Implement HIPAA-compliant audit logging for PHI access in a FHIR agent pipeline

domain: fhir · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Log every FHIR API request that accesses PHI: record timestamp (UTC), user/system identity (client_id, user ID from token sub claim), patient ID accessed, resource type and ID, FHIR operation (read, search, create, update), and HTTP status code.
  2. Use the FHIR AuditEvent resource structure as a logging schema: AuditEvent.agent[] for who acted, AuditEvent.entity[] for what was accessed (patient, resource), AuditEvent.recorded for timestamp, and AuditEvent.outcome for success/failure.
  3. Store audit logs in an append-only, tamper-evident store separate from the application database; access to audit logs should require elevated privilege distinct from application access.
  4. Implement PHI minimization in logs: do not log full resource payloads, query parameter values that contain PHI (e.g., patient names in search parameters), or response bodies; log only identifiers and metadata.
  5. Retain audit logs for at least 6 years per HIPAA requirements; implement automated retention policies and ensure logs are included in your organization's backup and disaster recovery plan.
  6. Generate regular audit reports showing access patterns; flag anomalies such as bulk access (many patients in a short window), off-hours access, or access by identities not associated with active care relationships.
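
An added example (not part of the original route or of any project's code) covering steps 1, 2 and 4 and the tamper-evidence part of step 3: it builds an AuditEvent-shaped record from request metadata, keeps only the names of search parameters, and hash-chains the entries. The function names, the in-memory list standing in for the audit store, and the HTTP-status-to-outcome mapping are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import parse_qsl

ACTION = {"read": "R", "search": "E", "create": "C", "update": "U"}  # AuditEvent.action codes
GENESIS = "0" * 64  # constructed starting value for the hash chain

def build_audit_event(claims, operation, rtype, rid, query, status, patient_id=None, now=None):
    """Map one FHIR request to an AuditEvent-shaped dict: identifiers and metadata only."""
    entity = []
    if patient_id:
        entity.append({"what": {"reference": f"Patient/{patient_id}"}})
    if operation == "search":
        # Keep search parameter NAMES only; the values (names, birth dates) may be PHI.
        names = sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)})
        entity.append({"description": f"{rtype} search; params: {','.join(names)}"})
    else:
        entity.append({"what": {"reference": f"{rtype}/{rid}"}})
    return {
        "resourceType": "AuditEvent",
        "subtype": [{"system": "http://hl7.org/fhir/restful-interaction", "code": operation}],
        "action": ACTION[operation],
        "recorded": (now or datetime.now(timezone.utc)).isoformat(),
        # Assumed mapping: below 400 -> "0" success, 4xx -> "4" minor, 5xx -> "8" serious.
        "outcome": "0" if status < 400 else "4" if status < 500 else "8",
        "outcomeDesc": f"HTTP {status}",
        "agent": [{"who": {"identifier": {"value": claims["sub"]}}, "requestor": True},
                  {"who": {"identifier": {"value": claims["client_id"]}}, "requestor": False}],
        "entity": entity,
    }

def _digest(prev, event):
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()

def append_event(log, event):
    """Append an entry whose hash covers the previous entry's hash (tamper evidence)."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": event, "hash": _digest(prev, event)})
    return log[-1]["hash"]

def verify_chain(log):
    """Return the index of the first altered or relinked entry, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return -1
```

A hash chain detects edits only if the latest hash is also kept somewhere the log writer cannot modify; the append-only store and its separate access control from step 3 are still required.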
