How to Stay HIPAA Compliant with Audit Logs

Audit logs are a critical – not to mention required – way for your company to monitor activity on your network. A newsletter on the importance of importance of HIPAA logging requirements states this:1

“Audit logs are records of events based on applications, user, and systems. Audit trails involve audit logs of applications, users, and systems. Audit trails’ main purpose is to maintain a record of system activity by application process and by user activity.”

Why are audit controls so important?

Whether this traffic is from an employee or another source, these logs are vital to protecting the information your organization holds. Keeping these logs is an important risk management measure.

A federal grand jury indicted a former MedStar Ambulance paramedic on counts of identity theft and fraud. He altered patient records as part of a scheme to steal narcotics from a local hospital from January 2013 to May 2015.2 The paramedic was finally caught after someone discovered his logs had various irregularities compared to the corresponding hospital records.

This incident highlights just how important it is to maintain and regularly monitor detailed logs. HIPAA log retention is also crucial; if the hospital had not archived the logs, investigators could not have found the incriminating records. HIPAA log retention requirements mandate that entities store and archive these logs for at least six years, unless state requirements are more stringent.

What HIPAA Security Rule Mandates

45 C.F.R. § 164.312(b) (also known as HIPAA logging requirements) requires Covered Entities and Business Associates to have audit controls in place.

These organizations must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI).1

Information systems include all electronic devices and applications used within your company’s network (e.g. smartphones, computers, emails, file sharing application, internal server).

In plain English, HIPAA auditing requirements call for organizations to regularly review network activity and device usage.

Whether you are a medical or dental practice, health insurance agency, or an employee of an organization that manages health records, you need to record and review audit logs to stay compliant with HIPAA and protect the information you maintain.

Creating a log is not as complicated as it seems. You can follow a HIPAA audit log template for your records.

Your Audit Logs Should Include This Information:

  1. Risk Assessments and Risk Analyses (Risk Assessments are performed proactively; Risk Analyses, retroactively, after an incident)
  2. Authorizations for the Disclosure of PHI
  3. Disaster Recovery and Contingency Plans
  4. Business Associate Agreements
  5. Information Security and Privacy Policies
  6. Employee Sanction Policies
  7. Incident and Breach Notification Documentation
  8. Complaint and Resolution Documentation
  9. Physical Security Maintenance Records
  10. IT Security System Reviews (including new procedures or technologies implemented)
  11. Logs Recording Access to and Updating of PHI (Application Processes and any user activity, including denial of access)

Examples of this kind of activity include:

  • When workforce members log in
  • The number of failed login attempts on a computer
  • The last time you conducted a software update
  • Who downloaded a new program, the name of the program, and when
  • When passwords were changed, and by whom
  • Who logged into HR systems at a certain time
  • What information was accessed by the person who logged in

This extends beyond your electronic systems. If you use paper files to store information, keep a log of employee access. These logs should also include information about when the files leave the file room. We suggest requiring employees to “sign files out.”

Log repairs to any physical assets. You should also keep track of disposed devices. Make sure you are properly protecting or sanitizing these devices.

Many of the software systems you currently use already have the ability to keep detailed logs of activity. Your IT department should consolidate these logs so they are easy to review.

In the event of a security incident, audit trails and logs should be reviewed as soon as possible. This will help you determine if there is tampering with the information. Outside of cybersecurity incidents, audit trails can help you identify flaws in your network before things go wrong. This process will also help you make sure applications are performing as intended.

How to Maintain Compliance with HIPAA

Keeping detailed logs is the first step toward HIPAA compliance. Consider implementing the following three steps to protect your business.

First, create detailed policies and procedures around audit handling.

Second, educate staff on changes in procedures.

Third, keep up-to-date with regular reviews of audit logs and audit trails.

You should also be prepared to keep these logs for a minimum of 6 years as is required for HIPAA Compliance. These logs should be stored in a raw format for at least six (6) months to one (1) year. After that, you can store these logs in a compressed format.

In conclusion, a HIPAA compliance service (like us) provides helpful guidance on establishing the logs that will help you monitor your network. Our HIPAA Prime™ program is a turn-key solution that helps you build a robust compliance program from the ground up. With the right documents in place, your staff can safeguard PHI from internal and external attempts to compromise the data.

  1. https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf?language=es
  2. http://www.healthcareinfosecurity.com/insider-threat-paramedic-indicted-for-narcotics-theft-a-9654

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)