HIPAA Log Queries

Owned by Kai Cowger
Last updated: Mar 26, 2024 by Krinda Wernicke

 

CommCare’s logging capabilities and policies are aligned with HIPAA requirements. We log both user access and activity logs related to protected health information (PHI). 

To view digital activity logs of users, the following options are available:

  1. For day-to-day operational audits, we recommend using our in-product capabilities. For each data element CommCare tracks the entire trail of changes which includes the following metadata associated with each change: 

    1. Record and Data Element Identifier 

    2. Who made the change

    3. How the change was made

    4. When the change was made

    5. What the specific change was (and it’s prior value)

  2. Additionally, CommCare also supports a comprehensive suite of Messaging Reports, which can be used to audit automated interactions with cases and manual interactions between users and cases.

  3. For more targeted queries that are not attainable through CommCare’s UI, we request our partners create a support ticket by writing to us at support@dimagi.com. Within the request, please clearly outline exactly what logs you are requesting and in what time frame. The support team will review the request for HIPAA log eligibility and, if eligible, we will then work with you to provide a secure file containing the relevant information. We commit to responding to all HIPAA log queries within our Service Level Agreement timelines.

Retention Policy 

In alignment with HIPAA, we store these logs for 6 years.