.

What is a HIPAA audit log? Why audit trails matter for security and compliance

The HIPAA Security and Privacy Rules specify that all covered entities and business associates must implement physical, technical, and administrative safeguards to secure protected health information (PHI) and electronic protected health information (ePHI). Part of those safeguards includes maintaining audit logs that record how and when either type of PHI is created, processed, accessed, and/or shared. 

HIPAA audit logs are records of system activities: who accessed the network, when, what they did, and what documents or patient data they viewed.

Why would a giant laundry list of system activities be useful for stronger security and privacy? IT administrators and cybersecurity experts can review them to spot trends and anomalies and more effectively manage risks. Proper audit logs help organizations prevent security incidents, detect data breaches quickly, and understand how and why they occurred. 

Audit logs also help organizations maintain compliance with HIPAA’s Minimum Necessary Rule, which requires healthcare providers to only access PHI for a specific purpose within their job function. Audit logs establish and track normal access patterns for each employee and business associate. These patterns and trends make it easier to notice anomalies that could indicate when a user is abusing access rights or if an unauthorized user is attempting to access a system, application, or file. 

Audit logs are typically used for: 

• Forensics: After a security incident or data breach, an organization needs to understand when and how it occurred to contain it and reduce its impact. Audit logs allow organizations to pinpoint what happened and the events leading up to it. 
• Proof of compliance: Audit logs are required for compliance with many security frameworks, including HIPAA. They prove that an organization is capable of investigating any data breaches or unauthorized access that may occur and also provide evidence of compliance in the event of an external audit. 
• Disaster Recovery: In case of data loss or system inoperability, audit logs can be used to aid recovery efforts and prevent the issue from happening again. 

HIPAA requirements: What to include in a HIPAA audit log

Audit logs should cover all electronic devices and applications within your healthcare organization’s network. This includes computers, mobile devices, databases, internal servers, and cloud applications such as email and fire sharing.

HIPAA compliance requires three types of audit logs: 

• Application audit logs monitor user activity across applications, including workstation and cloud applications. Logs monitor how files are created, viewed, shared, and deleted. 
• System-level audit logs record system-wide events, such as shutdowns and reboots, user authorization and authentication, and data access by specific users. 
• User audit logs track user activity, such as accessing PHI, and any operating system commands executed by the user. 

Covered entities and business associates are also required to log specific activities within their audit trails. These include: 

• Login attempts (both successful and unsuccessful)
• Any changes to databases that store ePHI
• Adding or removing users 
• Adding, removing, or changing user access permissions
• User access to files, databases, or directories
• Firewall logs showing attempts to connect into or out of the system’s security perimeter
• Anti-malware logs

Organizations must also keep separate audit logs to record access to paper records and files. 

How long do HIPAA audit logs need to be retained?

All HIPAA compliance documentation, including audit logs, should be retained for at least six years. However, some states have their own retention requirements that are longer than six years. Healthcare organizations must comply with whichever requirement is stricter. 

According to the US Department of Health and Human Services (HHS), logs should be stored in raw format for at least 6-12 months, after which they can be stored in a compressed format.

Getting started with HIPAA audit logs

To help healthcare organizations navigate the safeguards specified in the HIPAA Security Rule, including audit log requirements, the National Institute of Standards and Technology (NIST) released Special Publication 800-66. 

NIST 800-66 includes a series of questions organizations can use to guide their approach to creating and maintaining HIPAA-compliant audit logs:

• Where is ePHI stored within information systems, and where do vulnerabilities exist?
• What activities, processes, or applications make ePHI more vulnerable? 
• Who is responsible for establishing an audit log process?
• How will logs be reviewed, by whom, and how often?
• How often will takeaways be reported to stakeholders, and by whom?
• How will any suspicious activity or confirmed security incidents be reported? 
• How will security investigations proceed, and how will audit logs be used in those investigations?
• How can system administrators best protect audit log integrity? 
• Where will audit logs be stored, for how long, and how will they be disposed of securely?

To help you get started, we’ve created a sample audit log populated with key fields to track. The sample also includes a list of HIPAA compliance documentation you may want to store with your audit logs for quick reference, including risk assessments, business associate agreements, and key policies such as an information security policy and privacy policy.

How Secureframe can help with HIPAA compliance

Our security and privacy automation platform makes it easy to determine what ePHI you handle and how it flows through your organization, which is crucial for a strong security and privacy program and continuous HIPAA compliance. 

We can also help you evaluate your security safeguards and audit controls, complete a risk analysis, and identify weaknesses to provide a clear picture of your security and privacy posture. 

For more information on how Secureframe can help you achieve and maintain HIPAA compliance, request a demo today.