Audit log and breach log retention


Are there requirements or standards that advise how long a CE should retain audit logs of system activity (login, read, modify, etc.) and logs of security breaches? If not, what are other providers/hospitals doing?

Linda Kristie


  1. Frank Ruelas says:


    The retention requirements are listed in the HIPAA Security regulations. The retention period is 6 years.


  2. Steve Martin says:

    Can you cite specifically where the security rule states 6 years?

  3. Frank Ruelas says:


    Take a look at § 164.316 Policies and procedures and documentation requirements and its associated sub sections.

    Note that in previous discussions on other forums, some people apply the six year period to audit reports while others apply this period to the audit reports along with the audit logs or audit data sources used to compile the audit reports.


  4. Steve Martin says:


    Thanks for your response. The original question from Linda asks about system activity, log retention, etc. My understanding of section 164.316 is that it refers to the retention of documentation of policies and procedures and not specifically data gathered when adhering to the policy and procedures. I reference the miscellaneous comments section from the final rule:

    q. Comment: One commenter asked that data retention be addressed more specifically, since this will become a significant issue over time. It is recommended that a national work group be convened to address this issue.

    Response: The commenter’s concern is noted. While the documentation relating to Security Rule implementation must be retained for a period of 6 years (see § 164.316(b)(2)), it is not within the scope of this final rule to address data retention time frames for administrative or clinical records.

    These comments seem to leave it up to the CE to determine what is appropriate for data retention.




  6. Linda Kristie says:

    Thanks Frank and Steve.
    I agree it’s not completely clear when it comes to transaction logs, and we’ll tend to be conservative where $$ allow.

  7. Linda Kristie says:

    I’d like to hear other hospitals’ opinions about allowing volunteers access to systems requiring a unique username/password and containing PHI.
    While we do not routinely allow this, the question has come up; as more and more data becomes electronic, the relevance will increase.
    Specifically, we’ve found other local hospitals who do not allow volunteer access to systems make an exception for cancer registry. This is an area often staffed with volunteers, and the need to allow electronic access to medical records is increasing in order to maintain volunteers in this capacity.
    We will be having privacy/security committee discussions about this, but there are differing opinions. Volunteers undergo the same screening and education regarding confidentiality that employees do.
    Please weigh in with your practice and opinions.
    Thank you.

  8. Mike Williams, CISSP,CHS says:

    Implementation Specification §164.316(b)(2)(i) Time Limit (Required): Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later …. Now, go to para (b)(1) of this section and it states “a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created”.

    My Comments: A plan (CE) must be able to prove they are adhering to the HIPAA Security Rule. How? Assessments, audit findings, documentation, actions, activities taken to support the rule. You don’t have to collect ALL logs per se, but you had better be able to prove you’re collecting and reviewing them. The results of these reviews/assessments/actions/whatever must be retained for 6 years. The intent is not Policies and Procedures only or all logs. It’s the Missouri Clause, SHOW ME you’ve implemented the rule! Show me actions that prove this fact, oh and by the way, keep those records for 6 years cuz we’re coming for them.
