Health Information Management

Q&A: EHR audit log retention

HIM-HIPAA Insider, February 2, 2010

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q. Does any regulation define the retention period for EHR or electronic medical record audit logs?

A. HIPAA requires that covered entities retain their HIPAA-related audit reports for a minimum of six years. In addition, the Health Information Technology for Economic and Clinical Health Act mandates that any disclosure from an EHR be included in an accounting of disclosures for the preceding three years.

However, this requirement will not become effective for all providers for at least a year. An audit log will help track access but will not necessarily include all of the information that HHS will require for the new accounting requirement.

Two schools of thought exist regarding retention requirements for audit logs following review and audit report finalization. Some believe providers should retain all audit logs—not just the corresponding reports—for a minimum of six years. Others hold that providers only need to retain audit logs for 60–90 days following finalization of the audit report, which would then be retained for six years. This is presumably long enough to complete the investigation of any anomalies in the report.

I believe in the latter school of thought. Longer retention of audit logs increases legal risk because they are discoverable.

It also means providers are saving large amounts of data that are highly likely to be inaccessible and unusable after a few years. In addition, no specific regulatory requirement or guidance indicates providers must retain audit logs for a minimum of six years.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the February issue of Briefings on HIPAA.
