What we log, how long we retain it, how anomalies are reviewed, and how breach notifications are handled.
Currently in effect: v1.2
Effective 2026-05-13 — Extended audit log retention from 5 to 6 years to align with HIPAA §164.316(b)(2).
Current policy (v1.2)
Our EHR and patient portal log every view, create, update, export, and login event tied to a user identity and timestamp. Logs are retained for at least six (6) years per HIPAA §164.316(b)(2) and reviewed routinely for anomalous activity.
Suspicious access triggers investigation by our Privacy & Security Officer. Confirmed breaches of unsecured PHI are reported per the HIPAA Breach Notification Rule.
Change history
Each revision is preserved for transparency. Older versions describe the practices in place at the time they were effective.
- v1.2 (Current)
Extended audit log retention from 5 to 6 years to align with HIPAA §164.316(b)(2).
- Increased retention to a minimum of 6 years.
- Added patient-visible activity timeline (portal /activity).
- v1.0
Initial published policy.
Questions about this policy? Contact privacy@rootedhealthmember.com or use our security contact page.