Let me clarify my statement for everyone.
I believe the question was asking about audit logs which are not the same as privacy 'accounting of disclosures.'
In my experience some people have incorrectly interpreted the 6 year documentation retention requirement in the security rule, section 164.316(b)(2)(i), as a time requirement for audit log retention. There is no time requirement in either the privacy or security rule for audit log retention. If someone can find a law that mandates 6 years for audit log retention, please let me know, because I need to go buy some stock in DASD companies. The amount of storage needed for that would be astronomical.
Following HIPAA Security Rule guidelines, an organization needs to determine, through risk assessment, not only the retention time for audit logs but also what data is logged and on which systems audit logs are enabled. It is unrealistic and impractical to think that an organization with hundreds of applications is going to have a complete or even partial audit log for all of those. There are cost, system response time, availability, and any number of other factors that need to be considered when determining whether or not to enable an audit log, what to include in that log, and how long to keep it.
Jeffrey D. Blevens
KP-IT Compliance
HIPAA Program - Security
Kaiser Foundation Health Plan Inc.
500 NE Multnomah
Portland, OR 97232
Office 503-813-4139
Cell 503-319-5293
"K McMillen (CSA)" <[EMAIL PROTECTED]>
07/22/2003 01:19 PM
To: "WEDI SNIP Security Workgroup List" <[EMAIL PROTECTED]>
cc:
Subject: RE: Acceptable time-frames to keep Audit logs
At 01:14 PM 7/22/2003 -0500, KERBER, JEFF wrote:
Where in the security rules do you see a 6 year mandate for audit logs?
It is in the Privacy Regs:
§ 164.528 Accounting of disclosures of protected health information.
(a) Standard: right to an accounting of disclosures of protected health information.
(1) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
(3) An individual may request an accounting of disclosures for a period of time less than six years from the date of the request.
The six years cannot precede the start of the privacy regs, but can happen as much as 6 years from now.
kmac
Keith McMillen, CTO
Comprehensive Solutions Affiliates, Inc.
Affordable Compliance Solutions
Visit us at www.csa-hipaa.com
Phone: 630.337.0236
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org