• E-mail
• Print
• RSS

Q: Our system generates audit logs that capture all accesses and updates to patient information. What does HIPAA require in terms of audit log retention?

HIPAA Weekly Advisor, June 2, 2008

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

A: CMS provides no clear guidance pertaining to audit log retention, so the debate continues. However, there are generally two opinions regarding how long you should retain your audit logs.

One opinion, with which I concur, requires you to review audit logs on a regular basis and to formally document this in your policies and procedures. After reviewing the audit logs and writing a formal findings report, it is a good idea to retain audit logs for 60–90 days following the completion of the report. This allows time for any necessary mitigation if anomalies are found. Thereafter, retention of the audit logs is unnecessary, but you should retain the report for six years.

The other school of thought requires you to retain audit logs and the formal findings reports for six years. Even though audit logs require significant storage space when retained for this amount of time, the cost of storage has decreased. Therefore, it is logical to assume that you need to retain audit logs, just like any other security-related records, for the full HIPAA-required retention period.

Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• Comment
• E-mail to a Colleague
• Print
• RSS
• Archive

Comments