HIPAA Audit Log Requirements: What to Track and How Long to Keep Logs
Audit logs occupy an unusual place in HIPAA: they are both a control you are required to implement and the evidence you depend on when something goes wrong. The Security Rule names them directly but — by design — does not hand you a checklist of fields and a single retention number, which is exactly why so many organizations get this wrong.
What the rule actually requires
Two provisions drive audit logging. The Audit Controls standard at 45 CFR § 164.312(b) requires you to implement “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use” electronic PHI. Separately, the Information System Activity Review specification at § 164.308(a)(1)(ii)(D) requires you to actually review those records — log-ins, file access, security incident reports. Logging without review satisfies neither.
What to track
At minimum, logs covering ePHI systems should capture: user log-in and log-out events, including failed attempts; records that are created, viewed, modified, or deleted; the user identity and timestamp for each action; changes to user permissions and access rights; and security-relevant system events such as configuration changes or disabled controls. The guiding principle is reconstruction — after an incident you should be able to answer who accessed which record, when, and from where. In an EHR that means access logging at the patient-record level, not just server log-ins. This is the natural companion to strong HIPAA access control best practices.
How long to keep logs
Retention is where the myth lives. HIPAA does not set a universal “keep logs for X years” figure for the logs themselves. What it does require, at § 164.316(b)(2), is that the documentation of your policies, procedures, and required actions be retained for six years from creation or last effective date. In practice most organizations align audit-log retention to that same six-year horizon, both to demonstrate ongoing review and because state laws, breach investigations, and OCR audits routinely reach back years. Six years is the defensible default; shorter windows are hard to justify if an investigator asks for history you no longer have.
Reviewing is not optional
Logs you never read are a finding waiting to happen. Build a recurring review cadence, alert on high-risk events (mass exports, after-hours access to records, repeated failed log-ins), and document that the review happened — the documentation itself is part of what you retain. These obligations sit inside the broader HIPAA Security Rule requirements.
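The review cadence described here, applied to events carrying the fields listed under "What to track", as an added Python example that is not from the article or from Medcurity: it parses constructed tab-separated audit lines (timestamp, user, action, record, source IP), reconstructs who touched one patient record and from where, flags the three high-risk patterns named above, and returns a review record that can be retained as evidence. The log format, the field names and the thresholds (5 failed log-ins within 10 minutes, 20 distinct records exported within an hour, 07:00 to 19:00 as business hours) are assumptions for illustration, not values from the rule.

```python
"""Audit-log review example (constructed data; thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# One line per event: who, what, which record, when, from where.
REQUIRED_FIELDS = ("timestamp", "user", "action", "record", "source_ip")
RECORD_ACTIONS = {"RECORD_CREATE", "RECORD_VIEW", "RECORD_MODIFY",
                  "RECORD_DELETE", "RECORD_EXPORT"}

# Assumed alert thresholds; tune them from your Security Risk Analysis.
FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 5, timedelta(minutes=10)
EXPORT_LIMIT, EXPORT_WINDOW = 20, timedelta(hours=1)
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def build_sample_log():
    """Constructed sample: a normal shift, an after-hours record view,
    a burst of failed log-ins and a mass export."""
    rows = [
        ("2024-03-04T08:02:11", "nurse.kim", "LOGIN_SUCCESS", "-", "10.20.1.15"),
        ("2024-03-04T08:03:40", "nurse.kim", "RECORD_VIEW", "MRN-1001", "10.20.1.15"),
        ("2024-03-04T08:05:02", "nurse.kim", "RECORD_MODIFY", "MRN-1001", "10.20.1.15"),
        ("2024-03-04T12:10:00", "admin.ops", "PERMISSION_CHANGE", "user:temp.clerk", "10.20.0.5"),
        ("2024-03-04T23:41:05", "dr.patel", "LOGIN_SUCCESS", "-", "198.51.100.23"),
        ("2024-03-04T23:42:10", "dr.patel", "RECORD_VIEW", "MRN-1001", "198.51.100.23"),
    ]
    t0 = datetime(2024, 3, 5, 2, 0, 0)
    for i in range(6):  # six failures in two minutes
        rows.append(((t0 + timedelta(seconds=20 * i)).isoformat(timespec="seconds"),
                     "billing.ray", "LOGIN_FAILURE", "-", "203.0.113.9"))
    t0 = datetime(2024, 3, 5, 9, 0, 0)
    for i in range(25):  # 25 distinct records exported in 12 minutes
        rows.append(((t0 + timedelta(seconds=30 * i)).isoformat(timespec="seconds"),
                     "billing.ray", "RECORD_EXPORT", f"MRN-{2000 + i}", "10.20.3.7"))
    return "\n".join("\t".join(r) for r in rows)


def parse_event(line):
    """Reject lines missing any of the reconstruction fields."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(REQUIRED_FIELDS):
        raise ValueError(f"malformed audit line: {line!r}")
    event = dict(zip(REQUIRED_FIELDS, parts))
    event["timestamp"] = datetime.fromisoformat(event["timestamp"])
    return event


def parse_log(text):
    return sorted((parse_event(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["timestamp"])


def access_history(events, record):
    """Answer 'who accessed this record, when, and from where'."""
    return [(e["timestamp"].isoformat(timespec="seconds"), e["user"],
             e["action"], e["source_ip"]) for e in events if e["record"] == record]


def _bursts(events, limit, window, key_fn):
    """Per user, the largest count of distinct key_fn values seen inside any
    sliding window of the given length, kept only when it reaches limit."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    hits = {}
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            count = len({key_fn(x) for x in evs[start:end + 1]})
            if count >= limit:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def review(events):
    """Return (rule, user, detail) findings for the high-risk patterns."""
    findings = []
    failures = [e for e in events if e["action"] == "LOGIN_FAILURE"]
    for user, n in _bursts(failures, FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW,
                           lambda e: e["timestamp"]).items():
        findings.append(("repeated_failed_logins", user, f"{n} failures within {FAILED_LOGIN_WINDOW}"))
    exports = [e for e in events if e["action"] == "RECORD_EXPORT"]
    for user, n in _bursts(exports, EXPORT_LIMIT, EXPORT_WINDOW, lambda e: e["record"]).items():
        findings.append(("mass_export", user, f"{n} distinct records within {EXPORT_WINDOW}"))
    for e in events:
        if e["action"] in RECORD_ACTIONS and not BUSINESS_START <= e["timestamp"].time() < BUSINESS_END:
            findings.append(("after_hours_record_access", e["user"],
                             f"{e['action']} {e['record']} at {e['timestamp']} from {e['source_ip']}"))
    return findings


def document_review(findings, reviewer, reviewed_at):
    """The retained evidence that the review happened, not just the alerts."""
    return {"reviewed_at": reviewed_at.isoformat(timespec="seconds"), "reviewer": reviewer,
            "events_flagged": len(findings), "findings": findings}


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print(access_history(evs, "MRN-1001"))
    print(document_review(review(evs), "privacy.officer", datetime(2024, 3, 5, 10, 0)))
```

Each finding carries the user, the record and the source address so the reviewer can follow up without going back to raw logs, and the `document_review` output is what you keep for the retention horizon discussed above, since the alert itself is not proof that anyone looked at it.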
The Security Risk Analysis ties it together
Your Security Risk Analysis — the foundational requirement at 45 CFR § 164.308(a)(1)(ii)(A) — is where you decide which systems need logging, what each must capture, and how often you review. It connects the technical control to the actual risks in your environment rather than logging everything and reading nothing.
The proposed 2026 Security Rule update
The proposed 2026 update to the Security Rule would make logging expectations more explicit. Published as a Notice of Proposed Rulemaking in December 2024, it is not final — it remains a proposal, with a 240-day compliance window once a final rule is published. The NPRM moves toward more specific, consistently applied logging and review, narrowing the discretion the current rule allows.
How Medcurity helps
Medcurity’s guided Security Risk Analysis maps your ePHI systems and documents your audit-control and activity-review obligations, so logging and retention decisions are recorded as part of your compliance evidence rather than living in someone’s memory. Plans start at $499/year (about $42/month); larger organizations can request a quote.
Frequently Asked Questions
How long does HIPAA require you to keep audit logs?
HIPAA does not set a specific retention period for the logs themselves. It does require, at § 164.316(b)(2), that compliance documentation be kept for six years. Most organizations adopt a six-year audit-log retention to match, which is the defensible default for OCR audits and breach investigations.
What events must HIPAA audit logs capture?
At minimum: log-in and log-out events including failures, record creation, viewing, modification, and deletion, the user and timestamp for each action, permission changes, and security-relevant system events — enough to reconstruct who accessed which ePHI, when, and from where.
Is it enough to just collect logs?
No. The Information System Activity Review requirement at § 164.308(a)(1)(ii)(D) requires you to review the logs. Collecting without reviewing — and without documenting that review — fails the standard.
Does HIPAA require specific logging software?
No. The Audit Controls standard at § 164.312(b) is technology-neutral. It requires mechanisms that record and examine ePHI activity but lets you choose tools appropriate to your systems and risk.