Any electronically stored information that an entity collects, stores, and transmits that may identify a patient is considered electronic protected health information (ePHI). To protect their patients’ ePHI, a covered healthcare entity must implement hardware, software, and/or procedural mechanisms that record and examine activity on the entity’s network. 45 CFR §164.312(b). With almost all medical files being stored electronically today, audit logs are critical to an entity’s security and an essential part of risk management. Although HIPAA requires audit logs to maintain a record of system activity, it is not clear how long HIPAA requires an entity to retain these audit logs.
The confusion over HIPAA’s requirement stems from different interpretations of the 6-year rule for document retention. Pursuant to 45 CFR §164.316(b), a covered entity is required to retain written security policies and procedures and written records of actions, activities, or assessments for 6 years. However, HHS has not defined whether all the details captured in audit logs are considered an action, activity, or assessment, nor has HHS defined what falls under these categories. Thus, there is no clear-cut rule regarding whether audit logs fall under the 6-year retention rule.
Without a clear-cut rule, healthcare entities should seek guidance from HIPAA’s flexible Security Rule. “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process.” Office for Civil Rights: Guidance on Risk Analysis Requirements under the HIPAA Security Rule (July 14, 2010). Risk analysis is an ongoing process that will vary depending on the specifics of the covered entity. Accordingly, the Security Rule does not provide a specific risk analysis method since methods will vary depending on the size, complexity, and capabilities of the covered entity.
Because the information in an entity’s logs is based on what is deemed relevant according to the entity’s own risk analysis, entities should use their risk analysis to determine what specific actions, activities, or assessments should be retained for 6 years. If an entity decides not to retain its entire audit logs for 6 years, it needs to show clear justification as to why its risk analysis led it to retain some information and discard other information.