Audit Log Overview

Rubric maintains detailed audit logs for every action involving protected health information (PHI). These logs are immutable, tamper-evident, and retained for 7 years to meet HIPAA requirements.

Complete Visibility

Every PHI access, modification, and export is logged with full context.

Immutable Records

Cryptographically signed logs that cannot be altered or deleted.

7-Year Retention

Automatic retention meeting HIPAA’s 6-year requirement plus buffer.

Real-Time Alerts

Instant notifications for suspicious access patterns and anomalies.

What Gets Logged

Rubric captures comprehensive audit events across all system interactions. Each log entry includes who, what, when, where, and the outcome of each action.

Event Categories

| Category | Events | Examples |
| --- | --- | --- |
| Authentication | Login, logout, MFA, session events | User login, failed MFA attempt, session timeout |
| PHI Access | View, search, download PHI records | Viewed transcript, searched patient records |
| Data Modification | Create, update, delete operations | Added annotation, updated evaluation score |
| Export & Share | Data exports, report generation | Exported dataset, generated compliance report |
| Administrative | User management, settings changes | Added team member, modified project settings |
| API Access | All API calls with full request/response | SDK upload, evaluation creation |
| System Events | Automated processes, scheduled jobs | Backup completed, key rotation executed |

Log Entry Structure

audit_log_entry.json
{
  "id": "log_2024031512345678",
  "timestamp": "2024-03-15T14:32:18.456Z",
  "event_type": "phi.access.view",
  "severity": "info",

  "actor": {
    "type": "user",
    "id": "user_abc123",
    "email": "[email protected]",
    "name": "Dr. Sarah Smith",
    "role": "clinical_reviewer",
    "ip_address": "192.168.1.100",
    "user_agent": "Mozilla/5.0...",
    "session_id": "sess_xyz789"
  },

  "resource": {
    "type": "call_transcript",
    "id": "call_def456",
    "project": "patient-triage",
    "patient_id": "PAT-12345",
    "contains_phi": true
  },

  "action": {
    "operation": "view",
    "fields_accessed": ["transcript", "ai_decision", "triage_level"],
    "duration_ms": 1250,
    "success": true
  },

  "context": {
    "reason": "clinical_review",
    "workflow": "evaluation_review",
    "break_glass": false
  },

  "signature": "sha256:abc123..."
}
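The page does not say how the `signature` field is computed, so the following is an added illustration (not Rubric's code) of one way an append-only, tamper-evident log can be built: each entry carries an HMAC-SHA256 over its canonical JSON plus the previous entry's signature, so editing, deleting or reordering entries breaks verification. The key, the `GENESIS` value and the sample entries are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this in an HSM or KMS, never in code.
SIGNING_KEY = b"demo-audit-signing-key"
GENESIS = "sha256:" + "0" * 64  # constructed "previous signature" for the first entry

def canonical_bytes(entry: dict) -> bytes:
    """Serialize everything except 'signature' with sorted keys and no insignificant
    whitespace, so signer and verifier hash identical bytes."""
    body = {k: v for k, v in entry.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def entry_mac(entry: dict, prev_sig: str) -> str:
    # Folding the predecessor's signature into the MAC makes deleting or
    # reordering entries detectable, not only editing them in place.
    h = hmac.new(SIGNING_KEY, prev_sig.encode() + canonical_bytes(entry), hashlib.sha256)
    return "sha256:" + h.hexdigest()

def sign_chain(entries: list[dict]) -> list[dict]:
    """Return signed copies of the entries, each bound to the one before it."""
    signed, prev = [], GENESIS
    for e in entries:
        prev = entry_mac(e, prev)
        signed.append({**e, "signature": prev})
    return signed

def verify_chain(entries: list[dict]) -> bool:
    """True only if every entry's signature matches its content and its predecessor."""
    prev = GENESIS
    for e in entries:
        if not hmac.compare_digest(e.get("signature", ""), entry_mac(e, prev)):
            return False
        prev = e["signature"]
    return True

ENTRIES = [  # constructed entries carrying a subset of the fields shown above
    {"id": "log_1", "event_type": "phi.access.view", "actor": {"id": "user_abc123"}, "context": {"break_glass": False}},
    {"id": "log_2", "event_type": "phi.access.view", "actor": {"id": "user_abc123"}, "context": {"break_glass": True}},
    {"id": "log_3", "event_type": "phi.export", "actor": {"id": "user_abc123"}, "context": {"break_glass": False}},
]

def demo() -> tuple[bool, bool, bool]:
    chain = sign_chain(ENTRIES)
    edited = json.loads(json.dumps(chain))
    edited[1]["context"]["break_glass"] = False   # attempt to hide a break-glass access
    deleted = [chain[0], chain[2]]                # attempt to drop the break-glass entry
    return verify_chain(chain), verify_chain(edited), verify_chain(deleted)
```

`demo()` returns `(True, False, False)`: the intact chain verifies, while both the edited and the shortened chain are rejected.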

Querying Audit Logs

Access audit logs through the API or dashboard with powerful filtering and search capabilities.

Basic Log Queries

query_logs.py
from rubric import Rubric
from datetime import datetime, timedelta, timezone

client = Rubric()

# Query recent PHI access events. Use timezone-aware UTC timestamps so the
# window lines up with the UTC ("Z") timestamps stored in the log entries.
now = datetime.now(timezone.utc)
logs = client.audit.query(
    event_types=["phi.access.*"],
    start_time=now - timedelta(hours=24),
    end_time=now,
    limit=100
)

for log in logs.entries:
    print(f"{log.timestamp} | {log.actor.email} | {log.event_type}")
    print(f"  Resource: {log.resource.type} ({log.resource.id})")
    print(f"  Action: {log.action.operation} - {'OK' if log.action.success else 'FAIL'}")

Search by Patient

patient_access_report.py
from rubric import Rubric

client = Rubric()

# Generate patient access report (required for HIPAA accounting of disclosures)
patient_report = client.audit.patient_access_report(
    patient_id="PAT-12345",
    start_time="2024-01-01T00:00:00Z",
    end_time="2024-03-15T23:59:59Z",
    include_system_access=False  # Exclude automated processes
)

print(f"Patient Access Report: {patient_report.patient_id}")
print(f"Period: {patient_report.start_time} to {patient_report.end_time}")
print(f"Total Accesses: {patient_report.total_accesses}")

print("\nAccess Timeline:")
for access in patient_report.accesses:
    print(f"  {access.timestamp}")
    print(f"    Who: {access.actor.name} ({access.actor.role})")
    print(f"    What: {access.action.operation} on {access.resource.type}")
    print(f"    Reason: {access.context.reason}")

# Export for patient request
patient_report.export_pdf(
    output_path="patient_access_report.pdf",
    include_signatures=True
)

Configuring Alerts

configure_alerts.py
from rubric import Rubric
from rubric.audit import AlertRule, AlertAction

client = Rubric()

# Create alert for suspicious access patterns
alert_rule = client.audit.alerts.create(
    name="Unusual PHI Access Volume",
    description="Alert when a user accesses more than 50 PHI records in 1 hour",

    # Trigger conditions
    conditions={
        "event_types": ["phi.access.*"],
        "aggregation": {
            "type": "count",
            "group_by": "actor.id",
            "window": "1h",
            "threshold": 50,
            "operator": ">"
        }
    },

    # Alert actions
    actions=[
        AlertAction.email(
            recipients=["[email protected]"],
            template="high_volume_access"
        ),
        AlertAction.slack(
            channel="#security-alerts",
            mention=["@security-team"]
        ),
        AlertAction.pagerduty(
            service_key="your-service-key",
            severity="high"
        )
    ],

    severity="high",
    enabled=True,
    cooldown_minutes=60
)

print(f"Alert rule created: {alert_rule.id}")
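To show what the rule above actually evaluates, here is an added, self-contained Python sketch (not the Rubric SDK or its server-side logic) of the count aggregation grouped by `actor.id` over a trailing `1h` window with threshold `> 50` and a 60-minute cooldown, run over constructed log entries.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)       # "window": "1h"
THRESHOLD = 50                    # "threshold": 50 with "operator": ">"
COOLDOWN = timedelta(minutes=60)  # cooldown_minutes=60

def matches(event_type: str, pattern: str) -> bool:
    """Prefix glob as in "phi.access.*"; exact match otherwise."""
    return event_type.startswith(pattern[:-1]) if pattern.endswith("*") else event_type == pattern

def evaluate(entries: list[dict]) -> list[tuple[str, datetime, int]]:
    """Stream entries in time order and emit (actor_id, time, count) the moment an
    actor has more than THRESHOLD matching events inside the trailing WINDOW;
    then suppress further alerts for that actor until COOLDOWN has elapsed."""
    recent: dict[str, deque] = defaultdict(deque)   # per-actor event times in window
    last_fired: dict[str, datetime] = {}
    alerts = []
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        if not matches(e["event_type"], "phi.access.*"):
            continue
        actor, ts = e["actor"]["id"], e["timestamp"]
        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # expire events older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            fired = last_fired.get(actor)
            if fired is None or ts - fired >= COOLDOWN:
                alerts.append((actor, ts, len(q)))
                last_fired[actor] = ts
    return alerts

def constructed_entries() -> list[dict]:
    """Constructed sample: one reviewer at a normal pace, one account pulling
    80 records in 40 minutes, plus a non-PHI login the rule must ignore."""
    t0 = datetime(2024, 3, 15, 14, 0, tzinfo=timezone.utc)
    rows = []
    for i in range(20):   # normal reviewer: one record every 3 minutes
        rows.append({"timestamp": t0 + timedelta(minutes=3 * i), "event_type": "phi.access.view",
                     "actor": {"id": "user_abc123"}})
    for i in range(80):   # suspicious: a record every 30 seconds
        rows.append({"timestamp": t0 + timedelta(seconds=30 * i), "event_type": "phi.access.search",
                     "actor": {"id": "user_bulk"}})
    rows.append({"timestamp": t0 + timedelta(minutes=5), "event_type": "auth.login",
                 "actor": {"id": "user_bulk"}})   # not a phi.access.* event
    return rows
```

On the constructed input this yields exactly one alert, for `user_bulk` at the 51st access (25 minutes in); the remaining 29 accesses fall inside the cooldown and do not re-alert.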

Anomaly Detection

Machine learning-powered anomaly detection identifies unusual access patterns that may indicate compromised accounts or insider threats.

Anomaly Types Detected

| Anomaly Type | Description | Indicators |
| --- | --- | --- |
| Unusual Access Time | Access outside normal working hours | Time of day, day of week patterns |
| High Volume Access | Accessing more records than typical | Record count per hour/day |
| Geographic Anomaly | Access from unusual location | IP geolocation, travel speed |
| New Resource Types | Accessing unfamiliar data types | First-time resource access |
| Bulk Export | Large data exports | Export size, frequency |
| Pattern Change | Sudden change in access patterns | Multiple behavioral deviations |
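As an added example (not part of the page or the product), the "travel speed" indicator behind the Geographic Anomaly row can be computed from consecutive accesses by the same actor. It assumes each entry already carries a resolved `geo` (lat, lon) for `actor.ip_address`; the entries, addresses and the 1000 km/h threshold are constructed.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # constructed threshold: faster than a commercial flight

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def travel_anomalies(entries: list[dict]) -> list[dict]:
    """Flag consecutive accesses by the same actor whose implied speed between
    the two geolocated IPs exceeds MAX_PLAUSIBLE_KMH. Each entry is assumed to
    carry a pre-resolved 'geo' (lat, lon) for actor.ip_address."""
    last: dict[str, dict] = {}   # most recent entry seen per actor
    flagged = []
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        actor = e["actor"]["id"]
        prev = last.get(actor)
        if prev is not None:
            km = haversine_km(*prev["geo"], *e["geo"])
            hours = (e["timestamp"] - prev["timestamp"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                flagged.append({"actor": actor, "from": prev["actor"]["ip_address"],
                                "to": e["actor"]["ip_address"], "km": round(km), "kmh": round(speed)})
        last[actor] = e
    return flagged

ENTRIES = [  # constructed sample; IPs are documentation addresses, coordinates illustrative
    {"timestamp": datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc), "actor": {"id": "user_abc123", "ip_address": "203.0.113.10"}, "geo": (40.71, -74.01)},  # New York
    {"timestamp": datetime(2024, 3, 15, 9, 30, tzinfo=timezone.utc), "actor": {"id": "user_abc123", "ip_address": "198.51.100.7"}, "geo": (51.51, -0.13)},  # London, 30 min later
    {"timestamp": datetime(2024, 3, 15, 14, 0, tzinfo=timezone.utc), "actor": {"id": "user_abc123", "ip_address": "198.51.100.7"}, "geo": (51.51, -0.13)},  # London again: plausible
    {"timestamp": datetime(2024, 3, 15, 9, 15, tzinfo=timezone.utc), "actor": {"id": "user_def456", "ip_address": "203.0.113.22"}, "geo": (40.73, -73.99)},  # unrelated user
]
```

Only the New York to London hop (about 5,570 km in 30 minutes) is flagged; the later London access and the other user produce no finding.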

Log Retention & Archival

| Log Type | Hot Storage | Warm Storage | Cold Storage | Total Retention |
| --- | --- | --- | --- | --- |
| PHI Access Logs | 90 days | 1 year | 6 years | 7 years |
| Authentication Logs | 90 days | 1 year | 6 years | 7 years |
| Administrative Logs | 90 days | 1 year | 6 years | 7 years |
| API Access Logs | 30 days | 1 year | 2 years | 3 years |
| System Events | 30 days | 6 months | 1 year | 18 months |

Immutable Logs: All audit logs are cryptographically signed and stored in append-only storage. Logs cannot be modified or deleted, even by administrators, ensuring a complete and trustworthy audit trail.

Best Practices

| Practice | Description |
| --- | --- |
| Configure Critical Alerts | Set up alerts for failed logins, bulk exports, and break-glass access. |
| Regular Access Reviews | Conduct quarterly access reviews to identify and revoke unnecessary access. |
| Export to SIEM | Integrate with your SIEM for centralized security monitoring. |
| Enable Anomaly Detection | Use ML-powered anomaly detection to catch subtle security threats. |
| Document Access Reasons | Require users to document reasons for accessing sensitive records. |
| Test Alerting | Regularly test that alerts are working and reaching the right people. |