Are there requirements or standards that advise how long a CE should retain audit logs of system activity (login, read, modify, etc.) and logs of security breaches? If not, what are other providers/hospitals doing?
The retention requirements are listed in the HIPAA Security regulations. The retention period is 6 years.
Can you cite specifically where the security rule states 6 years?
Take a look at § 164.316 Policies and procedures and documentation requirements and its associated subsections.
Note that in previous discussions on other forums, some people apply the six year period to audit reports while others apply this period to the audit reports along with the audit logs or audit data sources used to compile the audit reports.
Thanks for your response. The original question from Linda asks about system activity, log retention, etc. My understanding of section 164.316 is that it refers to the retention of documentation of policies and procedures and not specifically data gathered when adhering to the policies and procedures. I reference the miscellaneous comments section from the final rule:
q. Comment: One commenter asked that data retention be addressed more specifically, since this will become a significant issue over time. It is recommended that a national work group be convened to address this issue.

Response: The commenter's concern is noted. While the documentation relating to Security Rule implementation must be retained for a period of 6 years (see § 164.316(b)(2)), it is not within the scope of this final rule to address data retention time frames for administrative or clinical records.
These comments seem to leave it up to the CE to determine what is appropriate for data retention.
Thanks Frank and Steve
I agree it’s not completely clear when it comes to transaction logs and we’ll tend to be conservative where $$ allow.
I’d like to hear other hospitals’ opinions about allowing volunteers access to systems requiring unique username/pswd and containing PHI.
While we do not routinely allow this, the question has come up; as more and more data becomes electronic, the relevance will increase.
Specifically, we’ve found other local hospitals who do not allow volunteer access to systems make an exception for cancer registry. This is an area often staffed with volunteers and the need to allow electronic access to medical records is increasing in order to maintain volunteers in this capacity.
We will be having privacy/security committee discussions about this but there are differing opinions. Volunteers undergo the same screening and education regarding confidentiality that employees do.
Please weigh in with your practice and opinions.
Implementation Specification §164.316(b)(2)(i) Time Limit (Required): Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later …. Now, go to para (b)(1) of this section and it states "a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created."

My Comments: A plan (CE) must be able to prove they are adhering to the HIPAA Security Rule. How? Assessments, audit findings, documentation, actions, activities taken to support the rule. You don't have to collect ALL logs per se, but you had better be able to prove you're collecting and reviewing them. The results of these reviews/assessments/actions/whatever must be retained for 6 years. The intent is not Policies and Procedures only or all logs. It's the Missouri Clause: SHOW ME you've implemented the rule! Show me actions that prove this fact, oh and by the way, keep those records for 6 years cuz we're coming for them.