I have been asked this question by a few clients recently, and unfortunately the answer is not so straightforward, especially for Business Associates. If you search on this topic you will find multiple articles stating that this is a hard, black-and-white requirement: all audit logs in your ePHI environment need to be retained for at least 6 years. This school of thought is especially popular with log management companies and consulting firms. If you dig a little deeper, though, you might start to question it. To start, let’s look at the specific HIPAA requirements that speak to this topic. It takes cross-referencing multiple requirements to get at the heart of the question, so hang in there through this part.
The first requirement to consider is the actual logging requirement, §164.312(b), which states: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Note that this requirement doesn’t specify any retention timeline. It also doesn’t state what needs to be logged or how often audit logs need to be reviewed. I’ll touch on that later in my conclusion.
Where the six-year retention question comes into play is the documentation requirement, §164.316(b)(2)(i), which states: “Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.” So we need to know what the (b)(1) referenced here covers in order to understand this.
The (b)(1) referenced in §164.316(b)(2)(i) is §164.316(b)(1), which has two parts: “(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”
The heart of the issue is this question: are all actions/activities logged in an ePHI environment that end up in audit logs considered an “action, activity, or assessment” as HIPAA uses those terms? If all actions/activities that are systematically logged are, then you have a clear-cut case of the 6-year requirement applying to audit logs for systems in your ePHI environment. But if they aren’t, or if only certain types of audited actions/activities are, then the answer becomes less black and white.
What doesn’t help is that HHS has not defined whether all details captured in audit logs are considered an action, activity, or assessment, and has not defined what technically falls under these categories. I’ve seen some articles state that operational logs don’t have retention requirements, but I’ve not seen operational logs defined by HIPAA either. What is an organization to do, then, and how can this be interpreted? I’d like to provide a few examples both for and against 6-year retention of all audit logs capturing activity in your ePHI environment.
For the 6-year audit log retention requirement
NIST SP 800-92, the Guide to Computer Security Log Management, makes a reference to HIPAA audit log retention. It states that Section 4.22 of NIST SP 800-66 (An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule) says “documentation of actions and activities need to be retained for at least six years.” In this context it appears NIST’s interpretation of “actions and activities” in HIPAA would include all audit logs. While NIST does not determine HIPAA compliance, OCR’s HIPAA guidance references NIST publications multiple times as solid sources of guidance. You could make the determination that if NIST SP 800-92 puts audit logs in the category of actions and activities when referring to NIST SP 800-66, then they need to be retained at least 6 years per the HIPAA requirement.
HHS put out a bulletin in January 2017 on understanding the importance of audit controls (https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf?language=es), and the bulletin states in one place: “Audit trails’ main purpose is to maintain a record of system activity by application processes and by user activity within systems and applications.” There is one of the three magic words from §164.316(b)(1): activity. One could view this as meaning that items in audit logs fit the definition of an activity as it relates to §164.316(b)(1), and therefore the audit logs that include the details of these activities need to be retained at least 6 years.
Against the 6-year retention requirement
That same January 2017 HHS bulletin also contains points that support this side. First, the bulletin was written specifically about audit logs, and there was not one mention of 6-year audit log retention, or of any required retention period for that matter. Next, the bulletin reiterates that the HIPAA Security Rule does not identify what information should be collected in an audit log or even how often those logs should be reviewed. It points to an organization’s risk analysis results, as well as organizational factors, as the basis for making these decisions. It seems reasonable, then, that if HIPAA doesn’t define these very important things, how long audit log files are retained could also be interpreted as a decision an organization makes after factoring it into its risk analysis. The bulletin also references two sources at the end, one pointing to NIST SP 800-12 and the other to the Security Rule guidance on the HHS website, neither of which says anything about audit log retention. This seems like exactly the place where, if HHS wanted to stress audit logs and all the details around them as they relate to HIPAA, retention would have come up if it were a hard and fast 6-year requirement.
Another point is that requiring 6-year retention with no consideration of the type of actions in the audit logs, the risk of retaining them, the impact on individuals, or the organization and the services it provides seems to go against the spirit of HIPAA. The level of risk a Business Associate might carry, in terms of needing everything in an audit log retained, can be very different from that of a Covered Entity. HIPAA is meant to tie directly to an organization’s risk analysis / risk management program and to allow organizations to take a risk-based approach when defining their controls. The HIPAA Security Rule was, by design, not architected in a prescriptive way.
Now that I’ve provided some rationale from both sides of the fence, I’d like to give my thoughts. If it’s not cost prohibitive for your organization, the safest move is to retain all audit logs for at least 6 years if they record actions on systems containing ePHI. That is the most clear-cut answer, but for many organizations it isn’t feasible, so they must make some decisions. To them I’d say: with HIPAA built in such a non-prescriptive way, allowing organizations to select controls based on their risk analysis / risk management program, I have a hard time seeing the intent of the 6-year documentation retention requirement being that every organization handling ePHI must retain every single audit log in its environment for 6 years without any consideration of risk or impact to the organization.
As I mentioned above, HHS/OCR have made it clear that HIPAA doesn’t specifically tell you what you need to log or even how often you need to review logs. What I find interesting, then, is that §164.316(b)(1)(ii) says: “If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.” HIPAA doesn’t specifically tell you which activities you have to log, just that you should have audit logs that capture the activity in information systems containing ePHI that you deem relevant based on your risk analysis. Therefore, HIPAA does not tell you which specific “action, activity, or assessment” would need to be “documented” in the audit logs. To me that means this requirement gives organizations freedom in determining which critical actions/activities they need to log and retain for at least 6 years. They could maintain other audit logs that support the service for more internal purposes, but put the higher-risk activities documented in audit logs into a category that does require 6-year retention. They can then use their judgment, based on their risk analysis, for the retention of the more operational logs that, while relevant to the ePHI environment, do not seem to carry the level of risk that would require 6-year retention.
If you can clearly demonstrate that you considered audit log retention as part of your risk analysis / risk management program, based on the types of activities being logged, I think you would have solid support for explaining why you didn’t retain your more operational audit logs for 6 years. By taking a risk-based approach, organizations can find the audit log retention plan that best fits them, based on the nature of their organization and the services they provide in the healthcare chain. OCR has made it clear in its history of fines that the driving factor in HIPAA is an organization’s risk analysis and risk management program driving its control selection. If organizations take that into account while determining their audit log retention strategy, they will have a strong case to support their position if they ever need to defend it to OCR.