As a software developer in the role of business associate I have read about what needs to be captured and stored by software that handles PHI for a covered entity. To be a good vendor, we want to provide our customer the requisite log data about user credentialing (adds, permissions, changes, disables, deletes), and about PHI activity within our software product. We currently log all changes to PHI made by our product. My question is – how granular should the logs be with respect to simple user views of PHI? Is it sufficient to record user login events, and therefore know then who gained access (for the duration of the login session) to view PHI for any patient in the system? Or is it necessary to know and log each user's retrieval of each PHI-bearing record?
Question No. 114
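As an added example that is not part of the question or any answer on this page, the following Python sketch shows what each logging granularity lets you reconstruct afterwards: a session-level query ("who was logged in at this time") against a record-level query ("who viewed or changed this patient's PHI"). The audit store, user names, patient identifiers and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str                        # LOGIN, LOGOUT, VIEW, UPDATE, USER_ADD, ...
    patient_id: Optional[str] = None   # only set on PHI events (VIEW / UPDATE)
    detail: str = ""

class AuditLog:
    """Append-only store: deliberately no update or delete method."""
    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, user: str, action: str, ts: datetime,
               patient_id: Optional[str] = None, detail: str = "") -> None:
        self._events.append(AuditEvent(ts, user, action, patient_id, detail))

    def sessions_open_at(self, when: datetime) -> Set[str]:
        """Session granularity: who held an open login at `when`."""
        open_users: Set[str] = set()
        for ev in sorted(self._events, key=lambda e: e.ts):
            if ev.ts > when:
                break
            if ev.action == "LOGIN":
                open_users.add(ev.user)
            elif ev.action == "LOGOUT":
                open_users.discard(ev.user)
        return open_users

    def accessors_of(self, patient_id: str) -> List[AuditEvent]:
        """Record granularity: every VIEW/UPDATE of one patient's PHI."""
        return [e for e in self._events
                if e.patient_id == patient_id and e.action in ("VIEW", "UPDATE")]

def build_sample_log() -> AuditLog:
    """Constructed scenario: two users logged in, only one opens patient records."""
    at = lambda m: datetime(2024, 1, 15, 9, 0, 0) + timedelta(minutes=m)
    log = AuditLog()
    log.record("admin", "USER_ADD", at(0), detail="created account bob")
    log.record("alice", "LOGIN", at(1))
    log.record("bob", "LOGIN", at(2))
    log.record("alice", "VIEW", at(5), patient_id="P-1001")
    log.record("alice", "UPDATE", at(6), patient_id="P-1001", detail="allergy list")
    log.record("alice", "VIEW", at(7), patient_id="P-1002")
    log.record("bob", "LOGOUT", at(30))
    return log
```

With only the LOGIN/LOGOUT events, the log can say that both alice and bob were able to view any patient at 09:10; only the per-record VIEW events can show that bob opened nothing and that P-1001 was touched by alice alone.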