HIPAA Logs have Strict Retention Requirements
By Stephen Trout, HIPAA Blog, Resources

HIPAA compliance necessarily involves comprehensive standards and procedures, vital for protecting Patient Health Information.

While Covered Entities and Business Associates are bound by the laws of their particular state with regard to how long medical records must be retained, the regulations concerning HIPAA logs are different.

For example, HIPAA requires that you keep track of who accesses protected health information (PHI), why they are accessing it, and what they are actually accessing. In the same vein, user access to any area where PHI is kept must also be recorded, including both failed and successful login attempts.

Logouts must also be logged, since they indicate when a user stopped accessing the information. System and network access to information is another log that must be stored as well.

While nobody likes to think it could happen, records of any attempted malicious conduct must also be kept, from malicious software to attempted breaches and other attempts at disrupting services. This includes any attempt to delete or modify the logs themselves. Records of any other type of security issue must likewise be kept and retained.

So how long must these logs be retained and stored? According to HIPAA regulations, these logs must be kept for a minimum of six years. While some companies keep records around much longer, this is the absolute minimum required, and the six years run from the date the log was last in effect.
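As an added illustration of the logging and retention rules above (my own example, not code from this post or from HIPAA Vault): it checks constructed audit records against the who/what/why and event-type requirements described, and computes the earliest purge date from the six-year minimum measured from the date a log was last in effect. The field names and event labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# The post's stated minimum: keep each log at least six years from the date it was last in effect.
RETENTION_YEARS = 6

# Event classes the post says must be logged (the labels are my own assumption).
REQUIRED_EVENT_TYPES = {"phi_access", "login_success", "login_failure", "logout",
                        "system_access", "malicious_activity", "log_tamper_attempt"}

@dataclass
class AuditRecord:
    event_type: str
    who: str             # user or system account that acted
    what: str            # resource touched (PHI record, log file, host ...)
    why: str             # stated purpose; the post requires it for PHI access
    last_in_effect: date

def add_years(d: date, years: int) -> date:
    # 29 Feb rolls back to 28 Feb when the target year is not a leap year
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(rec: AuditRecord) -> date:
    # first day on which the six-year minimum has been met
    return add_years(rec.last_in_effect, RETENTION_YEARS)

def may_purge(rec: AuditRecord, today: date) -> bool:
    return today >= retention_end(rec)

def validate(rec: AuditRecord) -> list:
    # problems that leave a record short of what the post says must be captured
    problems = []
    if rec.event_type not in REQUIRED_EVENT_TYPES:
        problems.append(f"unknown event type {rec.event_type!r}")
    if not rec.who:
        problems.append("missing actor identity")
    if rec.event_type == "phi_access" and not (rec.what and rec.why):
        problems.append("PHI access must record what was accessed and why")
    return problems

# Constructed sample records, not real data.
SAMPLE = [
    AuditRecord("phi_access", "nurse42", "patient/1001", "treatment", date(2017, 3, 1)),
    AuditRecord("phi_access", "nurse42", "patient/1002", "", date(2017, 3, 1)),
    AuditRecord("log_tamper_attempt", "svc-backup", "/var/log/audit", "", date(2016, 2, 29)),
]
```

Run `validate` over every record at write time, not at purge time; a record that is missing its purpose cannot be repaired six years later.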

Here is a list of the most common types of documents that must be retained under HIPAA regulations:

  • Risk Assessments and Risk Analyses
  • Authorizations for the Disclosure of PHI
  • Disaster Recovery and Contingency Plans
  • Business Associate Agreements
  • Information Security and Privacy Policies
  • Employee Sanction Policies
  • Incident and Breach Notification Documentation
  • Complaint and Resolution Documentation
  • Physical Security Maintenance Records
  • Logs Recording Access to and Updating of PHI
  • Notice of Privacy Practices (not applicable to health plans and clearinghouses)
  • IT Security System Reviews (including new procedures or technologies implemented)

Under HIPAA regulation, it’s vital that you are able to review and have access to these logs at any time. HIPAA-compliant hosting providers should offer a streamlined approach to gathering logs and searching through them.

Finding a good HIPAA hosting provider like HIPAA Vault that offers proper server log management and log auditing is also key. They should provide an easily manageable, indexed system to review the logs. With these steps, log retention doesn’t have to be an unmanageable or overwhelming task.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.