Audit Controls
164.312(a)(2)
Technical Safeguards
High Risk
Moderate
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Implementation Guidance
Implement comprehensive audit logging including user activities, system access, data modifications, and security events.
NIST References
NIST SP 800-66 Rev. 2: Section 3.3.2
Best Practices
Implement comprehensive audit logging, regular audit review, proper audit retention, and effective audit analysis.
Testing Procedures
Review audit control policies, test audit logging, verify audit review procedures, and test audit retention.
Frequently Asked Questions
Q: What should be audited?
A: All activities in information systems that contain or use ePHI should be audited.
Control Information
Control ID:
164.312(a)(2)
Category:
Technical Safeguards
Subcategory:
Audit Controls
Risk Level:
High
Implementation Difficulty:
Moderate
Estimated Cost:
Medium
Implementation Timeframe:
2-4 months
Last Updated:
Oct 1, 2025
Additional Resources
NIST SP 800-66 Rev. 2: Audit Controls Guidance, HHS Audit Controls Guidance, Audit Logging Best Practices