Download free DLP for AI whitepaper


  • There’s a lot of confusion around HIPAA’s logging requirements. Many organizations wonder if they need to retain their audit records for six years.

  • The answer is nuanced. Although, NIST-related HIPAA documentation states audit logs relating to ePHI should be retained for a minimum of six years under HIPAA.

  • However, this doesn’t mean you need to log everything. Because HIPAA is non-prescriptive, it’s up to you to define what activities and events should be logged, based on your own risk analysis undertaking.

  • No matter your approach, focus on implementing a rigorous logging approach for ePHI in high-risk environments like SaaS applications. Our tool, Polymer DLP, can automate this process for you.

“Is it true we need to retain our HIPAA (Health Insurance Portability and Accountability Act) audit log records for six years?” 

That’s a common question healthcare organizations ask us when they learn about Polymer data loss prevention (DLP) for HIPAA compliance

While our audit reporting capabilities enable you to capture records for well over a lifetime, retaining this information for that long isn’t always necessary. In fact, sometimes, six years isn’t even necessary either. 

Undoubtedly, there’s a lot of confusion around HIPAA’s logging requirements, which can easily lead organizations astray from compliance. Given that violations under the regulation can reach $25,000 per incident, there’s undoubtedly a lot at stake. 

To help you stay on the right side of the law, we’ll dispel the confusion around HIPAA’s retention requirements in this article. 

Here’s everything you need to know. 

What are HIPAA’s log retention requirements? 

As a first point of call, it makes sense to look to HIPAA itself for further information on logging requirements. Here’s what the regulation has to say: 

§164.312(b)“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” 
§164.316(b)(1)(i)“Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”
§164.316(b)(2)(i)“Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

As you can immediately see, things are far from clear cut. Looking at §164.312(b), you’ll notice that the requirement is very broad and open to interpretation, with no reference to what an ‘activity’ is, or how and when organizations should log these activities.

Naturally, then, one can look to the following requirements for further information. However, these often create more confusion than they do clarity. This is primarily due to the fact that HHS has not given a technical definition of what counts as an action, activity or assessment for logs relating to ePHI.  

HIPAA audit logs: our analysis of the requirements 

With no explicit definition to be found within HIPAA’s requirements, we looked further afield and found, yet again, that the subject is extremely nuanced. 

For example, in one HHS newsletter on audit controls, the body stated that “audit trails’ main purpose is to maintain a record of system activity by application processes and by user activity within systems and applications.”

Should an organization agree that audit trails are therefore an activity, as aforementioned in the table above, then it would be fair to say that a retention period of six years would meet compliance objectives.  

However, the same newsletter noted that the HIPAA Security Rule does not define the types of information that should be retained for auditing purposes. Instead, it proposed that the entity’s own risk analysis and business circumstances should dictate that. 

In a way, this makes a lot of sense. After all, HIPAA’s Security Rule is inherently non-prescriptive in nature, aware that covered entities range from large enterprises to small businesses with different resources and budgets.  

While one could therefore say that audit logging retention periods is therefore up to the individual organization, based on the outcomes of their risk analysis, this highly gray answer didn’t quite sit right with us. 

And so, we ventured over to the NIST website, and read through SP 800-92, which focuses on computer security log management, and SP 800-66, which offers guidance on adhering to HIPAA’s Security Rule.

Now, NIST and HIPAA are not one and the same. NIST has no authority to enforce HIPAA, for example. However, the Office of Civil Rights (OCR), which governs HIPAA, explicitly refers to NIST as a valuable resource for implementing HIPAA compliance initiatives. 

Finally, within the pages of NIST’s guides, we found some valuable intel. Namely, section 4.22 of SP 800-66 states that “documentation of actions and activities need to be retained for at least six years.” 

Ultimately, what this means is that, according to NIST, audit logs relating to ePHI should be retained for a minimum of six years under HIPAA. 

Depending on the size of your organization and your internal resources, storing countless amounts of audit logs for over six years may feel like an overwhelming prospect. Logging can be expensive and difficult to do well – especially at a grand scale. 

It’s safe to say that the simplest way to move forward would be to log everything for at least six years. However, if this isn’t possible for you, we advise, at a minimum, keeping logs of all activities and events relating to systems that contain ePHI. 

Because HIPAA is non-prescriptive, it’s up to you to define what activities and events are, based on your own risk analysis undertaking. We advise explicitly considering log retention requirements within your risk management framework and creating an audit log retention strategy. 

For example, you may decide that high risk activities or events taking place in high-risk applications should be retained for the defined period, while lower risk activities do not meet the retention period. 

In our view, the ability to demonstrate to assessors that you’ve carefully thought about log retention will be extremely beneficial, especially if there are instances in which you decide not to retain logs for the six year period. 

How does Polymer help with HIPAA auditing?

Undoubtedly, the most high-risk environment for ePHI and related information lies in the cloud apps employees use every day. While the cloud has revolutionized patient care and organizational efficiency for the better, it also extrapolates the risk of sensitive information being shared inappropriately or misguidedly with the wrong recipient. 

Keeping a detailed, long-term audit log of HIPAA-related activities in these apps should, regardless of other nuances, be a critical priority for organizations. While achieving this might have once seemed like an impossible, cumbersome task, Polymer DLP makes it possible, cost-effective and seamless. 

Not only does our tool discover and secure PHI in cloud apps like Slack, Teams and Google Drive, it also provides unparalleled visibility and audit capabilities, taking the responsibility of logging out of your hands. 

Using the power of automation and natural language processing (NLP), Polymer DLP works 24/7 in the background of your SaaS apps, monitoring PHI for signs of improper use, blocking non-compliant actions, and creating HIPAA-ready logs that you can confidently present to auditors. 

Ready to get started? Run a free Slack scan today to discover if you have unprotected PHI in your cloud apps.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.


Get Polymer blog posts delivered to your inbox.