I am looking at a customer’s log table and the table is 467 megabytes in size when dumped to a file. How long do we need to keep this data around, and/or would it not be reasonable to have a backup to rotate it to?
Q: Our system generates audit logs that capture all accesses and updates to patient information. What does HIPAA require in terms of audit log retention?
A: CMS provides no clear guidance pertaining to audit log retention, so the debate continues. However, there are generally two opinions regarding how long you should retain your audit logs.
One opinion, with which I concur, requires you to review audit logs on a regular basis and to formally document this in your policies and procedures. After reviewing the audit logs and writing a formal findings report, it is a good idea to retain audit logs for 60–90 days following the completion of the report. This allows time for any necessary mitigation if anomalies are found. Thereafter, retention of the audit logs is unnecessary, but you should retain the report for six years.
The other school of thought requires you to retain audit logs and the formal findings reports for six years. Even though audit logs require significant storage space when retained for this amount of time, the cost of storage has decreased. Therefore, it is logical to assume that you need to retain audit logs, just like any other security-related records, for the full HIPAA-required retention period.