HIPAA Audit Logging Requirements: What to Log, How Long to Keep It
HIPAA's audit controls standard explained — what events to log, immutable log storage implementation on AWS, the 6-year retention requirement, and what hospital auditors verify.
What HIPAA Actually Requires for Audit Logs
HIPAA's Security Rule requires covered entities and business associates to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." This is the Audit Controls standard at 45 CFR § 164.312(b). It is a standard in its own right, not an "addressable" implementation specification, so it cannot be documented away with a risk analysis.
What HIPAA does not specify: exact log format, which specific events must be logged, or required granularity. This gives engineers flexibility — but also means many teams underestimate what hospital security audits actually expect.
What Hospital Security Teams Look For
- User-level access logging: Who accessed which PHI record, when, from where
- Mutation logging: Who created, updated, or attempted to delete a PHI record
- Authentication events: Successful and failed login attempts, with timestamp and IP
- Privilege escalation: Any event where a user's permissions were elevated
- Configuration changes: Infrastructure or application changes to systems holding PHI
- Log retention: Minimum 6 years. The figure comes from the Security Rule's documentation retention requirement (45 CFR § 164.316(b)(2)(i)), and hospital auditors apply it to audit logs in practice
The Application-Level Implementation
import json
from datetime import datetime, timezone
from typing import Literal

import boto3
from botocore.exceptions import ClientError

LOG_GROUP = "/hipaa/phi-access"
cloudwatch = boto3.client("logs")


def _ensure_stream(stream_name: str) -> None:
    # put_log_events fails with ResourceNotFoundException if the stream does
    # not exist yet, so create it idempotently (one stream per UTC day).
    try:
        cloudwatch.create_log_stream(logGroupName=LOG_GROUP, logStreamName=stream_name)
    except ClientError as e:
        if e.response["Error"]["Code"] != "ResourceAlreadyExistsException":
            raise


def log_phi_access(
    user_id: str,
    patient_id: str,
    action: Literal["READ", "CREATE", "UPDATE", "DELETE"],
    resource_type: str,  # "Patient" | "Observation" | "TimeLog"
    ip_address: str,
    success: bool,
) -> None:
    # One UTC timestamp feeds the record, the stream name and the CloudWatch
    # event time, so the three cannot disagree (the original mixed local and UTC).
    now = datetime.now(timezone.utc)
    event = {
        "timestamp": now.isoformat(),
        "user_id": user_id,
        "patient_id": patient_id,  # record identifier only; never log clinical content
        "action": action,
        "resource_type": resource_type,
        "ip_address": ip_address,
        "success": success,
        "event_type": "PHI_ACCESS",
    }
    stream_name = now.strftime("%Y/%m/%d")
    _ensure_stream(stream_name)
    cloudwatch.put_log_events(
        logGroupName=LOG_GROUP,
        logStreamName=stream_name,
        logEvents=[{
            "timestamp": int(now.timestamp() * 1000),
            "message": json.dumps(event),
        }],
    )
Critical: PHI access logs must be immutable. CloudWatch Logs has no API for deleting individual events, so the ways a log can be destroyed or silently truncated are all at the group level: logs:DeleteLogGroup, logs:DeleteLogStream, and shortening retention with logs:PutRetentionPolicy or logs:DeleteRetentionPolicy. Application roles must hold none of these on the HIPAA log groups, and an explicit Deny is safer than relying on their absence, because a logs:* grant in any other attached policy would reintroduce them. S3 with Object Lock in compliance mode for log archives adds a second layer: in compliance mode no principal, including the account root, can delete a locked object version or shorten its retention until the period expires.
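The check below is an added example, not code from the page or from Opexia. It answers the question an auditor asks of the application role offline: given the role's policy document, which of the destructive CloudWatch Logs actions does it effectively allow on the HIPAA log group? It applies IAM's basic rule (explicit Deny beats Allow, nothing is allowed by default) per action and resource, and handles wildcard actions, single-statement policies and NotAction. The log group ARN, account ID and both policy documents are constructed for the demonstration; it does not model Condition blocks, NotResource, SCPs or permission boundaries, so treat it as a pre-commit lint and confirm with IAM Access Analyzer or iam:SimulatePrincipalPolicy against the deployed role.

```python
"""Offline check: can this IAM policy destroy or truncate a HIPAA log group?

Added example, not the page's own code. Models Allow/Deny precedence for one
action and one resource at a time; does not model Condition, NotResource,
SCPs or permission boundaries.
"""
import fnmatch

# Ways to destroy or silently truncate a CloudWatch log group. CloudWatch Logs
# has no DeleteLogEvents action: events only disappear with their stream or
# group, or through a shortened retention policy.
DESTRUCTIVE_LOG_ACTIONS = (
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
    "logs:PutRetentionPolicy",
    "logs:DeleteRetentionPolicy",
)

# Constructed identifiers for the demonstration (account ID is fictitious).
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/hipaa/phi-access"

# Constructed: the "just make it work" grant many application roles end up with.
WEAK_APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}],
}

# Constructed: write-only on the HIPAA groups plus an explicit Deny, so a
# broader grant attached elsewhere cannot bring the destructive actions back.
# In IAM ARN patterns "*" spans ":" too, so "/hipaa/*" also covers
# ".../hipaa/phi-access:log-stream:<name>".
HARDENED_APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:*:*:log-group:/hipaa/*",
        },
        {
            "Effect": "Deny",
            "Action": list(DESTRUCTIVE_LOG_ACTIONS),
            "Resource": "arn:aws:logs:*:*:log-group:/hipaa/*",
        },
    ],
}


def _as_list(value):
    # IAM allows a bare string or a list for Statement, Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt: dict, action: str, resource_arn: str) -> bool:
    actions = _as_list(stmt.get("Action"))
    if actions:
        action_hit = any(_action_matches(p, action) for p in actions)
    else:  # NotAction: the statement covers everything except the listed actions
        action_hit = not any(_action_matches(p, action) for p in _as_list(stmt.get("NotAction")))
    resources = _as_list(stmt.get("Resource")) or ["*"]
    resource_hit = any(fnmatch.fnmatchcase(resource_arn, p) for p in resources)
    return action_hit and resource_hit


def _target_arn(action: str, log_group_arn: str) -> str:
    # DeleteLogStream is authorised against the stream ARN (constructed daily
    # stream name, matching the logger above); the rest against the group ARN.
    if action == "logs:DeleteLogStream":
        return f"{log_group_arn}:log-stream:2024/03/01"
    return log_group_arn


def allowed_destructive_actions(policy: dict, log_group_arn: str) -> set:
    """Return the destructive actions the policy effectively allows on the log group."""
    allowed = set()
    for action in DESTRUCTIVE_LOG_ACTIONS:
        target = _target_arn(action, log_group_arn)
        effects = {
            stmt.get("Effect")
            for stmt in _as_list(policy.get("Statement"))
            if _statement_applies(stmt, action, target)
        }
        if "Allow" in effects and "Deny" not in effects:
            allowed.add(action)
    return allowed


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_APP_POLICY), ("hardened", HARDENED_APP_POLICY)):
        print(name, sorted(allowed_destructive_actions(policy, LOG_GROUP_ARN)))
```

One subtlety the check surfaces: a Deny written against the exact log group ARN does not cover logs:DeleteLogStream, because that action is authorised against the stream ARN, so the Deny must use a pattern that reaches the ":log-stream:" suffix (as the constructed hardened policy does).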
The 6-Year Retention Requirement
resource "aws_cloudwatch_log_group" "phi_access" {
  name              = "/hipaa/phi-access"
  # CloudWatch Logs accepts only a fixed list of retention values; 2192 is the
  # 6-year entry (2190 is rejected by the API and by the Terraform provider).
  retention_in_days = 2192
  # The key policy on aws_kms_key.phi must grant the CloudWatch Logs service
  # principal (logs.<region>.amazonaws.com) kms:Encrypt*, kms:Decrypt*,
  # kms:ReEncrypt*, kms:GenerateDataKey* and kms:Describe*, or creating the
  # group fails.
  kms_key_id        = aws_kms_key.phi.arn
}
CloudWatch Logs has no built-in tiering, so 6 years of retention in CloudWatch means 6 years at CloudWatch storage prices (about $0.03/GB-month). The cheaper pattern is to keep 90 days in CloudWatch and move the rest to S3, either with periodic export tasks (CreateExportTask) or by streaming the group through a subscription filter to Kinesis Data Firehose, then let an S3 lifecycle rule transition the objects to a Glacier storage class (roughly $0.004/GB-month for Glacier Instant Retrieval, less for Deep Archive) and expire them no earlier than 6 years. The archive bucket then carries the compliance burden: Object Lock in compliance mode, KMS encryption, and a lifecycle expiration that does not undercut the lock. Either arrangement satisfies the retention requirement as long as the full 6 years is covered somewhere without a gap.
Audit Logs Enable More Than Compliance
When a patient requests an accounting of disclosures of their PHI (a right under the Privacy Rule, 45 CFR § 164.528, covering the six years before the request), audit logs are how you fulfill it, which is one more reason the logs themselves must span six years. When a security incident occurs, they're forensic evidence. When a billing dispute arises, they prove what data was accessed and when.
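Producing that accounting from the logs is straightforward if the event shape is consistent. The following is an added example, not code from the page or from Opexia: it reads PHI_ACCESS lines in the JSON shape the logging function above writes, keeps the events for one patient inside the six-year look-back, sorts them, and counts malformed lines rather than dropping them, since a gap in the evidence is itself a finding. The user IDs, patient IDs, addresses and timestamps are constructed sample data; in production the lines would come from FilterLogEvents or from the S3 archive. The include_failed switch gives the forensic view (refused attempts included) as well as the disclosure view.

```python
"""Accounting of accesses to one patient's records from PHI_ACCESS log lines.

Added example, not the page's own code. Sample lines are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# 45 CFR 164.528: the accounting covers the six years before the request.
SIX_YEARS = timedelta(days=6 * 365 + 2)  # two leap days in any six-year span

FIELDS = ("timestamp", "user_id", "action", "resource_type", "ip_address", "success")


def _line(**fields) -> str:
    # Build one constructed log line in the logger's JSON shape.
    return json.dumps({"event_type": "PHI_ACCESS", **fields})


# Constructed sample: out of order, two patients, one failed delete, one event
# older than six years, one unrelated event type and one truncated line.
SAMPLE_LOG_LINES = [
    _line(timestamp="2024-03-02T14:05:00+00:00", user_id="dr.ahmed", patient_id="P-1001",
          action="UPDATE", resource_type="Observation", ip_address="10.0.4.21", success=True),
    _line(timestamp="2024-03-01T09:15:00+00:00", user_id="dr.ahmed", patient_id="P-1001",
          action="READ", resource_type="Patient", ip_address="10.0.4.21", success=True),
    _line(timestamp="2024-03-01T09:16:00+00:00", user_id="nurse.khan", patient_id="P-2002",
          action="READ", resource_type="Patient", ip_address="10.0.4.88", success=True),
    _line(timestamp="2024-03-02T18:40:00+00:00", user_id="billing.ops", patient_id="P-1001",
          action="DELETE", resource_type="TimeLog", ip_address="10.0.9.3", success=False),
    _line(timestamp="2017-01-15T11:00:00+00:00", user_id="dr.lee", patient_id="P-1001",
          action="READ", resource_type="Patient", ip_address="10.0.4.5", success=True),
    json.dumps({"event_type": "AUTH_LOGIN", "timestamp": "2024-03-01T09:14:00+00:00",
                "user_id": "dr.ahmed", "success": True}),
    '{"event_type": "PHI_ACCESS", "timestamp": "2024-03-0',  # truncated on ingest
]
REQUESTED_AT = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed request date


def _parse(line: str):
    # Return (timestamp, event) or None when the line is not a usable event.
    try:
        event = json.loads(line)
        ts = datetime.fromisoformat(event["timestamp"])
    except (ValueError, KeyError, TypeError):
        return None
    if ts.tzinfo is None:  # the logger writes UTC; treat naive stamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts, event


def accounting_for_patient(lines, patient_id, requested_at, window=SIX_YEARS, include_failed=False):
    """Return (entries sorted by time, count of malformed lines).

    include_failed=False is the disclosure view (what was actually accessed);
    True is the forensic view, which also shows attempts that were refused.
    """
    cutoff = requested_at - window
    kept, malformed = [], 0
    for line in lines:
        parsed = _parse(line)
        if parsed is None:
            malformed += 1  # surfaced to the auditor, never silently skipped
            continue
        ts, event = parsed
        if event.get("event_type") != "PHI_ACCESS" or event.get("patient_id") != patient_id:
            continue
        if not cutoff <= ts <= requested_at:
            continue
        if not event.get("success") and not include_failed:
            continue
        kept.append((ts, {k: event.get(k) for k in FIELDS}))
    kept.sort(key=lambda item: item[0])
    return [entry for _, entry in kept], malformed


def summarize_by_user(entries) -> dict:
    """Count accesses per user, the first question in a billing dispute."""
    counts = {}
    for entry in entries:
        counts[entry["user_id"]] = counts.get(entry["user_id"], 0) + 1
    return counts


if __name__ == "__main__":
    entries, malformed = accounting_for_patient(SAMPLE_LOG_LINES, "P-1001", REQUESTED_AT)
    for entry in entries:
        print(entry["timestamp"], entry["user_id"], entry["action"], entry["resource_type"])
    print("per user:", summarize_by_user(entries), "| malformed lines:", malformed)
```

Because the accounting is filtered on patient_id, the logger must record a stable record identifier for every access; the window test also shows why a log that is pruned before six years cannot answer a request made late in that period.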
Audit logging is also the evidence layer for Zero Trust architecture — continuous verification requires continuous logging. It's required by both HIPAA and SOC 2 Type II auditors; building it once satisfies both.
The HIPAA & SOC 2 Cloud Architecture service includes full audit logging infrastructure — immutable logs, 6-year retention, and PHI access reporting.
Related Service
HIPAA & SOC 2 Cloud Architecture
Deep-dive into our engineering approach, capabilities, and technical specifications.
Written by Sheharyar Amin
Founder & Lead Engineer, Opexia