How Long Should I Keep HIPAA Audit Logs? | Schellman (2024)

“Do I really need to retain all my HIPAA audit logs for 6 years?”

We hear this question a lot from organizations, and as you may already understand, the answer isn’t straightforward. Some might tell you that yes, all audit logs in your ePHI environment need to be retained for at least 6 years, but things are a bit more complicated than that—especially for business associates.

As practiced HIPAA assessors who understand how complicated and high stakes this type of compliance is, we want to provide some insight. In this article, we’ll break down the actual specific HIPAA requirements in the law that reference logs, other frameworks with helpful information, and finally, our recommended course(s) of action.

Let us decrypt a complex topic so that you get the clarity you need to ensure you stay in compliance with HIPAA.

HIPAA Log Requirements


When you try to find the crux of these requirements and how they fit together, you must ask whether every action or activity logged in an ePHI environment that ends up in an audit log counts as an “action, activity, or assessment” as HIPAA uses that phrase.

  • If they are, then you have a clear-cut case of the 6-year requirement applying to audit logs for systems in your ePHI environment.
  • But if they aren’t, or maybe only certain types of audit actions/activities are, things get complicated.

That’s because the HHS has not actually defined whether all details captured in audit logs are considered an “action, activity, or assessment,” nor has it defined what technically falls under those categories. For instance, operational logs have no stated retention requirement, but HIPAA hasn’t defined what operational logs are either.

Additional Information Regarding HIPAA Logs

More than that though, other documents that reference HIPAA log retention might better inform your understanding.

  • HHS “Understanding the Importance of Audit Controls” Newsletter
    • To their credit, the HHS did put out this bulletin in January 2017 that stated, “audit trails’ main purpose is to maintain a record of system activity by application processes and by user activity within systems and applications.”
    • “Activity” is one of those three magic words referenced in the aforementioned §164.316(b)(1), so you could interpret this to mean items in audit logs fit the definition of “activity,” and therefore that the audit logs containing the details of those activities need to be retained for at least 6 years.

However:

  • This publication didn’t mention 6-year audit log retention specifically (it didn’t mention any required retention, for that matter). It also reiterated that the HIPAA Security Rule does not identify what information should be collected from an audit log nor even how often those logs should be reviewed—rather, your risk analysis and other organizational factors should determine that.
  • The HIPAA Security Rule was deliberately not architected in a prescriptive way, so it seems reasonable that the decision of how long to retain audit files falls to you, provided you factor in your risk analysis. Still, the level of risk that some Business Associates carry regarding logs can be very different from that of a Covered Entity.
  • NIST SP 800-92 (Guide to Computer Security Log Management) also refers to HIPAA audit log retention:
    • It also mentions NIST SP 800-66 (An Introductory Resource Guide for Implementing the HIPAA Security Rule)—Section 4.22 says “documentation of actions and activities need to be retained for at least six years.”
    • In this context, it appears NIST’s interpretation of “actions and activities” in HIPAA would include all audit logs. And while NIST doesn’t determine HIPAA compliance, the Office of Civil Rights (OCR) refers to NIST in HIPAA guidance as solid advice.
    • So, you could take all that to mean that if NIST SP 800-92, in referring to NIST SP 800-66, places audit logs in this category of actions and activities, those logs need to be retained for at least 6 years per the HIPAA requirement.

Should You Retain All HIPAA Audit Logs for 6 Years?

Those are all the documented considerations, but the question remains: how long do you keep your logs?

As an assessor, here’s our perspective. Save all audit logs for at least 6 years if:

  • It’s not cost-prohibitive to your organization; and
  • The logs contain information that is related to actions on systems containing ePHI.

That’s the safest move, but it may not work for many organizations, so here are the concessions we’d offer them, keeping in mind that HIPAA doesn’t specify what you need to log, how often you need to review logs, or what constitutes an “action, activity, or assessment” in the aforementioned requirement §164.316(b)(1)(i):

  • HIPAA is built in a non-prescriptive way—as we mentioned before, organizations are meant to rely heavily on their individual risk analysis/risk management programs—so it makes sense that your log retention timeline would also be driven by the risk or specific impact to your organization rather than by a strict 6 years across the board.
  • It seems to us, then, that organizations do have freedom to determine which critical actions/activities they need to log and retain for at least 6 years:
    • If you categorize the higher-risk activities as those documented in audit logs retained for the full 6 years, you can then set retention for operations-type logs based on your risk analysis. While those logs may be relevant to your ePHI environment, they may not carry the level of risk that would require 6-year retention as clearly as the higher-risk activities do.

Questions may still arise, but if you can clearly demonstrate you considered audit log retention as part of your risk analysis/risk management program based on the type of activities being logged, you should have a solid and supported explanation in terms of why you didn’t also retain your other audit logs for 6 years.

Next Steps for Your HIPAA Compliance

While it may be frustrating that the governing bodies haven’t been more specific around this subject, hopefully, these details and the inclusion of other resources have provided at least some clarity. Of course, you may still feel a bit hesitant, and it’s no wonder—HIPAA penalties are no small thing.

