
Audit log lookup (HIPAA pulls)

Outcome

You can answer the question "who looked at this member's record between dates A and B" — for HIPAA accounting-of-disclosures requests, breach investigations, or routine compliance audits — and export the result as PDF or CSV with a clean chain of custody.

Prerequisites

| Scope | What it lets you do |
| --- | --- |
| security.audit.read | Read the audit log |
| security.audit.export | Export PDF / CSV |
| security.audit.read.phi | See the specific PHI field that was viewed (not just the fact of access) |

The audit log is append-only; rows are never edited or deleted, only added.

What is recorded

Every PHI-touching read and every member-record mutation is recorded:

| Event type | When it fires |
| --- | --- |
| member.read | A user opens a member detail page. |
| member.read.phi | A user views a redacted-by-default field (SSN, full DOB). |
| member.update | Demographics, coverage, or documents change. |
| claim.read | A user opens a claim detail page that includes member PHI. |
| document.read | A user previews a clinical document. |
| document.upload | A document is uploaded or replaced. |
| eligibility.run | A 270 is sent for the member. |
| auth.read / auth.update | Authorization access. |
| report.export | A report or dashboard view is exported. |

Platform staff impersonating into your tenant always carry an extra attribute on the audit row identifying both the impersonating MedSuite user and the tenant user account they assumed.

Steps

  1. Open Configuration → Audit Log at /admin/audit-log. The default view shows the last 24 hours of activity, most-recent first.

  2. Apply filters:

     | Filter | Use case |
     | --- | --- |
     | Member | Lookup by MRN or member name — narrows to a single subject. |
     | Actor | Narrows to one staff member. |
     | Date range | Required for HIPAA accounting; default is "last 24h". |
     | Event type | member.read, claim.read, etc. |
     | Source IP | Narrow by network origin (e.g., to confirm an event came from in-office). |

  3. Review the rows. Each row shows when, who, what (event type), member subject, and the source IP. Click a row to see the before/after JSON for any mutation, or the exact PHI field viewed for a *.read.phi event.

  4. Export with Export PDF or Export CSV. The export carries:

    • A header naming the tenant, the requestor, the filter window, and the query timestamp.
    • A row count.
    • Every visible row at the time of export.

    The export is itself audited: a report.export row goes into the audit log naming the user, the filter window, and a SHA-256 digest of the exported file.

HIPAA accounting-of-disclosures workflow

A member (or their representative) is entitled by HIPAA to a list of disclosures of their PHI for the prior 6 years. To produce one:

  1. Filter by Member = the requesting member.

  2. Set Date range = today − 6 years to today, or the window the member specified.

  3. Under Event type, check member.read.phi, document.read, report.export, and any disclosure-class events your privacy officer defines.

  4. Export PDF. Hand to the privacy officer with the standard cover letter. Retain the SHA-256 digest with the case file.

Validation

| Check | Expected |
| --- | --- |
| Filtered list matches the case scope | Yes — every row references the member and falls in the date window. |
| Export includes the row count printed in the header | Yes. |
| report.export row appears in the audit log immediately after | Yes — confirms the export is itself accounted for. |
| File digest matches the cover letter | Yes — recompute with shasum -a 256 export.pdf. |
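The first, second and fourth checks above, scripted against a constructed sample CSV export. This is an added example, not MedSuite code; the page does not document the CSV layout, so the "#"-prefixed header lines, column names and sample values are assumptions.

```python
import csv
import hashlib
import io
from datetime import datetime

# Constructed sample export (assumed layout: "#" metadata header, then CSV columns
# matching the UI row fields: when, actor, event type, member subject, source IP).
SAMPLE_CSV = """# tenant: example-tenant
# requestor: privacy.officer@example.invalid
# filter_window: 2020-01-01T00:00:00Z/2026-01-01T00:00:00Z
# query_timestamp: 2026-01-05T14:02:11Z
# row_count: 3
when,actor,event_type,member,source_ip
2024-03-02T09:15:00Z,jdoe,member.read.phi,MRN-1001,10.0.0.12
2025-07-19T16:40:31Z,asmith,document.read,MRN-1001,10.0.0.40
2025-12-30T11:05:07Z,jdoe,report.export,MRN-1001,10.0.0.12
"""


def sha256_hex(text):
    """Digest of the file as exported; compare with the value on the cover letter."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_export(text):
    """Split the export into header metadata (dict) and data rows (list of dicts)."""
    meta, body = {}, []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        else:
            body.append(line)
    return meta, list(csv.DictReader(io.StringIO("\n".join(body))))


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_export(text, expected_member, expected_digest):
    """Return {check_name: passed} for the offline checks in the Validation table."""
    meta, rows = parse_export(text)
    start, end = (_ts(t) for t in meta["filter_window"].split("/"))
    scope_ok = all(r["member"] == expected_member and start <= _ts(r["when"]) <= end
                   for r in rows)
    count_ok = int(meta["row_count"]) == len(rows)
    return {"scope": scope_ok, "row_count": count_ok,
            "digest": sha256_hex(text) == expected_digest}
```

The report.export check is not covered here because it must be read back from the audit log itself.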

Troubleshooting

| Symptom | Cause | Fix |
| --- | --- | --- |
| Filter returns 0 rows | Date range too narrow, or actor filter too restrictive | Widen the range; remove unneeded filters. |
| Cannot see the specific PHI field that was viewed | Missing security.audit.read.phi scope | Have a teammate with the scope retrieve the detail; or request the scope. |
| Export PDF shows fewer rows than the UI | Export is paginated; default cap is 10,000 rows | Narrow the filter; or run multiple exports per case. |
| Impersonation row missing impersonator info | Pre-2026 audit row from before impersonation tracking shipped | These rows are flagged in the UI; consult your platform admin. |
