Should HIPAA Audit Logs be Kept for 6 Years?
HIPAA audit logs are a vital part of any conversation surrounding HIPAA compliance since they are required to ensure full and proper monitoring of the activity on your business’s computer network. Lately, we have come across several questions asking how long audit logs must be kept, so we thought we would take an in-depth look at audit logs to answer this important question.
HIPAA Logging Requirements Are an Important Way to Manage ePHI
According to HIPAA, any information that you collect, store, and transmit that may identify a patient is considered Protected Health Information (PHI)—and it has become increasingly common for those files to be stored electronically. Known as ePHI, these digital records require special precautions. Healthcare organizations are not the only ones handling them: a Business Associate (BA) is a healthcare vendor and partner that provides essential products and services to the healthcare organization, and in doing so often creates, receives, or maintains ePHI on its behalf.
The BA must take special care of their audit logs, but many have questions regarding certain protocols in the HIPAA auditing process, such as the length of time they must retain their audit logs. In order for these valued parties to maintain HIPAA compliance, it is crucial that they fully understand the process and protocols to comply with their Business Associate Agreement (BAA) and HIPAA requirements. It’s also key to maintaining a good working relationship with the healthcare organization in serving its patients and protecting their data.
Of course, the BA is not the only party responsible for the security of all PHI. All covered entities must follow HIPAA protocols, including those that involve logging requirements.
HIPAA Security Rule Mandates for Auditing and HIPAA Logging Requirements
The compendium of HIPAA logging requirements, as encompassed by 45 C.F.R. § 164.312(b), requires all covered entities and BAs to keep appropriate audit controls in place at all times. All organizations must implement software, hardware, and procedural mechanisms or protocols that record and examine activity in information systems that contain, use or transmit ePHI.
Information systems may include any and all electronic devices and applications used within your business’s network. Such devices and applications might include laptop and desktop computers, smartphones, tablets, emails, internal services, and file-sharing applications. Essentially, HIPAA auditing procedures require all relevant organizations to regularly review and assess device usage and network activity.
Regardless of your type of organization, it must record and review audit logs for consistent HIPAA compliance and the proper safeguarding of all ePHI.
Why is it So Important to Retain HIPAA Audit Logs?
Audit logs allow your company to continuously and consistently monitor activity on your computing network, providing records of events surrounding user activity, applications, and the various systems for which you are responsible. Basically, all system activity creates an invaluable audit trail for you to use as a tool for security. Audit controls and audit logs have become a vital means of protecting all information, particularly ePHI, and keeping and properly maintaining these logs has become an important measure in risk management.
Audit logs are critical tools that can be used to identify identity theft, fraud, and physical theft. For example, they provided evidence when a paramedic changed patient medical records in a scheme to steal narcotics from a hospital. The crime was discovered and the culprit was caught after someone reviewed his logs and found discrepancies when compared to the corresponding hospital logs. Imagine if the hospital had not retained its own corresponding logs, or if there was no protocol requiring review of those logs. Without the required, or a longer, retention period for audit logs, this incident might have gone undetected or unsolved.
General HIPAA Audit Log Requirements: What is Included?
HIPAA log requirements include a combination of electronic and physical information. For your standard physical PHI and stored paper files, it is important to keep a log of employee access to those files. For these logs, include data on when the files leave the room, where they are taken, who has had access to them and how they have been used.
Audit logs for your ePHI are more involved and should include the following information:
- User access logins
- Addition of new users to the system
- New users’ level and areas of access
- Files accessed by all users
- All changes made to databases
- Firewall logs
- Operating system logs
- Anti-malware logs
Additional information to record in logs includes repairs made to any physical assets and devices, tracking of disposed devices, and the proper data wiping and sanitizing of devices between uses from one party to another.
Today, most software systems and cloud service providers can keep detailed activity logs, simplifying a step in the process. Many IT departments take advantage of this and consolidate such logs in one place for easier and quicker review.
If a security incident occurs, audit trails and logs need to be reviewed as quickly as possible to help determine whether there has been any tampering with the relevant information. Just as importantly, audit logs serve as preventive measures to help identify problems in your system before an incident can occur.
How Long Should HIPAA Audit Logs Be Kept?
The logging requirement itself, §164.312(b) – implementing the hardware, software, and procedural mechanisms to record and examine activity in information systems – does not specify any retention timeline. So the six-year question has to be answered elsewhere, and the answer is not black and white.
The six-year figure comes from the documentation requirement. §164.316(b)(2)(i) states that required documentation must be retained for six years from the date of its creation or the date it was last in effect, whichever is later.
The confusion for many covered entities and business associates is usually about what counts as such documentation: the requirement covers the policies and procedures implemented, as well as any written record of an action, activity, or assessment.
According to the Department of Health and Human Services (HHS), the main purpose of audit trails, or audit logs, is to maintain a record of system activity. With activity being one of the keywords associated with the six-year retention requirements, this reference would indicate that you should maintain your audit logs for six years. However, the HHS does not list a set-in-stone rule about the time frame for retaining audit logs, making it an unclear mandate, at best.
The most cautious strategy for companies—as long as it is not cost-prohibitive—is to keep all audit logs for a minimum of six years.
Are You Confident About Your Organization’s HIPAA Audit Logs?
Many decision-makers are unsure if HIPAA audit logs should be kept for just the standard six years. Are you considering saving them for a longer period of time? What should be your company’s best practice? I.S. Partners, LLC can help you determine the best length of time to retain audit logs and other HIPAA logging requirements.