How long should I retain HIPAA audit logs?

HIPAA stands for the Health Insurance Portability and Accountability Act. It was enacted in 1996 and signed into law by President Bill Clinton. Its administrative simplification rules require covered entities and business associates to retain required documentation for a set period measured from the date the documentation was created or the date it was last in effect, whichever is later.

The HIPAA Privacy Rule applies to protected health information (PHI) in any form, and the Security Rule applies to PHI that is stored or transmitted electronically (ePHI). HIPAA itself does not set a retention period for medical records; each U.S. state sets its own medical-record retention requirements in its laws. While the Privacy Rule includes no medical-record retention requirement, it does require health care organizations to safeguard an individual's medical records and PHI.

HIPAA sets no retention period for medical records themselves, but it does set one for other HIPAA-related documentation. 45 CFR §164.316(b)(2)(i) requires covered entities and business associates to retain the documentation the Security Rule calls for (policies, procedures, and written records of required actions, activities, and assessments) for at least six years from the date it was created or the date it was last in effect, whichever is later.

Why Is It So Important To Retain HIPAA Audit Logs?

Retaining HIPAA audit logs matters because they let an organization monitor activity on its network and keep a record of system events and user activity. Taken together, that recorded activity forms an audit trail the organization can use as a security tool: to reconstruct who accessed what and when, to investigate incidents, and to demonstrate compliance. Retaining and properly maintaining these logs is a significant risk-management measure that helps protect all information, particularly an individual's ePHI.

Audit logs also help in identifying data theft, fraud, and the physical theft of records or devices.

General HIPAA Audit Log Requirements: What Is Included?

HIPAA's logging requirement covers both electronic and physical information. An organization must keep a record of which employees have access to physical PHI, such as stored paper files.

Audit logs for your ePHI are more involved and should include the following information:

  • User access logins
  • Addition of new users to the system
  • New users’ level and areas of access
  • Files accessed by all users
  • All changes made to databases
  • Firewall logs
  • Operating system logs
  • Anti-malware logs

How Long Should HIPAA Audit Logs Be Kept?

45 CFR §164.316(b)(2)(i) requires covered entities and business associates to retain required documentation for at least six years from the date it was created or the date it was last in effect, whichever is later. The Security Rule's audit controls standard, 45 CFR §164.312(b), requires mechanisms that record and examine activity in systems containing ePHI but names no separate retention period for the resulting logs, so the six-year documentation period is the floor commonly applied to audit logs. Check state law and your own retention policies as well, since either may require a longer period.
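The following script is an added example, not code from the original page. It ties together the list of ePHI audit-log contents above and the six-year rule: it parses a constructed JSON-lines audit export, reports events that lack required fields, flags the listed event categories that never appear, and computes the earliest purge date as six years after the later of the creation and last-in-effect dates. The event type names, field names, and log lines are assumptions made for illustration; the `floor_years` parameter is there so a longer state-law period can be applied.

```python
"""Audit-log coverage check and retention-expiry calculation for HIPAA logs.

Added example, not from the original page.  The event schema (type names,
required fields) and the sample export are constructed for illustration.
"""
import json
from datetime import date

RETENTION_YEARS = 6  # 45 CFR 164.316(b)(2)(i): six years, later of created / last in effect

# Event categories the page lists for ePHI audit logs (constructed type names).
REQUIRED_EVENT_TYPES = {
    "user.login",            # user access logins
    "user.created",          # addition of new users
    "user.access_changed",   # new users' level and areas of access
    "file.accessed",         # files accessed by all users
    "db.changed",            # all changes made to databases
    "firewall",              # firewall logs
    "os",                    # operating system logs
    "antimalware",           # anti-malware logs
}
REQUIRED_FIELDS = ("ts", "type", "actor", "outcome")

# Constructed JSON-lines export.  Line 7 deliberately lacks "outcome" and there
# is no "os" event at all, so both kinds of gap show up in the report.
SAMPLE_LOG = """\
{"ts": "2024-01-03T08:12:01Z", "type": "user.login", "actor": "jdoe", "outcome": "success", "src": "10.0.4.17"}
{"ts": "2024-01-03T08:15:44Z", "type": "user.created", "actor": "admin", "outcome": "success", "target": "rsmith"}
{"ts": "2024-01-03T08:16:02Z", "type": "user.access_changed", "actor": "admin", "outcome": "success", "target": "rsmith", "role": "nurse"}
{"ts": "2024-01-03T09:02:10Z", "type": "file.accessed", "actor": "rsmith", "outcome": "success", "path": "/records/12345.pdf"}
{"ts": "2024-01-03T09:05:33Z", "type": "firewall", "actor": "fw01", "outcome": "deny", "src": "203.0.113.9"}
{"ts": "2024-01-03T09:07:00Z", "type": "antimalware", "actor": "ws-22", "outcome": "quarantined"}
{"ts": "2024-01-03T09:09:12Z", "type": "db.changed", "actor": "rsmith"}
"""


def parse_events(text):
    """Parse JSON lines into (valid_events, errors).

    Malformed JSON or a missing required field is reported rather than
    silently dropped: a hole in the trail is itself a finding.
    """
    events, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as e:
            errors.append(f"line {n}: invalid JSON ({e.msg})")
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            errors.append(f"line {n}: missing field(s) {missing}")
            continue
        events.append(ev)
    return events, errors


def coverage_gaps(events):
    """Required categories with no valid event in the export, sorted."""
    seen = {ev["type"] for ev in events}
    return sorted(REQUIRED_EVENT_TYPES - seen)


def add_years(d, years):
    """d plus `years`; Feb 29 rolls forward to Mar 1 (the later, safer date)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


def retention_expiry(created, last_in_effect=None, floor_years=RETENTION_YEARS):
    """Earliest purge date: floor_years after the later of the two dates.

    Raise floor_years when state law or internal policy exceeds six years.
    """
    start = created if last_in_effect is None else max(created, last_in_effect)
    return add_years(start, floor_years)


def may_purge(created, today, last_in_effect=None, floor_years=RETENTION_YEARS):
    """True once `today` has reached the retention expiry date."""
    return today >= retention_expiry(created, last_in_effect, floor_years)


if __name__ == "__main__":
    evs, errs = parse_events(SAMPLE_LOG)
    print("parse errors:     ", errs)
    print("missing categories:", coverage_gaps(evs))
    print("expiry (policy created 2018-03-01, last in effect 2019-06-30):",
          retention_expiry(date(2018, 3, 1), date(2019, 6, 30)))
```

Run against the constructed export, the script reports that line 7 lacks an `outcome` field and that no `db.changed` (the rejected line) or `os` events are present, which is the kind of gap an auditor would ask about. The retention helper treats the six-year period as a floor, and the leap-day case is rolled forward rather than back so the computed date never falls short of the rule.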