Logging Is Not the Requirement
Ask a healthcare practice whether it meets the HIPAA audit control requirement and the answer is almost always yes — "our EHR keeps an audit trail, our firewall logs traffic, our server records access." All true, and all beside the point. The Security Rule's audit control standard at §164.312(b) requires mechanisms to record and examine activity in systems that contain electronic PHI. The recording half is usually handled automatically by the software. The examining half — the part that actually detects a problem — is where the overwhelming majority of organizations fall short.
This distinction is not academic. In multiple 2025 enforcement actions, OCR cited covered entities that could not demonstrate they had reviewed system activity logs before a breach. The logs existed. The intrusion was sitting in them. Nobody had looked. OCR's read is straightforward: a log that is collected but never examined is evidence that the organization was not monitoring for indicators of compromise. You had the data and you missed the warning.
Why Unreviewed Logs Are Worse Than No Logs
There is an uncomfortable corollary here. When an organization with no logging suffers a breach, the finding is a failure to implement audit controls. When an organization that logs everything but reviews nothing suffers a breach, the finding can be sharper: the evidence of the attacker's activity was captured, retained, and ignored. The first looks like a gap. The second looks like negligence. The forensic timeline OCR reconstructs after the fact will show exactly when the anomalous access began — and exactly how long it went unnoticed in logs the organization was keeping.
What "Review" Actually Means at a Small Practice
The reasonable objection is that no small practice has a security operations center watching dashboards around the clock. That is true, and HIPAA does not require one. The standard is reasonableness scaled to your size and resources. For most covered entities, a defensible log review practice has four characteristics:
- It is scoped. You are not reading every line of every log. You are reviewing a defined set of high-signal events: failed login bursts, access from new or foreign locations, after-hours activity in clinical systems, privilege escalations, and bulk record exports.
- It is scheduled. Review happens on a stated cadence — weekly for the highest-signal events, monthly for the broader sweep — not "when something feels off."
- It is documented. Each review leaves a record: who reviewed, what period, what was examined, and what was found or escalated. That record is the evidence that the control operates.
- It has a response path. When the review surfaces something, there is a defined next step — investigate, escalate, or document as benign — rather than a shrug.
The High-Signal Events Worth Your Attention
The art of log review is ignoring the noise to find the signal. For a healthcare environment, a short list of patterns deserves standing attention:
- Impossible travel. A user account that logs in from two distant locations within an interval too short for any human to travel between them is a near-certain sign of compromised credentials. This is one of the most reliable early indicators of the credential-based attacks driving healthcare breaches.
- Access by terminated accounts. Any activity on a credential that belongs to someone who has left is an emergency. It is also entirely preventable with disciplined offboarding, which is why this event should be near-zero if your access revocation is working.
- Records access without a treatment relationship. An employee viewing the chart of a celebrity patient, a coworker, a neighbor, or a family member is the classic snooping pattern. EHR audit trails capture it; someone has to look.
- Bulk exports and unusual query volume. A single account suddenly pulling thousands of records is either a legitimate reporting job or the staging phase of data exfiltration. The review distinguishes them.
- Authentication failures at scale. A burst of failed logins against one account or many is the audible signature of a password-spraying or brute-force attempt.
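As an added illustration (not code from this article or from the HIPAA Security Suite product), the following Python script turns four of the five patterns above into detection rules and runs them over a handful of constructed audit-log lines; the records-without-treatment-relationship check is left out because it needs a scheduling or care-team data source. The log format, the terminated-account list and every threshold are assumptions a practice would replace with its own.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample EHR audit-log lines (not from any real system).
SAMPLE_LOG = """\
2025-03-03T02:14:05 login ok user=jdoe ip=203.0.113.8 lat=40.71 lon=-74.01
2025-03-03T02:40:12 login ok user=jdoe ip=198.51.100.7 lat=34.05 lon=-118.24
2025-03-03T08:00:01 login fail user=msmith ip=192.0.2.9
2025-03-03T08:00:04 login fail user=msmith ip=192.0.2.9
2025-03-03T08:00:07 login fail user=msmith ip=192.0.2.9
2025-03-03T09:30:00 chart view user=tgreen ip=192.0.2.21
2025-03-03T11:05:40 export run user=rlee ip=192.0.2.30 records=4200
"""
TERMINATED = {"tgreen"}             # assumed: kept in sync with HR offboarding
MAX_SPEED_KMH = 900                 # faster than an airliner between two logins
FAIL_BURST, FAIL_WINDOW_S = 3, 600  # N failures on one account inside 10 minutes
EXPORT_LIMIT = 1000                 # records in one export job that warrant a look

def parse(line):
    """One line -> dict: timestamp, event, outcome, then key=value fields."""
    ts, kind, outcome, *fields = line.split()
    ev = dict(kv.split("=", 1) for kv in fields)
    ev.update(ts=datetime.fromisoformat(ts), kind=kind, outcome=outcome)
    return ev

def km(a, b):  # great-circle (haversine) distance in km between (lat, lon) points
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def review(log):
    """Return (rule, user) findings for a reviewer to triage, in log order."""
    findings, last_login, fails = [], {}, {}
    for ev in map(parse, log.splitlines()):
        u, login = ev["user"], ev["kind"] == "login"
        if u in TERMINATED:                    # any activity at all is a finding
            findings.append(("terminated-account-activity", u))
        if login and ev["outcome"] == "fail":  # failures on one account in the window
            fails.setdefault(u, []).append(ev["ts"])
            if sum((ev["ts"] - t).total_seconds() <= FAIL_WINDOW_S for t in fails[u]) == FAIL_BURST:
                findings.append(("auth-failure-burst", u))   # fires once, at the threshold
        if login and ev["outcome"] == "ok":    # speed implied by two successive logins
            here, prev = (float(ev["lat"]), float(ev["lon"])), last_login.get(u)
            hours = (ev["ts"] - prev[0]).total_seconds() / 3600 if prev else 0
            if hours > 0 and km(prev[1], here) / hours > MAX_SPEED_KMH:
                findings.append(("impossible-travel", u))
            last_login[u] = (ev["ts"], here)
        if ev["kind"] == "export" and int(ev.get("records", 0)) >= EXPORT_LIMIT:
            findings.append(("bulk-export", u))
    return findings
```

Running `review(SAMPLE_LOG)` yields one finding per rule for the sample: the New York to Los Angeles login pair 26 minutes apart, the three-failure burst, the terminated account's chart view, and the 4,200-record export. Each finding is the unit of work a reviewer records and triages, which is the "examine" half of the standard.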
From Manual Slog to Operational Practice
Reviewing raw logs by hand is tedious enough that it does not get done, which is precisely why it shows up in enforcement actions. The practices that sustain log review do one of two things: they reduce the volume to a curated set of alerts, or they adopt monitoring that surfaces the anomalies and lets a human confirm them. Continuous network security monitoring shifts the work from "read everything and hope you notice" to "investigate the handful of things the system flagged." The HIPAA requirement is unchanged; the human effort to satisfy it drops to something a busy practice can actually sustain.
Building the Evidence Trail
Because audit controls are something auditors specifically probe, the documentation is as important as the activity. A simple, repeatable log of your log reviews — date, reviewer, scope, findings, actions — is the artifact that turns "we review our logs" from an assertion into a demonstrated practice. Fold the review summary into your quarterly mini-audit so the cadence is visible across the year, and so a pattern that builds slowly over months has a place to be noticed.
The organizations that get audit controls right are not the ones with the most sophisticated tools. They are the ones that decided log review is a recurring task with an owner, a schedule, and a paper trail — rather than a feature they bought and never opened.
Related Reading
- Continuous network security monitoring in 2026
- The credential leak response playbook
- Revoking access when staff leave
- The 90-minute quarterly HIPAA mini-audit
Call to Action
See how HIPAA Security Suite surfaces the high-signal events worth reviewing and keeps a dated record of every review — so audit controls become a workflow you can defend, not a log file you hope nobody asks about. Or schedule a walkthrough to see it against your environment.