Full checklist › Audit-trail / access-log loss

Audit-trail / access-log loss Medium-risk silent loss

Legacy access histories and audit logs are dropped at cutover — but the HIPAA 6-year retention obligation follows the DATA, not the system. You must still be able to produce historical access logs for records created in the legacy EHR.

Anchored to:

• HIPAA Security Rule (summary) — HHS

• 45 CFR § 164.312(b) — Audit controls (required) — HHS / eCFR (Mechanisms that record and examine activity in systems containing ePHI.)

• 45 CFR § 164.316(b)(2)(i) — 6-year documentation retention — HHS / eCFR (Retain 6 years from creation or last-in-effect, whichever is later.)

General IT / operational guidance — not medical, legal, or compliance advice. This is a data-integrity validation checklist for EHR migration. Standards and versions revise; verify every citation and version against the live owner page and confirm requirements with your EHR vendor and your organization's compliance/HIM team before acting.

What to validate

Confirm legacy audit logs / access histories are migrated OR retained in an accessible archive for the full 6-year window (45 CFR 164.316(b)(2)(i)).
Verify audit-control mechanisms (45 CFR 164.312(b)) are operational on the TARGET system at go-live.
Confirm you can still produce historical access logs for records created in the legacy system post-decommission.

Get the runnable validation toolkit →All 7 failure modes

Not medical advice. IT/operational guidance for EHR data-migration validation, anchored to official HL7/FHIR, ONC/ASTP, HIPAA (eCFR), and code-system sources. Last verified 2026-06-22. Verify versions and requirements with your vendor and compliance team. Some outbound links may be referral links.