What Are HIPAA Audit Trail and Audit Log Requirements?
Audit logs are an important part of HIPAA compliance because they track access to your data. Establishing an audit trail, and recording it in an audit log, enables quick detection of breaches and demonstrates adherence to the minimum necessary standard. The HIPAA audit trail and audit log requirements below provide guidance on tracking access to your data.
HIPAA Audit Trail Requirements
The Department of Health and Human Services (HHS) released guidance on audit controls and audit trails.
HIPAA audit trail requirements as per the HHS include:
- Application audit trails. These normally monitor and log user activity within the application: the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.
- System-level audit trails. These usually capture successful and unsuccessful log-on attempts, the log-on ID/username, the date and time of each log-on/log-off attempt, the device used to log on, and the application the user successfully or unsuccessfully accessed.
- User audit trails. These normally monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files and resources.
HIPAA Audit Log Requirements
HIPAA requires healthcare organizations to ensure the confidentiality, integrity, and availability of protected health information (PHI). As such, it is necessary to monitor and track access to PHI. Audit logs track both authorized and unauthorized access to PHI, ensuring adherence to the minimum necessary standard.
The HIPAA minimum necessary standard requires healthcare organizations to only access PHI for a specific purpose within their job role. By keeping audit logs, normal access patterns for each employee are established. By establishing access patterns for each employee, administrators can easily detect when an employee is abusing their access rights, or if an unauthorized party has stolen an employee’s login credentials to access data illegally.
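The baseline-and-deviation approach described above, as an added example (not code from the article or from HHS): each user's ordinary daily volume of distinct ePHI records is learned from past application audit-trail entries, and review days that exceed it, or users with no history at all, are flagged. The log line format, the field names and every record are constructed for this example.

```python
# Added example (not code from the article or HHS): flag ePHI access that departs
# from a user's own baseline. Log format, field names and records are constructed.
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

def _day(day, user, record_ids, hour=9):
    """Constructed application audit-trail lines: '<ISO time> <user> READ <record>'."""
    return [f"{day}T{hour + i // 12:02d}:{(i % 12) * 5:02d}:00 {user} READ rec-{n}"
            for i, n in enumerate(record_ids)]

AUDIT_LOG = (  # three quiet days for alice and bob, then a review day (2024-03-07)
    _day("2024-03-04", "alice", range(1001, 1005)) + _day("2024-03-05", "alice", range(1005, 1010))
    + _day("2024-03-06", "alice", range(1010, 1014)) + _day("2024-03-07", "alice", range(2000, 2020))
    + _day("2024-03-04", "bob", range(3001, 3004)) + _day("2024-03-05", "bob", range(3004, 3007))
    + _day("2024-03-06", "bob", range(3007, 3010)) + _day("2024-03-07", "bob", range(3010, 3013))
    + _day("2024-03-07", "carol", range(4001, 4003))  # carol has no history before the review day
)

def parse(lines):
    """Parse audit lines into (timestamp, user, action, record) tuples."""
    rows = [line.split() for line in lines]
    return [(datetime.fromisoformat(ts), user, action, rec) for ts, user, action, rec in rows]

def daily_distinct_records(events):
    """Per user, per calendar day: number of distinct ePHI records touched."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, user, _action, record in events:
        seen[user][ts.date()].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}

def flag_anomalies(lines, baseline_end, k=3.0, min_days=3):
    """Compare each day after `baseline_end` (ISO date) with the user's own baseline.
    A day is flagged when its distinct-record count exceeds max(mean + k*stdev, 2*mean);
    a user with fewer than `min_days` baseline days is flagged as having no pattern at all,
    which is what a brand-new or hijacked account looks like."""
    cutoff = date.fromisoformat(baseline_end)
    per_day = daily_distinct_records(parse(lines))
    flags = []
    for user, days in sorted(per_day.items()):
        base = [n for d, n in days.items() if d <= cutoff]
        for d, n in sorted(days.items()):
            if d <= cutoff:
                continue
            if len(base) < min_days:
                flags.append((user, d.isoformat(), n, "no baseline"))
            elif n > (limit := max(mean(base) + k * pstdev(base), 2 * mean(base))):
                flags.append((user, d.isoformat(), n, f"exceeds baseline limit {limit:.1f}"))
    return flags
```

Running `flag_anomalies(AUDIT_LOG, "2024-03-06")` flags alice's 20-record day and carol's history-less account while bob's steady three records a day pass; in practice the baseline window, the multiplier `k` and the per-day granularity are tuned to the role and system in question.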
HIPAA audit log requirements include retaining audit log records for six years. Some states, however, have their own retention requirements that oblige healthcare organizations to keep records for longer than six years. Where state law imposes a stricter retention requirement, healthcare organizations must follow the stricter standard.
As part of HIPAA audit log requirements, healthcare organizations must track the following:
- Each time a user logs in
- Whenever changes are made to databases
- When new users are added
- Access levels for each user
- File access by users
- Logins to operating systems
- Firewall logs
- Anti-malware logs
All of the above-mentioned HIPAA audit log requirements are for electronic PHI access. However, access to paper PHI must also be tracked. It is therefore important for employees to sign out paper files, and for organizations to keep an audit log for this access.
HHS Provides Questions that Covered Entities and Business Associates Should Consider
- What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
- What are the audit control capabilities of information systems with ePHI?
- Do the audit controls implemented allow the organization to adhere to their audit control policies and procedures?
- Are changes or upgrades of an information system’s audit capabilities necessary?