But remember that, historically, the OCR has been clear it’s your risk analysis and risk management program that should drive your HIPAA control selections. So, if you take a risk-based approach, you can find the audit log retention plan that best fits the nature of your organization and your services provided in the healthcare provider chain. You’ll also be in the best position to support your chosen approach should the OCR seek an explanation.

If you’re still seeking an explanation—on HIPAA audit logs or otherwise—we would encourage you to reach out to us so that we may put any further concerns to rest. In the meantime, be sure to check our other content, which can help you continue demystifying the details of compliance for those in healthcare:

  • HIPAA Violations and How to Avoid Them
  • Who Needs to be HIPAA Compliant?
  • The Differences Between HIPAA and HITRUST


FAQs

How long should I keep HIPAA audit logs?

Save all audit logs for at least 6 years if it’s not cost-prohibitive to your organization, and the logs contain information related to actions on systems containing ePHI.

How long to keep HIPAA logs?

You should also be prepared to keep these logs for a minimum of 6 years as is required for HIPAA Compliance. These logs should be stored in a raw format for at least six (6) months to one (1) year. After that, you can store these logs in a compressed format.

How long should audit logs be kept?

For example, you may keep audit logs and firewall logs for two months. However, if your organization must follow strict laws and regulations, you may keep the most critical logs anywhere between six months and seven years. This timeframe is the log retention period.

How long must HIPAA records be kept?

Organizations must maintain these records for at least 6 years from the date of creation or 6 years after the “last effective date”, whichever is later. The “last effective date” is the last day the policies, procedures, or systems are still in use.

How long must the audit trail history be retained?

In particular, when striving for PCI compliance, audit logs, log management, and log retention become crucial components, as stipulated in PCI DSS requirement 10.7. This requirement mandates that audit logs must be retained for at least one year.

Do HIPAA records have to be retained for 6 years?

The Health Insurance Portability and Accountability Act (HIPAA) requires Covered Entities and Business Associates to maintain required documentation for a minimum of six (6) years from the date of its creation, or the date when it last was in effect, whichever is later.

What is the 7-year retention rule?

The rule generally carries out a congressional mandate. The rule, in general, prohibits the destruction for seven years of certain records related to the audit or review of an issuer's or registered investment company's financial statements.

Should audit logs be maintained?

Audit logs create a historical record that's maintained independently of your system's current state. Administrators and compliance teams can use the audit logs to investigate user actions, spot suspicious activity and adhere to regulatory frameworks.

What are the audit logs for HIPAA compliance?

The purpose of HIPAA audit logs is to record and monitor access to electronic protected health information (ePHI). Audit trails and logs record who accessed or modified protected health information (PHI) and when. Audit trails track actions like adding, deleting, or modifying PHI at a granular level.

What is the best way to store audit logs?

As a general rule, storage of audit logs should include 90 days “hot” (meaning you can actively search/report on them with your tools) and 365 days “cold” (meaning log data you have backed up or archived for long-term storage). Store logs in an encrypted format. See our post on Encryption Policies for more information.

How long do you have to keep emails for HIPAA?

The HIPAA email retention period for these communications is a minimum of six years. During this time, access controls and audit controls have to be implemented to safeguard the integrity of PHI and prevent improper modification or data deletion.

Does HIPAA ever expire?

While a HIPAA authorization must contain an expiration date or event that relates to the individual or the purpose of the use or disclosure, the Privacy Rule does not otherwise prescribe the expiration date or event that must apply to the authorization, which may vary based on the circumstances.

What is the new audit trail rule?

With effect from 1 April 2023, the Ministry of Corporate Affairs (MCA) has made it mandatory for companies to maintain an audit trail throughout the year for transactions impacting books of accounts.

What is the audit trail rule?

An audit trail is defined as a step-by-step sequential record which provides evidence of the documented history of financial transactions to its source. An auditor can trace the financial data of a particular transaction right from the general ledger to its source document with the help of the audit trail.

Can audit trails be deleted?

To Delete Audit Trail Records

Select Setup > System > Processes > Delete Audit Trail Records. Click the File button and select the files containing the audit trail records you want to delete. The list includes all files that are available to audit.

How long do you have to keep patient information?

CMS requires that providers submitting cost reports retain all patient records for at least five years after the closure of the cost report. And if you’re a Medicare managed care program provider, CMS requires that you retain the patient records for 10 years.

Under HIPAA, are practices required to keep patients’ medical records for at least 10 years?

Does the HIPAA Privacy Rule require covered entities to keep patients' medical records for any period of time? No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained.

What is the HIPAA standard for logging?

HIPAA requires you to keep logs for at least six years. These three HIPAA requirements apply to logging and log monitoring: § 164.308(a)(5)(ii)(C): Log-in monitoring (Addressable). [Implement procedures] for monitoring log-in attempts and reporting discrepancies.
