HIPAA audit trails and tamper-evidence: what the Security Rule really requires

Audit controls and integrity are two of the Security Rule’s hardest technical safeguards — and the place software most often fails quietly. What “good” looks like.

By ClaimZen · Updated July 2026 · ~7 min read

Two of the HIPAA Security Rule’s technical safeguards do the quiet, load-bearing work of compliance: audit controls (45 CFR §164.312(b)) and integrity (§164.312(c)(1)). Nearly every system claims to satisfy them. Far fewer can prove it when an auditor or a breach forensic actually asks.

What the rule requires — and leaves open

Audit controls require “hardware, software, and/or procedural mechanisms that record and examine activity” in systems with ePHI. Integrity requires protecting ePHI from “improper alteration or destruction.” Notice what the rule does not say: how. That flexibility is why two systems can both check the box while offering wildly different assurance.

The gap: a log you can edit isn’t evidence

A conventional audit log is a database table. It records who did what — but with enough privilege, a user, an administrator, or a DBA can update or delete rows. Its integrity rests on trusting those people and that database. In an OCR audit or a breach investigation, that’s exactly the weak point: you can attest the log is complete, but you can’t rule out that it was altered. “We can’t prove it wasn’t tampered with” is how a control becomes a finding.

What tamper-evidence looks like

Tamper-evident means any alteration is detectable. Three techniques, usually combined:

Add offline verifiability — the ability to hand a third party a slice of the record they can check without your servers — and integrity stops being something you re-audit periodically and becomes something anyone can confirm on demand.

Weak vs. strong, side by side

PropertyWeak implementationStrong implementation
StorageEditable table rowsAppend-only log
AlterationPossible with privilege, undetectedBreaks a hash chain — detectable
Trust modelTrust the admin & databaseVerify with math
Proof to a third party“Take our word for it”Signed export, verifiable offline
Integrity checkPeriodic reviewOn demand, byte-for-byte

What to look for in a system

Ask: Is the audit log append-only? Can an administrator alter or delete history? Is it cryptographically verifiable? Can you export a record whose completeness a third party can confirm independently? “Yes” to those is the difference between a log and evidence — a question worth putting on your vendor checklist.

ClaimZen’s ledger is append-only and hash-chained, Ed25519-signed with a key sealed at rest, and every case exports as a signed evidence packet that verifies offline against a BLAKE3 state root — so you prove integrity rather than assert it. See HIPAA compliance by design.

Frequently asked questions

What do HIPAA audit controls require?

Mechanisms that record and examine activity in systems with ePHI (§164.312(b)). The rule doesn’t specify how, so assurance varies widely.

What is tamper-evidence?

A property where any alteration is detectable — via append-only storage, hash-chaining, and signatures, so editing or deleting an entry breaks verification.

Isn’t a database audit log good enough?

It records activity, but if privileged users can change it, its integrity rests on trust. Tamper-evident designs let you prove it instead.

Sources

  1. HHS, HIPAA Security Rule, audit controls 45 CFR §164.312(b) and integrity §164.312(c)(1).
  2. HHS, person or entity authentication, 45 CFR §164.312(d).
  3. NIST, SP 800-66 Rev. 2, Implementing the HIPAA Security Rule.
  4. NIST, SP 800-92, Guide to Computer Security Log Management.
  5. ClaimZen, HIPAA compliance by design and system architecture.

General information, not legal or compliance advice. HIPAA obligations depend on your organization, your data, and your contracts — consult your privacy/security officer and counsel.

An audit trail that’s evidence, not assertion.

ClaimZen’s ledger is append-only, hash-chained, and signed — so you can prove your records weren’t altered, offline.

Get early access