When a patient asks "who has looked at my records?" you need to answer with confidence. When an auditor asks the same thing, you need documentation to prove it.
That's what audit trails are for—records showing who accessed what patient information, when they accessed it, and what they did with it. For mental health practices, where patient privacy carries particular weight, proper audit trails aren't just compliance checkboxes. They're fundamental to the trust that effective treatment requires.
What HIPAA requires
The HIPAA Security Rule (45 C.F.R. § 164.312(b)) requires covered entities to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
This applies regardless of practice size. A solo therapist with a laptop has the same fundamental obligation as a large health system. Implementation scales to your resources and risk profile, but the requirement exists for everyone.
What needs to be logged
Effective audit trails capture four elements:
User identity. Every access tied to a specific individual—username, role, department. This is why shared logins are a compliance problem. When three staff members use the same credentials, your logs can't show who actually viewed a patient's PHQ-9 results.
Timestamp. Date, time, and time zone of access. Session duration when relevant.
Action taken. View, create, update, delete, export, or print. "User viewed patient record" is minimally acceptable. "User viewed PHQ-9 results for patient #12345 at 3:42 PM" is better.
What was accessed. Patient identifier, record type, specific fields or documents viewed.
Where available, also capture device used, IP address, and application or module accessed.
Types of audit trails
Application-level logs track activity within your clinical software: opening patient records, viewing assessment scores, modifying treatment plans, running reports, exporting data. This is where most mental health-specific activity appears.
System-level logs capture broader access: login attempts (successful and failed), password changes, account lockouts, permission changes. These help identify unauthorized access attempts.
Physical access logs cover non-digital access: sign-in sheets for file rooms, access card logs for restricted areas, visitor logs.
Retention requirements
HIPAA's documentation retention requirement (45 C.F.R. § 164.316(b)(2)) runs six years from the date of creation or the date the document was last in effect, and audit logs are generally treated as falling under it. Some states require longer retention for medical records, and malpractice insurers may have their own recommendations. When uncertain, keep logs longer.
Plan for storage costs: six years of detailed logs adds up. Ensure logs remain readable for the full retention period even as systems change; an export in an open, documented format will outlive the EHR that produced it.
The minimum necessary standard
Audit trails serve the minimum necessary standard—the HIPAA requirement that PHI access be limited to what's needed for a specific job function. When reviewing logs, you're checking whether access patterns match job responsibilities:
- Is the billing coordinator only accessing billing-relevant information?
- Is a clinician viewing records only for patients they're treating?
- Is anyone accessing records without a documented treatment relationship?
The logs don't prevent inappropriate access. They make it visible so you can address it.
What to look for when reviewing
Unusual patterns. Access outside business hours, from unusual locations, to records without a treatment relationship, or high-volume sequential access suggesting data harvesting.
Failed attempts. Multiple failed logins, attempts to access restricted records, permission denials.
Configuration changes. New accounts created, permissions elevated, audit logging or security settings modified.
Single events may be innocent. Patterns reveal more. Is a staff member consistently accessing records they shouldn't? Are there recurring after-hours access events?
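The checks above and the minimum necessary questions from the previous section are simple to automate once every event carries the four required elements. The following is an added example, not code from the original article or from any EHR vendor: it runs each check over a constructed batch of audit events. The user names, roles, patient IDs, treatment relationships, role scopes, business hours and thresholds are all hypothetical and would come from your own systems.

```python
# Added example: reviewing a batch of audit events for the patterns above.
# All events, users, patient IDs, treatment relationships and thresholds are
# constructed and hypothetical.
from collections import defaultdict
from datetime import datetime, timedelta


def event(user, role, ts, action, patient, obj):
    # Who, when (with zone), what action, what was accessed.
    return {"user": user, "role": role, "ts": ts, "action": action,
            "patient": patient, "object": obj}


EVENTS = [
    event("jlee",   "clinician",  "2024-03-04T10:15:00-05:00", "view", "P1001", "PHQ-9"),
    event("jlee",   "clinician",  "2024-03-04T23:40:00-05:00", "view", "P1002", "progress_note"),
    event("mpatel", "clinician",  "2024-03-04T11:02:00-05:00", "view", "P1001", "PHQ-9"),
    event("rtemp",  "billing",    "2024-03-05T14:00:00-05:00", "view", "P1001", "demographics"),
    event("rtemp",  "billing",    "2024-03-05T14:01:00-05:00", "view", "P1002", "demographics"),
    event("rtemp",  "billing",    "2024-03-05T14:02:00-05:00", "view", "P1003", "demographics"),
    event("rtemp",  "billing",    "2024-03-05T14:03:00-05:00", "view", "P1004", "demographics"),
    event("rtemp",  "billing",    "2024-03-05T14:04:00-05:00", "view", "P1005", "demographics"),
    event("rtemp",  "billing",    "2024-03-05T14:05:00-05:00", "view", "P1006", "demographics"),
    event("rtemp",  "billing",    "2024-03-05T14:06:00-05:00", "view", "P1006", "progress_note"),
    event("kchan",  "front_desk", "2024-03-05T02:10:00-05:00", "login_failed", None, "login"),
    event("kchan",  "front_desk", "2024-03-05T02:11:00-05:00", "login_failed", None, "login"),
    event("kchan",  "front_desk", "2024-03-05T02:12:00-05:00", "login_failed", None, "login"),
    event("ops",    "admin",      "2024-03-05T09:30:00-05:00", "audit_setting_change", None, "log_retention"),
]

# Hypothetical reference data: who treats whom, and which record types each
# non-clinical role may touch (the minimum necessary standard).
TREATMENT = {"jlee": {"P1001", "P1002"}, "mpatel": {"P1003"}}
ROLE_SCOPE = {"billing": {"demographics", "billing"},
              "front_desk": {"demographics", "scheduling"}}
RECORD_ACTIONS = {"view", "create", "update", "delete", "export", "print"}
CONFIG_ACTIONS = {"account_created", "permission_change", "audit_setting_change"}
BUSINESS_HOURS = (8, 18)  # local clock: start inclusive, end exclusive


def ts(ev):
    return datetime.fromisoformat(ev["ts"])  # offset-aware, so .hour is local time


def after_hours(events):
    """Record access on a weekend or outside business hours."""
    out = []
    for ev in events:
        if ev["action"] in RECORD_ACTIONS:
            t = ts(ev)
            if t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]):
                out.append((ev["user"], ev["ts"]))
    return out


def no_treatment_relationship(events):
    """Clinicians viewing patients they do not treat."""
    return [(ev["user"], ev["patient"]) for ev in events
            if ev["action"] in RECORD_ACTIONS and ev["role"] == "clinician"
            and ev["patient"] not in TREATMENT.get(ev["user"], set())]


def out_of_role_scope(events):
    """Non-clinical roles touching record types outside their job function."""
    return [(ev["user"], ev["patient"], ev["object"]) for ev in events
            if ev["action"] in RECORD_ACTIONS and ev["role"] in ROLE_SCOPE
            and ev["object"] not in ROLE_SCOPE[ev["role"]]]


def harvesting(events, window=timedelta(minutes=10), threshold=5):
    """Users touching >= threshold distinct patients inside one sliding window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] in RECORD_ACTIONS:
            by_user[ev["user"]].append((ts(ev), ev["patient"]))
    flagged = {}
    for user, accesses in by_user.items():
        accesses.sort()
        for i, (start, _) in enumerate(accesses):
            patients = {p for t, p in accesses[i:] if t - start <= window}
            if len(patients) >= threshold:
                flagged[user] = len(patients)
                break
    return flagged


def failed_logins(events, threshold=3):
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == "login_failed":
            counts[ev["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


def config_changes(events):
    return [(ev["user"], ev["action"], ev["object"])
            for ev in events if ev["action"] in CONFIG_ACTIONS]


def review(events):
    """One pass producing the findings a reviewer documents (or signs off as clean)."""
    return {"after_hours": after_hours(events),
            "no_relationship": no_treatment_relationship(events),
            "out_of_scope": out_of_role_scope(events),
            "harvesting": harvesting(events),
            "failed_logins": failed_logins(events),
            "config_changes": config_changes(events)}
```

Running `review(EVENTS)` flags the after-hours view by jlee, mpatel viewing a patient without a treatment relationship, the billing user opening a progress note, the same user sweeping six patients in seven minutes, three failed logins for kchan, and the change to the log retention setting. Each check is one question from the review list; the harvesting check is the only one that needs state across events, which is why it sorts per user and slides a window rather than looking at events one at a time. Keep the output of each review run as the evidence that reviews happened.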
Assessment-specific considerations
Mental health assessments create specific audit trail needs. For patient-completed surveys, log when the assessment link was created, when the patient submitted it, and each time results are viewed. For provider-administered assessments, log who initiated it, responses entered, and result viewing. Log every data export—what was exported, to where, and for what purpose.
Common mistakes
Shared credentials. When multiple people share a login, your audit trail is useless. Every user needs unique credentials.
Logging without reviewing. Logs sitting in a database don't help anyone. Auditors will notice the lack of review documentation.
Assuming vendors handle everything. Your EHR vendor isn't responsible for your compliance. Verify what your systems actually log and maintain your own review procedures.
Logs accessible to everyone. If the people being audited can modify the logs, the logs aren't trustworthy. Protect log integrity: logs should be write-once or otherwise tamper-evident, and the administrators whose actions the logs record should not be able to edit or delete them. Forwarding a copy to a separate store that application users cannot write to is the usual way to get there.
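One way to make a log tamper-evident is to chain entries: each entry carries a keyed hash over its own content and the previous entry's hash, with the key held by the log collector rather than by the systems whose users are being audited. The following is an added example (not code from the original article or from any product) showing why the chain alone is not enough: it catches an edited or deleted entry, but silently dropping the newest entries is only caught when the latest count and hash are also checkpointed somewhere separate. The key, events and names are constructed.

```python
# Added example: a hash-chained, keyed audit log with a published checkpoint.
# The key is assumed to live with the log collector, not on the EHR host;
# all events and names are constructed.
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _canonical(event):
    # Stable serialisation so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _link(key, prev_tag, event):
    return hmac.new(key, (prev_tag + _canonical(event)).encode(),
                    hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log where each entry commits to the previous entry's tag."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev": prev, "event": event,
                 "tag": _link(self._key, prev, event)}
        self.entries.append(entry)
        return entry

    def checkpoint(self):
        # (count, latest tag): store this somewhere the log host cannot reach,
        # so that dropping the newest entries is detectable too.
        return (len(self.entries),
                self.entries[-1]["tag"] if self.entries else GENESIS)


def verify(entries, key, checkpoint=None):
    """Return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        if not hmac.compare_digest(e["tag"], _link(key, prev, e["event"])):
            return False, i
        prev = e["tag"]
    if checkpoint is not None and (len(entries), prev) != checkpoint:
        return False, len(entries)
    return True, None


def demo():
    key = b"collector-key-kept-off-the-ehr-host"  # constructed
    log = ChainedLog(key)
    log.append({"user": "jlee", "action": "view", "patient": "P1001", "object": "PHQ-9"})
    log.append({"user": "mpatel", "action": "view", "patient": "P1001", "object": "PHQ-9"})
    log.append({"user": "ops", "action": "audit_setting_change", "object": "log_retention"})
    cp = log.checkpoint()

    edited = copy.deepcopy(log.entries)
    edited[1]["event"]["user"] = "jlee"  # rewrite who looked at the record
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                        # remove the awkward entry outright
    truncated = log.entries[:2]           # drop the newest entry

    return {"intact": verify(log.entries, key, cp),
            "edited": verify(edited, key, cp),
            "deleted": verify(deleted, key, cp),
            "truncated_no_checkpoint": verify(truncated, key),
            "truncated_with_checkpoint": verify(truncated, key, cp)}
```

`demo()` reports the intact log as good, the edited and deleted variants as failing at entry 1, and the truncated log as passing without a checkpoint but failing with one. Anyone holding the key could rebuild a consistent chain, which is why the key must not be on the hosts whose users are being audited; in practice the collector is a separate syslog or SIEM endpoint, and the checkpoint is written to storage the log administrators cannot alter.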
The current audit environment
OCR launched its 2024–2025 HIPAA audits in response to rising ransomware and cyberattacks targeting healthcare. From 2018 to 2023, the number of individuals affected by large breaches increased by over 1000%. The audits focus on Security Rule compliance, especially the risk analysis and risk management requirements, and failures of audit controls (logging and review) also appear among the findings in enforcement actions.
In December 2024, HHS proposed significant Security Rule updates that would strengthen audit logging requirements and remove the distinction between "required" and "addressable" implementation specifications. While the final rule's timeline remains uncertain, the direction is clear: more rigorous logging expectations are coming.
---
Proper audit trails protect both patients and practices. When access is tracked and reviewed, staff think twice before accessing records out of curiosity. When breaches occur, logs limit the damage by showing exactly what was accessed. And when auditors arrive, organized documentation makes the difference between a routine review and a painful investigation.