HIPAA Security: Audit Controls Policy

I. Scope & Applicability

This policy applies to Stanford University HIPAA Components (SUHC) information systems that access, use or maintain electronic protected health information (ePHI).

Information systems that are managed by, or receive technical support from, Stanford Health Care (SHC) or Stanford Children’s Health (SCH) are subject to the policies and procedures of those respective entities.

II. Policy Statement

SUHC will support security management activities designed to detect potential security incidents by implementing hardware, software, and/or procedural mechanisms that will record and examine information systems activity.

III. Principles

  1. Log Files.  For each information system, SUHC will implement automated or procedural audit logging that supports individual accountability, reconstruction of events, intrusion detection, and other problem identification for the purposes of detecting security incidents including wrongful access, disclosure, and data modification.
    1. Log Files Content.  SUHC will record sufficient user and system information to establish when someone has created, accessed, modified, or deleted ePHI.  Log files will, at a minimum, include:
      • Type of event and result
      • Time and day the event occurred
      • User ID associated with the event
      • Program or command used to initiate the event
    2. Log Files Retention.  SUHC will retain log files, at a minimum, until an information system activity review of the files is performed and documented as outlined in the SUHC HIPAA Security: Security Management Policy.  The System Owner will determine what additional retention period may be necessary beyond the completion of a system activity review in order to meet operational, risk management, or regulatory requirements.
  2. Log Files Security.  Unauthorized modification or deletion and other falsification of log files are strictly prohibited.  SUHC will protect log files from unauthorized access by taking the following precautions:
    1. Access Restrictions.  SUHC will restrict access to an information system’s log files to only that system’s System Owners, System Administrators, and other persons responsible for performing system activity review and incident handling as described in the SUHC HIPAA Security: Security Management Policy.
    2. Separation of Duties.  Whenever possible, SUHC security personnel who administer the access control function will not also administer the log files.  For information regarding the access control function, refer to the SUHC HIPAA Security: Information Access Controls Policy.
  3. Log Files Back-up and Storage Requirements.  Backup and storage requirements are covered in the SUHC HIPAA Security: Contingency Planning Policy.

IV. Procedures

Each department or program included in the SUHC will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy.  Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.

V. Exceptions

Any exceptions to this policy must be approved by the Stanford University Chief Information Security Officer or delegate.

VI. Related Documents

  1. SUHC HIPAA Security: Information Access Controls Policy
  2. SUHC HIPAA Security: Security Management Policy
  3. SUHC HIPAA Security: Contingency Policy

VII. Document Information

  1. Legal Authority/References
    Health Insurance Portability and Accountability Act of 1996: Administrative Simplification Rules (as amended through 3/26/13), §164.312(b)
  2. Contact for Questions Related to this Policy
    Stanford University Chief Information Security Officer
    securityofficer@stanford.edu
  3. Document Review History
    Version | Date       | Modified | Comments
    1.0     | 01/28/2005 | Yes      |
    1.1     | 12/07/2015 | Yes      | Reviewed and updated by Aaron Arutunian

This document is intended for use by Stanford University. No representations or warrants are made for outside use. Not for outside reproduction or publication without permission.

Last modified May 4, 2016