Log every access, create, update, delete, and disclosure event for records containing PHI; each log entry must capture who (user/system ID), what (resource type and ID), when (UTC timestamp), from where (IP address, device), and the outcome (success/failure).
Use an append-only log store (e.g. a write-once S3 bucket, a WORM-compliant database table, or a dedicated audit logging service) to prevent tampering or deletion of audit records.
Encrypt audit logs at rest using AES-256 or equivalent and in transit using TLS 1.2+; restrict read access to audit logs to security and compliance roles only.
Retain audit logs for a minimum of six years from the date of creation or last effective date, as required by the HIPAA Security Rule.
Implement automated alerts for anomalous patterns such as bulk exports, access outside normal hours, repeated failed authentication attempts, or access to records by users without a care relationship.
Periodically review audit logs and document reviews as part of your HIPAA risk management program; prepare log export procedures for breach investigations.
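Added example, not part of the original checklist: a small Python detector that runs the four alert patterns named above over audit events carrying the who/what/when/where/outcome fields from the first item. The event records, the CARE_TEAM lookup, the thresholds and the per-user, per-UTC-day window are assumptions made for illustration, and business hours are assumed to be expressed in UTC.

```python
from collections import Counter
from datetime import datetime

def ev(who, action, what, when, ip, outcome="success"):
    return {"who": who, "action": action, "what": what,
            "when": when, "ip": ip, "outcome": outcome}

# Constructed sample events (not real data), one field per checklist item.
EVENTS = [
    ev("dr_lee", "read", "Patient/1001", "2024-03-04T14:02:11Z", "10.0.4.17"),
    ev("nurse_kim", "read", "Patient/1002", "2024-03-04T02:40:00Z", "10.0.4.30"),
    ev("clerk_roy", "login", "Session/-", "2024-03-04T09:00:01Z", "203.0.113.9", "failure"),
    ev("clerk_roy", "login", "Session/-", "2024-03-04T09:00:05Z", "203.0.113.9", "failure"),
    ev("clerk_roy", "login", "Session/-", "2024-03-04T09:00:09Z", "203.0.113.9", "failure"),
    ev("clerk_roy", "read", "Patient/1001", "2024-03-04T09:05:00Z", "203.0.113.9"),
    ev("dr_lee", "export", "Patient/1001", "2024-03-04T15:00:00Z", "10.0.4.17"),
    ev("dr_lee", "export", "Patient/1003", "2024-03-04T15:00:02Z", "10.0.4.17"),
    ev("dr_lee", "export", "Patient/1004", "2024-03-04T15:00:04Z", "10.0.4.17"),
]
# Hypothetical care-relationship lookup: record -> users allowed to treat it.
CARE_TEAM = {"Patient/1001": {"dr_lee"}, "Patient/1002": {"nurse_kim"},
             "Patient/1003": {"dr_lee"}, "Patient/1004": {"dr_lee"}}

def detect(events, care_team, hours=(7, 19), fail_limit=3, export_limit=3):
    """Return sorted (rule, user) alerts; thresholds are illustrative."""
    alerts, fails, exports = set(), Counter(), Counter()
    for e in events:
        ts = datetime.strptime(e["when"], "%Y-%m-%dT%H:%M:%SZ")
        key = (e["who"], ts.date())          # per-user, per-UTC-day window
        if e["action"] == "login":
            if e["outcome"] == "failure":
                fails[key] += 1
                if fails[key] >= fail_limit:
                    alerts.add(("repeated_failed_auth", e["who"]))
            continue
        if not hours[0] <= ts.hour < hours[1]:
            alerts.add(("off_hours_access", e["who"]))
        if e["who"] not in care_team.get(e["what"], set()):
            alerts.add(("no_care_relationship", e["who"]))
        if e["action"] == "export":
            exports[key] += 1
            if exports[key] >= export_limit:
                alerts.add(("bulk_export", e["who"]))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, user in detect(EVENTS, CARE_TEAM):
        print(f"ALERT {rule}: {user}")
```

The alert tuples carry only the rule name and user ID, so the alerting channel does not receive patient identifiers from the audit records.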
Known gotchas
Audit logs themselves may contain PHI (e.g. patient IDs, resource descriptions); they must be protected with the same or greater controls as the primary data store and are subject to the same retention and breach notification requirements.
Application-layer logs alone are insufficient; ensure infrastructure-level logs (cloud provider access logs, database audit logs, network flow logs) are also captured and correlated to provide a complete audit trail.
Logging everything can generate enormous volumes; balance completeness with storage and cost constraints by ensuring all PHI-touching events are captured, then apply sampling or aggregation only for non-PHI infrastructure noise.