Compliance with HIPAA inherently requires rigorous standards and procedures, which are essential to the security of patient medical records. Although Protected Individuals and Business Associates are bound by the laws of their respective states with regard to how long medical records must be kept, the HIPAA requirements for logs are different.
For example, HIPAA requires you to keep track of who has access to protected health information (PHI), why they have access to it, and what exactly they have access to. In this vein, user access must also be recorded, both failed and successful login attempts, in any environment where PHI data is stored. Logouts must also be logged, since they show when someone no longer has access to the information. Device and network access to information is another log that must be stored.
Although nobody wants to think that this might happen, any attempted malicious activity must also be logged, from malware to attempted intrusions to other attempts to disrupt services. This includes any attempt to delete or alter the logs themselves. Likewise, every kind of security incident must be recorded and retained.
And how long do you have to hold and store these logs? According to the HIPAA Rules, these logs must be maintained for at least six years. Although some businesses hold records much longer, this is the absolute minimum necessary. The six years run from the date the log was last in effect.
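The requirements above (record who accessed what PHI and when, capture failed and successful logins and logouts, record attempts to alter the logs themselves, and keep everything for six years from the date the log was last in effect) can be illustrated with a small append-only audit log. The following is an added example, not code from the original article or from any HIPAA hosting provider; the event names, the in-memory store and the sample events are this example's own assumptions. It goes slightly beyond the text by hash-chaining entries so that an edit or deletion inside the log is detectable, and by anchoring the latest hash externally so that silent truncation of the tail is detectable too.

```python
import hashlib
import json
from datetime import date, datetime, timezone

RETENTION_YEARS = 6  # minimum retention period stated in the article

# Event categories the article says must be captured; the names are assumptions.
EVENT_TYPES = {
    "login_success", "login_failure", "logout",
    "phi_access", "phi_update", "device_access", "network_access",
    "malware_detected", "intrusion_attempt", "log_tamper_attempt",
}

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding so the hash is reproducible."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous entry."""

    def __init__(self):
        self.entries = []

    def record(self, event_type, user, what, when=None, outcome="ok"):
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event_type}")
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "ts": when.isoformat(),
            "event": event_type,
            "user": user,        # who
            "what": what,        # which PHI record, system or device
            "outcome": outcome,  # ok / denied / bad_password ...
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; store this where the log writer cannot change it."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return the index of the first entry that breaks the chain, or None if intact.

        Edits and deletions inside the log break the chain. Removing entries from the
        end does not, so pass the externally stored head hash to catch truncation.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["seq"] != i or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None


def retention_deadline(last_in_effect_iso: str) -> str:
    """Earliest date (ISO) a log may be disposed of: six years after it was last in effect."""
    d = date.fromisoformat(last_in_effect_iso)
    try:
        return d.replace(year=d.year + RETENTION_YEARS).isoformat()
    except ValueError:  # 29 February with a non-leap target year: roll to 1 March
        return d.replace(year=d.year + RETENTION_YEARS, month=3, day=1).isoformat()


def count_events(log: AuditLog, event_type: str) -> int:
    return sum(1 for e in log.entries if e["event"] == event_type)


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data) covering the categories in the text."""
    log = AuditLog()
    t = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("login_failure", "jdoe", "ehr-portal", t, outcome="bad_password")
    log.record("login_success", "jdoe", "ehr-portal", t)
    log.record("phi_access", "jdoe", "patient/1234/chart", t)
    log.record("logout", "jdoe", "ehr-portal", t)
    log.record("log_tamper_attempt", "svc-backup", "audit.log", t, outcome="denied")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()
    print("intact, first bad entry:", log.verify(anchor))
    log.entries[2]["what"] = "patient/9999/chart"  # simulate an after-the-fact edit
    print("after edit, first bad entry:", log.verify(anchor))
    print("disposal allowed from:", retention_deadline("2024-03-01"))
```

The head hash is the important design choice: a hash chain on its own only proves that nothing was changed or removed from the middle, so the newest hash should be copied periodically to a location the logging host cannot write (a separate account, WORM storage, or a printed record), and `verify` compared against that copy.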
Below is a list of the most common types of documents that must be retained under the HIPAA Regulation:
Risk assessment and risk analysis
Authorizations for PHI Disclosure
Plans for disaster management and contingency
Company Partner Arrangement
Employee Sanction Policy
Documentation of incident and violation notification
Complaints and Resolution Documents
Physical Protection Maintenance Record
Logs Recording Access to and Updates to PHI
HIPAA guidelines also state that you must be able to check and access these logs at any time. HIPAA-compliant hosting providers should provide a simplified approach to logging and to sorting through logs.