HIPAA Audit Controls 45 CFR 164.312(b)
The Audit Controls standard requires hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). This guide explains exactly what 164.312(b) requires, what evidence OCR looks for, and how to implement it without a finding.
What are HIPAA audit controls?
HIPAA audit controls are the hardware, software, and procedural mechanisms a covered entity or business associate must implement to record and examine activity in any information system that contains or uses electronic protected health information. The requirement comes from 45 CFR 164.312(b), a technical safeguard under the HIPAA Security Rule. In plain terms: you must log who did what to ePHI, when, and from where, and you must actually review those logs. Audit controls are a Required standard, not Addressable, so every regulated organization must implement them regardless of size.
Two activities satisfy the standard together: recording system activity (audit logging) and examining that activity (audit log review). Logging alone is not compliance. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) treats audit logs as primary evidence in breach investigations because they are often the only way to prove what did, or did not, happen to a patient record.
Key takeaways
- 164.312(b) is Required, not Addressable. There is no implementation specification to scope around; the audit mechanism itself is the requirement.
- Logging plus review. You must both capture activity and examine it. Unreviewed logs are the single most common audit-controls finding.
- Retain records six years. 45 CFR 164.316(b)(2)(i) requires that HIPAA documentation, including audit-control records, be kept for six years, far longer than most default log retention.
- Cover every ePHI system. EHR, identity provider, endpoints, email, and cloud or SaaS apps all need aggregated, reviewable logs.
- Evidence beats intent. OCR asks for the role-based access matrix, the review cadence, and dated review artifacts, not a policy that says you log.
- A platform plus a program wins. A SIEM records activity; a documented review process, named reviewer, and retention policy make it defensible. Petronella Technology Group pairs both.
What the regulation requires
There are no separate implementation specifications under this standard. The requirement is the audit mechanism itself, which is why OCR treats it as one of the most clear-cut technical safeguards to enforce. NIST SP 800-66 Revision 2 (February 2024) crosswalks 164.312(b) to the logging and monitoring families in NIST SP 800-53 and the DETECT function of NIST CSF 2.0, so a well-built audit-controls program also advances broader frameworks like NIST 800-171 and SOC 2.
The HIPAA Security Rule deliberately stays technology-neutral. It does not name a product, a log format, or a retention period inside 164.312(b) itself. That flexibility is why so many practices misjudge the bar: they enable logging in their EHR, assume they are done, and never build the review and retention layer that actually proves compliance.
Implementation specification
Audit Mechanisms
Hardware, software, and procedural controls that record and examine activity in any system containing ePHI: login events, ePHI views, exports, configuration changes, and security alerts. (164.312(b))
What HIPAA audit controls must record
| Activity to record | Why it matters under 164.312(b) | Evidence OCR asks for |
|---|---|---|
| Authentication events | Failed and successful logins reveal credential attacks and account sharing. | Login/logout logs with timestamps and source IP, retained six years. |
| ePHI access (views) | Detects snooping, VIP-record access, and unauthorized viewing. | Record-level access logs tied to a named user identity. |
| Creation, modification, deletion | Supports the Integrity safeguard (164.312(c)) and breach forensics. | Change history showing who altered which record and when. |
| Exports and bulk downloads | Mass downloads are the classic insider-exfiltration signal. | Export/print/download logs with volume and destination. |
| Privileged and admin actions | Admin accounts can disable logging or alter permissions. | Privileged-access monitoring and configuration-change logs. |
| Security alerts | Demonstrates the examine half of the standard, not just record. | Dated review artifacts showing alerts were triaged. |
How Petronella implements this safeguard
Every Petronella Technology Group HIPAA engagement maps 45 CFR 164.312(b) to documented evidence in your environment. Petronella Technology Group has secured regulated practices since 2002, holds CyberAB Registered Provider Organization status (RPO #1449), and has been BBB A+ accredited since 2003. This is what implementing the HIPAA audit controls standard looks like in practice:
- Centralized SIEM aggregating EHR audit logs, identity-provider events, endpoint telemetry, email security logs, and cloud platform logs into one reviewable timeline.
- Six-year log retention to satisfy 164.316(b)(2)(i), with immutable archival for legal hold and breach forensics.
- Daily automated review of high-risk events: privileged access, mass downloads, after-hours ePHI access, and VIP record access.
- Quarterly user-activity sampling against the role-based access matrix, which is the exact artifact OCR requests during an investigation.
- A named Security Official accountable for the review cadence, delivered through our vCISO services when you do not have one in house.
The documentation, training records, BAA inventory, and dated review artifacts live in ComplianceArmor, our proprietary compliance platform, with optional HIPAA managed IT services handling the technical safeguard layer. As Craig Petronella details in How HIPAA Can Crush Your Medical Practice (2026 Edition), the practices that survive an OCR audit are the ones that can produce the review artifact on demand, not the ones with the most logging turned on.
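As an added illustration of the "examine" half of the standard (not code from Petronella or from any EHR vendor), the following script runs the daily high-risk review described above over a few constructed audit records, flagging the event classes in the table and the review list (after-hours ePHI views, mass downloads, VIP record access, privileged configuration changes) and emitting a dated review artifact. The log schema, business hours, VIP list and export threshold are assumptions chosen for the example.

```python
from datetime import datetime

# Constructed sample EHR audit events (illustrative, not a vendor's schema).
# Timestamps are assumed to be clinic local time.
SAMPLE_LOG = [
    {"ts": "2024-03-04T14:02:11", "user": "rn.alvarez", "role": "nurse",
     "action": "view", "patient": "P1001"},
    {"ts": "2024-03-04T02:17:45", "user": "rn.alvarez", "role": "nurse",
     "action": "view", "patient": "P1002"},
    {"ts": "2024-03-04T15:30:00", "user": "clerk.nguyen", "role": "billing",
     "action": "export", "records": 1200},
    {"ts": "2024-03-04T16:10:09", "user": "dr.patel", "role": "physician",
     "action": "view", "patient": "VIP-0007"},
    {"ts": "2024-03-04T16:12:30", "user": "sysadmin", "role": "admin",
     "action": "config_change", "detail": "audit_log_level=off"},
]

# Assumed review parameters; a real program takes these from written policy.
VIP_PATIENTS = {"VIP-0007"}        # records whose every access is reviewed
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 counts as normal access
MASS_DOWNLOAD_THRESHOLD = 100      # records in one export that count as bulk


def classify(event):
    """Return the high-risk categories (after-hours, mass download, VIP,
    privileged) that apply to one event; empty list means routine."""
    flags = []
    hour = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S").hour
    if event["action"] == "view" and hour not in BUSINESS_HOURS:
        flags.append("after_hours_access")
    if (event["action"] == "export"
            and event.get("records", 0) >= MASS_DOWNLOAD_THRESHOLD):
        flags.append("mass_download")
    if event.get("patient") in VIP_PATIENTS:
        flags.append("vip_record_access")
    if event["role"] == "admin" and event["action"] == "config_change":
        flags.append("privileged_action")   # includes attempts to weaken logging
    return flags


def daily_review(events, reviewer, review_date):
    """Examine every event and return a dated artifact naming the reviewer,
    the number of events examined, and the findings to be triaged."""
    findings = []
    for event in events:
        flags = classify(event)
        if flags:
            findings.append({**event, "flags": flags})
    return {"review_date": review_date, "reviewer": reviewer,
            "events_examined": len(events), "findings": findings}
```

Storing each returned artifact alongside the logs, under the same six-year retention, is what turns a review that happened into a review you can prove.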
DIY logging vs a managed audit-controls program
| Capability | DIY / EHR defaults | Petronella managed program |
|---|---|---|
| Log coverage | EHR only; cloud, email, and endpoints often missed | All ePHI systems aggregated in one SIEM |
| Log review | Rarely performed; no dated artifact | Daily high-risk review + quarterly sampling, documented |
| Retention | 30–365 days by default | Six-year immutable retention per 164.316(b)(2)(i) |
| OCR evidence | Policy text only | Role-based access matrix + dated review records in ComplianceArmor |
| Insider detection | VIP/snooping access usually undetected | Behavioral alerts on after-hours and VIP record access |
| Accountability | Unassigned or "IT will handle it" | Named Security Official via vCISO |
Free 30-minute HIPAA audit-controls gap check
We will review your current logging, retention, and review process against 45 CFR 164.312(b) and tell you exactly where an OCR auditor would find a gap. No cost, no obligation.
Where most practices fall short
OCR resolution agreements, HHS audit reports, and our own engagements show the same handful of gaps under 45 CFR 164.312(b). We surface these before they become a finding.
- EHR audit logging is on but no one reviews the logs. This was cited in the $2 million Excellus settlement and the $5.5 million Memorial Healthcare settlement, where a business associate was found to have repeatedly accessed celebrity records undetected.
- Logs retained for 30 to 365 days by default, blowing the six-year HIPAA documentation requirement under 164.316(b)(2)(i).
- Cloud and SaaS application audit logs are not aggregated, so post-incident investigation has blind spots exactly where modern ePHI lives.
- VIP and employee record access is never reviewed, leaving snooping cases undetected for years and turning a single curious login into a reportable breach.
- No dated review artifact exists, so even a practice that does review logs cannot prove it to OCR.
HIPAA audit controls: frequently asked questions
What does 45 CFR 164.312(b) require?
It requires covered entities and business associates to implement hardware, software, and procedural mechanisms that record and examine activity in any information system that contains or uses electronic protected health information. Both recording (logging) and examining (review) are required, and there are no separate implementation specifications to scope around.
Are HIPAA audit controls Required or Addressable?
Audit controls are a Required standard under the HIPAA Security Rule, so every regulated organization must implement them. Unlike Addressable specifications, you cannot document a rationale for not implementing audit controls. The only judgment call is how, given your systems and risk, not whether.
How long must HIPAA audit logs be retained?
HIPAA documentation, including audit-control records and the review artifacts that prove examination occurred, must be retained for six years under 45 CFR 164.316(b)(2)(i). Many systems default to 30 to 365 days, so retention is one of the most common gaps. Petronella Technology Group configures six-year immutable archival to close it.
Is enabling logging in my EHR enough for compliance?
No. Logging satisfies only the record half of 164.312(b). The standard also requires you to examine that activity, and OCR specifically asks for dated review artifacts and a role-based access matrix. Unreviewed logs are the single most common audit-controls finding we see during gap assessments.
What evidence does OCR ask for during a HIPAA audit?
OCR typically requests the role-based access matrix, your documented log-review cadence, dated review records showing the review actually happened, and proof of six-year retention. A policy that says you log activity is not sufficient; OCR wants the artifacts that demonstrate ongoing examination.
Which systems need audit controls?
Every information system that contains or uses ePHI: the EHR or EMR, the identity provider, endpoints, email and secure messaging, and any cloud or SaaS application that touches patient data. The most common blind spot is cloud and SaaS logs that are never aggregated with on-premise systems.
How do HIPAA audit controls relate to NIST and SOC 2?
NIST SP 800-66 Rev 2 crosswalks 164.312(b) to the audit and accountability families in NIST SP 800-53 and the DETECT function of NIST CSF 2.0. A properly built audit-controls program therefore also advances NIST 800-171 and SOC 2 logging and monitoring criteria, which is why Petronella designs one logging architecture that serves multiple frameworks.
Can Petronella Technology Group manage audit controls for us?
Yes. We deliver a managed audit-controls program built on ComplianceArmor: centralized SIEM, six-year retention, daily high-risk review, quarterly access-matrix sampling, and a named Security Official through our vCISO service. As a CyberAB Registered Provider Organization (RPO #1449) securing regulated practices since 2002, we produce the exact evidence OCR asks for. Call 919-348-4912 for a free gap check.
Related HIPAA safeguards
The Audit Controls standard interacts with several other Security Rule standards. Cover them together for a defensible program, and start with a HIPAA security risk assessment to scope the whole environment.
Need help with HIPAA Audit Controls?
Talk to a HIPAA specialist from a team that has secured regulated practices since 2002. We will map 164.312(b) to your systems, build the review and retention layer OCR asks for, and run it for you. Free consultation, no long-term contract required.