How Long Should I Keep HIPAA Audit Logs? | Schellman (2024)

“Do I really need to retain all my HIPAA audit logs for 6 years?”

We hear this question a lot from organizations, and as you may already understand, the answer isn’t straightforward. Some might tell you that yes, all audit logs in your ePHI environment need to be retained for at least 6 years, but things are a bit more complicated than that—especially for business associates.

As practiced HIPAA assessors who understand how complicated and high stakes this type of compliance is, we want to provide some insight. In this article, we’ll break down the specific provisions of the HIPAA Security Rule that bear on logs, other frameworks that offer helpful guidance, and finally, our recommended course(s) of action.

Let us decrypt a complex topic so that you get the clarity you need to ensure you stay in compliance with HIPAA.

HIPAA Log Requirements

The Security Rule provisions that bear on this question are §164.312(b) (Audit controls), which requires mechanisms that record and examine activity in information systems containing ePHI, and §164.316(b)(1)(ii) (Documentation), which requires a written record of any “action, activity, or assessment” the Rule requires to be documented; §164.316(b)(2)(i) then requires that documentation to be retained for 6 years from the date of its creation or the date it was last in effect, whichever is later.

When you try to work out how these fit together, the crux is whether every action or activity captured in the audit logs of an ePHI environment counts as an “action, activity, or assessment” in the sense of §164.316(b)(1)(ii):

  • If they do, then the 6-year retention requirement clearly applies to the audit logs of systems in your ePHI environment.
  • If they don’t, or if only certain types of logged activity do, things get complicated.

That’s because HHS has not defined whether everything captured in an audit log is an “action, activity, or assessment,” nor what technically falls under those categories. Operational logs, for instance, have no stated retention requirement, but HIPAA does not define what an operational log is either.

Additional Information Regarding HIPAA Logs

More than that though, other documents that reference HIPAA log retention might better inform your understanding.

  • HHS “Understanding the Importance of Audit Controls” Newsletter
    • To its credit, HHS put out this bulletin in January 2017, which stated that “audit trails’ main purpose is to maintain a record of system activity by application processes and by user activity within systems and applications.”
    • “Activity” is one of the three operative words in §164.316(b)(1)(ii), so you could read this to mean that the items in audit logs fit the definition of “activity,” and therefore that audit logs recording those activities must be retained for at least 6 years.

However:

  • This publication didn’t mention 6-year audit log retention specifically (it didn’t mention any required retention period at all). It also reiterated that the HIPAA Security Rule does not specify what information should be collected in an audit log or how often logs should be reviewed; your risk analysis and other organizational factors should determine that.
  • The Security Rule was deliberately written in a non-prescriptive way, so it seems reasonable that the decision of how long to retain audit files falls to you, provided you factor in your risk analysis. Still, the risk a Business Associate carries with respect to logs can be very different from that of a Covered Entity.

NIST SP 800-92 (Guide to Computer Security Log Management) also addresses HIPAA audit log retention:

  • It cites NIST SP 800-66 (An Introductory Resource Guide for Implementing the HIPAA Security Rule), whose Section 4.22 says “documentation of actions and activities need to be retained for at least six years.”
  • In that context, NIST’s interpretation of “actions and activities” in HIPAA appears to include all audit logs. NIST does not determine HIPAA compliance, but the Office for Civil Rights (OCR) points to NIST publications in its HIPAA guidance as sound advice.
  • Taken together, you could read this to mean that because NIST SP 800-92, via SP 800-66, places audit logs in the category of actions and activities, they must be retained for at least 6 years under HIPAA.

Should You Retain All HIPAA Audit Logs for 6 Years?

Those are the documented considerations, but the question remains: how long do you keep your logs?

As an assessor, here’s our perspective. Save all audit logs for at least 6 years if:

  • It’s not cost-prohibitive to your organization; and
  • The logs contain information that is related to actions on systems containing ePHI.

That’s the safest move, but it may not be workable for many organizations, so here are the concessions we’d offer them, bearing in mind that HIPAA doesn’t specify what you need to log, how often you need to review logs, or what constitutes an “action, activity, or assessment” under §164.316(b)(1)(ii):

  • HIPAA is deliberately non-prescriptive. As we noted, organizations are expected to rely heavily on their own risk analysis and risk management programs, so it makes sense that your log retention timeline should likewise be driven by risk and by the specific impact on your organization, rather than by a blanket 6 years.
  • It seems to us, then, that organizations have latitude to determine which critical actions and activities they need to log and retain for at least 6 years:
    • If you categorize higher-risk activities as the ones to be documented in audit logs retained for 6 years, you can then set retention for operational logs based on your risk analysis. Those logs may be relevant to your ePHI environment, but they may not carry enough risk to require 6-year retention as clearly as the higher-risk activities do.

Questions may still arise, but if you can clearly demonstrate that you considered audit log retention as part of your risk analysis and risk management program, based on the types of activities being logged, you will have a solid, supported explanation of why you didn’t retain your other audit logs for 6 years. Note that the risk analysis and the retention decisions that come out of it are themselves documentation under §164.316(b)(1), so that record must be kept for the full 6 years even where the logs it covers are kept for less.
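As an added example, not Schellman’s code and not anything the article prescribes, here is one way to express a risk-tiered retention schedule like the one described above so that the tiering decisions are explicit, repeatable and reviewable by an assessor. Only the 6-year figure comes from §164.316(b)(2)(i); the system inventory, the event taxonomy, the assumed 3-year and 1-year tiers for the lower-risk categories, and the sample records are all constructed for illustration. It also covers two points a practitioner would want handled: a PHI event emitted by a host missing from the ePHI inventory is retained for the full 6 years and flagged as an inventory gap rather than silently treated as operational, and a record created on 29 February still gets a valid expiry date.

```python
"""Risk-tiered audit log retention schedule (added example, not Schellman's code).

Assumptions, none of which come from the article: the system inventory, the
event taxonomy, the 3-year and 1-year tiers, and the sample records below are
constructed for illustration. Only the 6-year tier is set by 45 CFR 164.316(b)(2)(i).
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Tier(str, Enum):
    DOCUMENTED_ACTIVITY = "documented_activity"  # actions on ePHI systems: 6 years
    SECURITY_EVENT = "security_event"            # auth/privilege events elsewhere
    OPERATIONAL = "operational"                  # health checks, metrics, noise


# Retention in years. 6 is regulatory; 3 and 1 are hypothetical risk-analysis outputs.
RETENTION_YEARS = {Tier.DOCUMENTED_ACTIVITY: 6, Tier.SECURITY_EVENT: 3, Tier.OPERATIONAL: 1}

# Constructed ePHI system inventory and event taxonomy (assumptions).
EPHI_SYSTEMS = {"ehr-db-01", "ehr-app-01", "billing-api"}
PHI_EVENTS = {"phi.read", "phi.create", "phi.update", "phi.delete", "phi.export"}
SECURITY_EVENTS = {"auth.login", "auth.logout", "auth.failed", "priv.escalate", "config.change"}


@dataclass(frozen=True)
class AuditRecord:
    system: str
    event_type: str
    actor: str
    created: date


@dataclass
class Decision:
    record: AuditRecord
    tier: Tier
    retain_until: date
    notes: list[str] = field(default_factory=list)


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def classify(rec: AuditRecord) -> tuple[Tier, list[str]]:
    """Map one record to a tier and return any findings the policy owner should see."""
    notes: list[str] = []
    if rec.event_type in PHI_EVENTS:
        # An event that touches ePHI documents an action on ePHI whatever host emitted it.
        if rec.system not in EPHI_SYSTEMS:
            notes.append(f"inventory gap: {rec.system} emits PHI events but is not an ePHI system")
        return Tier.DOCUMENTED_ACTIVITY, notes
    if rec.event_type in SECURITY_EVENTS:
        # Log-in and privilege activity on an ePHI system is an action on that system.
        if rec.system in EPHI_SYSTEMS:
            return Tier.DOCUMENTED_ACTIVITY, notes
        return Tier.SECURITY_EVENT, notes
    # Everything else (health checks, metrics) is operational, even on ePHI hosts.
    return Tier.OPERATIONAL, notes


def apply_policy(records: list[AuditRecord]) -> list[Decision]:
    """Assign each record a tier and the earliest date it may be purged."""
    decisions = []
    for rec in records:
        tier, notes = classify(rec)
        decisions.append(Decision(rec, tier, add_years(rec.created, RETENTION_YEARS[tier]), notes))
    return decisions


def purgeable(decisions: list[Decision], today: date) -> list[Decision]:
    """Records whose retention period has elapsed as of `today`."""
    return [d for d in decisions if d.retain_until <= today]


# Constructed sample records (not real log data).
SAMPLE = [
    AuditRecord("ehr-db-01", "phi.read", "dr.lee", date(2024, 3, 1)),
    AuditRecord("ehr-app-01", "auth.failed", "unknown", date(2024, 2, 29)),
    AuditRecord("jump-host-02", "auth.login", "ops.admin", date(2024, 3, 1)),
    AuditRecord("ehr-db-01", "health.check", "monitor", date(2024, 3, 1)),
    AuditRecord("reporting-etl-07", "phi.export", "svc.report", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for d in apply_policy(SAMPLE):
        flags = f"  [{'; '.join(d.notes)}]" if d.notes else ""
        print(f"{d.record.system:17} {d.record.event_type:12} -> {d.tier.value:19} keep until {d.retain_until}{flags}")
```

The conservative default matters: a classifier that keys only on the system inventory would shorten retention for exactly the records whose host inventory is wrong, which is the gap an assessor is most likely to find, and the inventory-gap note gives you the evidence to fix the inventory rather than the logs.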

Next Steps for Your HIPAA Compliance

While it may be frustrating that the regulators haven’t been more specific on this subject, hopefully these details and the other resources cited have provided at least some clarity. You may still feel a bit hesitant, and it’s no wonder: HIPAA penalties are no small thing.

But remember that, historically, OCR has been clear that your risk analysis and risk management program should drive your HIPAA control selections. So, if you take a risk-based approach, you can arrive at the audit log retention plan that best fits the nature of your organization and the services you provide in the healthcare chain, and you will be in the best position to support that approach should OCR ask for an explanation.

If you’re still seeking an explanation—on HIPAA audit logs or otherwise—we would encourage you to reach out to us so that we may put any further concerns to rest. In the meantime, be sure to check our other content, which can help you continue demystifying the details of compliance for those in healthcare:

  • HIPAA Violations and How to Avoid Them
  • Who Needs to be HIPAA Compliant?
  • The Differences Between HIPAA and HITRUST
