HIPAA Access Log Template

Download a HIPAA access log template for small medical clinics. Covers audit control requirements of 45 CFR §164.312(b) and activity review requirements of §164.308(a)(1)(ii)(D). Includes both electronic and manual log formats.

Short answer

A HIPAA access log template covering the audit control and information system activity review requirements of 45 CFR §§164.312(b) and 164.308(a)(1)(ii)(D), with both an electronic log structure and a manual paper log for outage or emergency situations.

What is inside

Electronic log field specification: user ID, timestamp, patient identifier, record type, action, and access justification
Manual paper log format for use during system outages or when electronic logging is unavailable
Monthly access review checklist aligned to §164.308(a)(1)(ii)(D)
Break-glass access procedure and documentation requirements for emergency PHI access
A log retention schedule and storage policy meeting the six-year documentation requirement

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 23, 2026

Best next step: Open the matching product path

Verified: April 23, 2026

Sources

45 CFR §164.312(b) — Technical Safeguards: Audit Controls | eCFR / HHS
45 CFR §164.308(a)(1)(ii)(D) — Information System Activity Review | eCFR / HHS
45 CFR §164.316 — Policies and Procedures and Documentation Requirements | eCFR / HHS
NIST SP 800-92 — Guide to Computer Security Log Management | NIST

Download the PDF

An audit-ready access log structure for tracking who accessed patient records — and when, and why

Enter your email and we will send the PDF.

Questions

Does HIPAA require a separate access log, or does the EHR audit trail satisfy the requirement?

Most modern EHR systems generate audit logs that can satisfy the audit control requirement of §164.312(b) if properly configured and reviewed. The HIPAA requirement is not for a specific format but for activity recording and periodic review. If your EHR logs access by user, timestamp, and record, and you review those logs regularly, that satisfies the specification. This template helps you document the review process and covers gaps the EHR may not fill.

How often must access logs be reviewed?

45 CFR §164.308(a)(1)(ii)(D) requires covered entities to regularly review records of information system activity, including audit logs. Most Security Officers conduct monthly reviews for high-risk or high-volume access patterns and annual comprehensive reviews. The review frequency should be documented in your security policy.

What is break-glass access?

Break-glass access is emergency PHI access by a workforce member who does not normally have authorization for the records accessed — typically when a treating provider needs a patient's records in an emergency and the authorized provider is unavailable. Break-glass access must be logged and reviewed after the fact to confirm it was justified.

What if our EHR does not generate audit logs?

An EHR system that does not generate any audit logs is not meeting the audit control requirements of 45 CFR §164.312(b). If your current system has no logging capability, the security policy's technical safeguards section should document this as a gap and describe compensating controls. Upgrading to a system with audit logging is the appropriate remediation.