hipaa-ts-2 High priority Technical Safeguards / Audit Controls

Implement hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI

Audit logging is fundamental to accountability: you cannot investigate a breach if you have no record of who accessed what and when. HIPAA requires covered entities to implement technical mechanisms to record activity in systems that contain ePHI. This includes login and logoff events, record access and modifications, user provisioning changes, and failed access attempts. Audit logs must be retained for a sufficient period to support breach investigations and reviewed regularly for suspicious activity.

Implementation steps

  1. Enable audit logging on all ePHI systems

     Configure all systems containing ePHI to generate audit logs capturing: user login and logoff, access to patient records (view, create, modify, delete), failed access attempts, administrative actions such as user provisioning, and system events. Verify that logging is enabled and generating records for all relevant activity.

     Tools: splunk, microsoft-sentinel, aws-cloudtrail, azure-monitor

  2. Centralize and retain audit logs

     Aggregate audit logs from all ePHI systems into a centralized logging system. Retain logs for at least 6 years (aligned with HIPAA's documentation retention requirement). Ensure logs are protected from modification or deletion: logs stored in a centralized system with write-once controls are harder to tamper with, and the source system should not be the only copy.

     Tools: splunk, microsoft-sentinel, aws-cloudwatch-logs, datadog

  3. Review audit logs regularly

     Establish procedures for regular review of audit logs. High-risk events (mass record downloads, after-hours access, access to records of VIP patients) should generate automated alerts. Periodic manual reviews should look for patterns that automated rules miss. Document review activities and any findings.

     Tools: splunk, microsoft-sentinel, datadog
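As an added example (not part of this control page or of any of the tools listed), the three high-risk patterns named in step 3 as detection logic run over a few constructed EHR audit records. The record field names, the export threshold, the business-hours window and the VIP watch-list are assumptions to be replaced with your organisation's own values.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not from any real EHR); field names are an assumption.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:00", "user": "nurse01", "action": "view", "patient": "P1001"}
{"ts": "2024-03-04T02:41:00", "user": "clerk02", "action": "view", "patient": "P1002"}
{"ts": "2024-03-04T10:05:00", "user": "nurse01", "action": "view", "patient": "P9001"}
{"ts": "2024-03-04T14:00:00", "user": "analyst07", "action": "export", "patient": "P2001"}
{"ts": "2024-03-04T14:01:00", "user": "analyst07", "action": "export", "patient": "P2002"}
{"ts": "2024-03-04T14:02:00", "user": "analyst07", "action": "export", "patient": "P2003"}
{"ts": "2024-03-04T14:03:00", "user": "analyst07", "action": "export", "patient": "P2004"}
{"ts": "2024-03-04T14:04:00", "user": "analyst07", "action": "export", "patient": "P2005"}
"""

# Tuning values are assumptions; derive them from your own access baseline.
MASS_DOWNLOAD_THRESHOLD = 5    # distinct patient records exported by one user
BUSINESS_HOURS = (7, 19)       # 07:00 to 19:00 local time counts as normal
VIP_PATIENTS = {"P9001"}       # watch-list maintained by the privacy office

def parse_log(text):
    """Parse newline-delimited JSON audit records; 'ts' becomes a datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records

def detect_high_risk(records, threshold=MASS_DOWNLOAD_THRESHOLD,
                     hours=BUSINESS_HOURS, vip=VIP_PATIENTS):
    """Return (rule, user, detail) tuples for the high-risk patterns named in step 3."""
    alerts = []
    exported = defaultdict(set)    # user -> distinct patient ids exported
    for rec in records:
        if not hours[0] <= rec["ts"].hour < hours[1]:
            alerts.append(("after_hours_access", rec["user"], rec["patient"]))
        if rec["patient"] in vip:
            alerts.append(("vip_record_access", rec["user"], rec["patient"]))
        if rec["action"] == "export":
            exported[rec["user"]].add(rec["patient"])
    for user, patients in sorted(exported.items()):
        if len(patients) >= threshold:
            alerts.append(("mass_record_download", user, len(patients)))
    return alerts

if __name__ == "__main__":
    for alert in detect_high_risk(parse_log(SAMPLE_LOG)):
        print(alert)    # each tuple is one finding to document per step 3
```

Each returned tuple is an alert to record alongside the reviewer's disposition, which is the "triggered alert records" evidence item below.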

Evidence required

Audit logging configuration

Evidence that audit logging is enabled and capturing required events.

  - Logging configuration for EHR or ePHI systems
  - SIEM ingestion configuration
  - Audit log sample showing required event types

Log retention policy

Documentation of how long logs are retained and where they are stored.

  - Log retention policy
  - SIEM retention configuration

Log review records

Evidence that logs are reviewed.

  - Scheduled log review reports
  - Alerting rules and triggered alert records

Related controls