HIPAA log requirements clarification
In response to yesterday's diary we have received quite the flurry of emails
asking for clarification of the six-year HIPAA log retention requirement. This
may seem a bit convoluted if you're not used to rummaging around inside US
Federal statutes...here goes.
The specific language in HIPAA introduces the six year window in two
"An individual has a right to receive an accounting of
disclosures of protected health information made by a covered entity
in the six years prior to the date on which the accounting is
with regard to "Security Standards for the Protection of
Electronic Protected Health Information":
"(i) Time limit (Required). Retain the documentation
required by paragraph (b)(1) of this section for 6 years from the date
of its creation or the date when it last was in effect, whichever is
This part pertains to records that:
"(i) Maintain the policies and procedures implemented to comply with
this subpart in written (which may be electronic) form;
"(ii) If an action, activity or assessment is required by this subpart
to be documented, maintain a written (which may be electronic) record
of the action, activity, or assessment."
Regarding the above patient right to receive notification:
"disclosures" is a tough word, as such PHI (Protected Health
Information) disclosure can be intentional, accidental, malicious,
etc. To exercise due diligence in the protection of PHI we (I and
others) conduct security audits, penetration tests, policy reviews,
etc. Should a covered entity NOT retain system logs for 6 years and it
be later revealed that PHI was disclosed but system records of that
disclosure are no longer available, especially at the request of the
patient, there is a problem.
As for the second bit, it is much clearer that you must record and
maintain records about policies & procedures & their enforcement.
This has little to do with system and network logs.
Even the Office of the Secretary of HHS waffled when asked about retaining system logs. From Federal Register / Vol. 68, No. 34 -
q. Comment: One commenter asked that data retention be addressed more
specifically, since this will become a significant issue over time. It
is recommended that a national work group be convened to address this
Response: The commenter's concern is noted. While the
documentation relating to Security Rule implementation must be
retained for a period of 6 years (see § 164.316(b)(2)), it is not
within the scope of this final rule to address data retention time
frames for administrative or clinical records.
As is indicated here, the six year standard need not be taken
literally for all system and network logs. However, as the language is
deliberately vague, there is the possibility of later court
"interpretation". For now, you need to weigh the costs of storage vs.
the risk of a hungry litigator & willing court. For fileserver access
logs, this is probably wise. For router, IDS/IPS/firewall logs, you
are less likely to run into troubles.
The final rule can be read at:
Mozilla foundation discloses and fixes three vulns
Mark Dowd of the discovered
a GIF library overflow condition that could be used to execute arbitrary code
with the rights of the browser or mail client process. According to ISS:
Firefox 1.0.2, Thunderbird 1.0.2, and Mozilla Suite 1.7.6 address this and two
other less serious bugs. Mozilla advisories are at:
And for goodness' sake, folks, always ski in control!
Mar 24th 2005