From HcPro’s monthly newsletter Briefings on HIPAA:
Q: Our system generates audit logs that capture all accesses and updates to patient information. What does HIPAA require in terms of audit log retention?
A: CMS provides no clear guidance pertaining to audit log retention, so the debate continues. However, there are generally two opinions regarding how long you should retain your audit logs.
One opinion, with which I concur, requires you to review audit logs on a regular basis and to formally document this in your policies and procedures. After reviewing the audit logs and writing a formal findings report, it is a good idea to retain audit logs for 60–90 days following the completion of the report. This allows time for any necessary mitigation if anomalies are found. Thereafter, retention of the audit logs is unnecessary, but you should retain the report for six years.
The other school of thought requires you to retain audit logs and the formal findings reports for six years. Even though audit logs require significant storage space when retained for this amount of time, the cost of storage has decreased. Therefore, it is logical to assume that you need to retain audit logs, just like any other security-related records, for the full HIPAA-required retention period.