© 2026 D3rx. All rights reserved.
Technical Safeguards (164.312)

Audit Controls Policy

45 CFR § 164.312(b)

Requires implementation of hardware, software, and procedural mechanisms to record and examine activity in systems that contain or use ePHI. Defines what events to log, how long to retain logs, and who reviews them.

What's Included

  • Policy document
  • Audit log configuration checklist
  • Log retention schedule
  • Audit review procedures
  • Implementation checklist
  • Annual review template
2 pages · ~873 words · 8 sections · Estimated customization: ~10 minutes · Last updated May 2026

Sample Preview

Technical Safeguards (164.312) · Page 1 of 2

Audit Controls Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy requires the implementation of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI at [PRACTICE NAME]. Audit controls create the evidentiary trail necessary to detect unauthorized access, support incident investigations, and demonstrate compliance.

2. Scope

This policy applies to all information systems that create, receive, maintain, or transmit ePHI, including EHR systems, practice management software, patient portals, email systems, file servers, network devices, cloud services, and physical access control systems. It applies to all workforce members responsible for configuring, maintaining, or reviewing these systems.

3. Policy Statement

[PRACTICE NAME] shall implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI, as required by 45 CFR § 164.312(b). Audit logs shall be generated, protected, retained, and reviewed according to the procedures established in this policy.

4. Definitions

Audit Log: A chronological record of system activities maintained by a system that is sufficient to enable the reconstruction, review, and examination of a sequence of events surrounding or leading to an activity.

Audit Trail: The aggregate of audit log entries across systems that documents the who, what, when, where, and how of system activity.

Log Integrity: The assurance that log entries have not been tampered with, altered, or deleted.

SIEM (Security Information and Event Management): A system that collects, correlates, and analyzes log data from multiple sources to detect anomalies and potential security incidents.

5. Procedures

1. AUDIT LOG GENERATION

1.1 All systems containing or processing ePHI shall be configured to generate audit logs that capture the following events at minimum:
  • Successful and failed login attempts
  • User account creation, modification, and deletion
  • Access to patient records (view, create, modify, delete, print, export, download)
  • Changes to system configurations or security settings
  • Privilege escalation events
  • System startup and shutdown
  • Application errors affecting ePHI availability or integrity

1.2 Each audit log entry shall include: date and time of the event, user identification (unique user ID), type of event, affected data or system component, source (IP address, workstation, or device ID where available), and outcome (success or failure).

1.3 The IT Manager shall verify that audit logging is enabled and properly configured on each ePHI system during initial deployment and at least annually thereafter.

2. LOG PROTECTION AND INTEGRITY

2.1 Audit logs shall be protected against unauthorized access, modification, and deletion.

2.2 Where technically feasible, logs shall be transmitted to a centralized log repository or SIEM that is separate from the source system.

2.3 Access to audit logs shall be restricted to the Security Officer, IT Manager, and other specifically authorized personnel.

2.4 Workforce members shall not have the ability to modify or delete their own audit trail entries on the systems they use.

3. LOG RETENTION

3.1 As a matter of [PRACTICE NAME] policy, audit logs shall be retained for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later. (45 CFR § 164.316(b)(2)(i) requires this six-year retention period for required Security Rule documentation — such as records of log reviews, findings, and written policies; [PRACTICE NAME] applies the same period to the underlying audit logs.)

3.2 Archived logs shall be stored securely and remain accessible for investigation or compliance review throughout the retention period.

4. LOG REVIEW

4.1 The Security Officer or designated reviewer shall conduct regular reviews of audit logs per the Information System Activity Review Policy.

4.2 Automated alerting shall be configured where feasible for high-risk events, including: multiple failed login attempts, access to large volumes of records, after-hours access to ePHI systems, and changes to security configurations.

4.3 All review activities and findings shall be documented.
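The data-element requirement in 1.2 and the alert conditions in 4.2 can be checked mechanically. The following is an added example, not part of the D3rx template or any EHR vendor's product: it validates constructed JSON-lines audit entries against the 1.2 fields and applies the four 4.2 conditions. The field names, event names and alert thresholds are assumptions, since the policy names the conditions but leaves the numbers to the practice.

```python
import json
from collections import Counter
from datetime import datetime

# Data elements every entry must carry (policy section 1.2).
REQUIRED_FIELDS = ("timestamp", "user_id", "event_type", "target", "source", "outcome")
FAILED_LOGIN_THRESHOLD = 5     # assumed thresholds: the policy names the conditions, not numbers
BULK_ACCESS_THRESHOLD = 50     # distinct patient records touched per user
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local counts as normal hours
RECORD_EVENTS = {"view", "create", "modify", "delete", "print", "export", "download"}

def _entry(ts, user, event, target, outcome="success"):
    return json.dumps({"timestamp": ts, "user_id": user, "event_type": event,
                       "target": target, "source": "10.0.0.5", "outcome": outcome})

# Constructed sample log (not real ePHI): an entry missing required fields, a burst
# of failed logins, an after-hours bulk export, and one security-setting change.
SAMPLE_LOG = "\n".join(
    [_entry("2026-05-04T08:15:00", "asmith", "view", "patient/1001"),
     json.dumps({"timestamp": "2026-05-04T08:16:00", "event_type": "view"})]
    + [_entry(f"2026-05-04T09:00:{i:02d}", "bgreen", "login", "ehr", "failure") for i in range(6)]
    + [_entry(f"2026-05-04T23:{i:02d}:00", "jdoe", "export", f"patient/{2000 + i}") for i in range(55)]
    + [_entry("2026-05-04T10:30:00", "itadmin", "security_config_change", "password_policy")])

def parse_log(text):
    """Split JSON lines into complete entries and (entry, missing_fields) pairs."""
    complete, incomplete = [], []
    for line in text.splitlines():
        entry = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            incomplete.append((entry, missing))
        else:
            complete.append(entry)
    return complete, incomplete

def high_risk_alerts(entries):
    """Apply the four section 4.2 alert conditions to complete entries."""
    failed = Counter(e["user_id"] for e in entries if e["event_type"] == "login" and e["outcome"] == "failure")
    records, after_hours, config_changes = {}, set(), []
    for e in entries:
        if e["event_type"] in RECORD_EVENTS:
            records.setdefault(e["user_id"], set()).add(e["target"])
        if datetime.fromisoformat(e["timestamp"]).hour not in BUSINESS_HOURS:
            after_hours.add(e["user_id"])
        if e["event_type"] == "security_config_change":
            config_changes.append((e["user_id"], e["target"]))
    return {"failed_logins": {u: n for u, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD},
            "bulk_access": {u: len(r) for u, r in records.items() if len(r) >= BULK_ACCESS_THRESHOLD},
            "after_hours": sorted(after_hours), "config_changes": config_changes}
```

Entries that fail the 1.2 check are returned separately so the reviewer can document the gap under 4.3 rather than silently dropping them.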

5. AUDIT CAPABILITIES BY SYSTEM TYPE

5.1 EHR System: Enable the vendor's built-in audit reporting. Configure patient record access reports and verify they capture all required data elements.

5.2 Operating Systems: Enable Windows Event Logging or equivalent for login events, privilege changes, and system changes.

5.3 Network Devices: Enable logging on firewalls, routers, and switches for connection attempts and configuration changes.

5.4 Cloud Services: Enable the cloud provider's audit logging (e.g., AWS CloudTrail, Azure Activity Log, Google Cloud Audit Logs) and verify log availability and retention settings.

5.5 Email Systems: Enable mail flow logging and administrator audit logging.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Defines audit logging requirements. Reviews or oversees the review of audit logs. Investigates anomalies. Ensures log retention compliance.

IT Manager/Vendor ([IT CONTACT NAME]): Configures audit logging on all systems. Maintains the centralized log repository. Implements automated alerting. Ensures log integrity and retention. Provides log data for investigations.

EHR Vendor: Provides built-in audit logging capabilities. Supports configuration of audit reports. Maintains log data per the BAA terms.

All Workforce Members: Understand that their system activities are logged and auditable. Do not attempt to circumvent or disable audit logging.

7. Review Schedule

This policy shall be reviewed at least annually. Audit logging configurations shall be verified during the annual security evaluation. Log review frequency is governed by the Information System Activity Review Policy.

8. Regulatory References

45 CFR § 164.312(b) — Audit controls (Required)
45 CFR § 164.308(a)(1)(ii)(D) — Information system activity review (Required)
45 CFR § 164.316(b)(2)(i) — Security Rule documentation retention (6 years)
NIST SP 800-92 — Guide to Computer Security Log Management

D3rx · HIPAA Compliance Templates