Audit Log Requirements Under §164.312: What AI Voice Logs Must Capture
The HIPAA Security Rule requires audit controls on every system that touches ePHI. Here is what your AI voice agent has to log to survive an OCR investigation in 2026.
When OCR comes knocking, the question is never "do you have logs?" — it is "can you reconstruct exactly who, when, why, and what?"
What the rule says
```mermaid
flowchart TD
    In[Patient interaction] --> MinNec{Minimum necessary?}
    MinNec -->|yes| Process[AI process]
    MinNec -->|no| Reject[Block + log]
    Process --> Encrypt[(AES-256 at rest)]
    Encrypt --> DB[(PostgreSQL)]
    Process --> Audit[(Audit trail)]
    DB --> Right[Right of access §164.524]
```

45 CFR 164.312(b) is short: "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." There is no specification for fields, retention, or format — the regulation is principle-based, but the OCR enforcement record is field-tested. The 2024 NPRM proposes to make audit controls more prescriptive, including a documented review cadence and protected log integrity. NIST SP 800-66 Rev 2 and the HHS Security Rule Crosswalk to NIST 800-53 are the practical interpretation guides.
What it means for AI voice/chat agents
An AI voice agent is a multi-system pipeline: telephony carrier, media stack, STT, LLM, tool-calling layer, EHR integration, agent dashboard. Each of those is a system that contains or uses ePHI, and each needs auditable activity logs.
The minimum-viable audit log on every PHI-bearing system records the user or service identity, the action, the resource (record, patient, tool), the timestamp from synchronized clocks, and the source IP or device. For LLM calls, the audit record should also capture the model provider, model name, BAA reference, prompt size, and response classification. For tool calls, it should capture the exact tool name and the field-level inputs and outputs. Critically, the log must be tamper-evident — append-only object storage, write-once-read-many media, or a log integrity hash chain.
The other two requirements buyers consistently miss are review cadence and retention. Logs that are written but never read are not audit controls. A documented weekly or monthly review of anomalous-access alerts is part of the control. And logs holding ePHI must be retained for at least 6 years from creation under 45 CFR 164.530(j) — which applies to documentation of policies, procedures, and actions.
CallSphere implementation
Every CallSphere agent — including the Healthcare Voice Agent — emits a structured audit event on every tool call, every model call, every dashboard access, and every PHI export. The events flow into an append-only log store with hash-chain integrity, retained for 7 years to cover the 6-year HIPAA minimum plus state retention extensions like CA CMIA. We log: caller phone, masked patient identifier, agent ID, tool name, tool arguments (with PHI fields named but not their values when not needed for review), tool response classification, model provider, BAA reference, and outcome. Anomalous-access detection runs over the log stream — repeated failed authentications, off-hours dashboard access, unusual data exports — and alerts our SOC and the customer's compliance officer. Across 115+ database tables we have a unified audit schema, and our customers can query "every tool call that touched patient X in the last 90 days" in seconds. See the /industries/healthcare page for a sample audit event.
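The three detection rules named above, as an added example that is not CallSphere's code or the page's own: it replays a constructed stream of audit events in time order and raises an alert for repeated failed authentications, off-hours dashboard access and unusually large PHI exports. The thresholds, the business-hours window and every sample actor and timestamp are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them per deployment.
FAILED_AUTH_THRESHOLD = 5                # failures per actor inside the window
FAILED_AUTH_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 UTC counts as on-hours
EXPORT_RECORD_LIMIT = 50                 # PHI export larger than this is unusual

def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])   # UTC ISO-8601, per checklist

def detect_anomalies(events: list) -> list:
    """Replay the stream in time order and return (rule, actor, seq) alerts
    for repeated failed auth, off-hours dashboard access and bulk PHI export."""
    alerts = []
    failures = defaultdict(list)         # actor -> recent auth-failure times
    for e in sorted(events, key=_ts):
        when, actor = _ts(e), e["actor"]
        if e["action"] == "auth" and e.get("outcome") == "fail":
            recent = [t for t in failures[actor] if when - t <= FAILED_AUTH_WINDOW]
            recent.append(when)
            failures[actor] = recent
            if len(recent) == FAILED_AUTH_THRESHOLD:   # alert once per burst
                alerts.append(("repeated_failed_auth", actor, e["seq"]))
        elif e["action"] == "dashboard_access" and when.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_dashboard_access", actor, e["seq"]))
        elif e["action"] == "phi_export" and e.get("record_count", 0) > EXPORT_RECORD_LIMIT:
            alerts.append(("unusual_export_volume", actor, e["seq"]))
    return alerts

def _ev(seq, ts, actor, action, **extra):
    return {"seq": seq, "ts": ts, "actor": actor, "action": action, **extra}

# Constructed sample stream: five failed logins in four minutes, one 03:12 UTC
# dashboard login, one in-hours login, one bulk export and one small export.
SAMPLE_EVENTS = [
    _ev(i, f"2026-03-02T09:0{i}:00+00:00", "user:alice", "auth", outcome="fail")
    for i in range(5)
] + [
    _ev(5, "2026-03-02T03:12:00+00:00", "user:bob", "dashboard_access"),
    _ev(6, "2026-03-02T10:15:00+00:00", "user:carol", "dashboard_access"),
    _ev(7, "2026-03-02T11:00:00+00:00", "svc:export", "phi_export", record_count=500),
    _ev(8, "2026-03-02T11:05:00+00:00", "svc:export", "phi_export", record_count=5),
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(alert)
```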
Build/audit checklist
- Inventory every system in the AI voice pipeline that creates, receives, maintains, or transmits ePHI.
- Define a unified audit-event schema: who, what, when, where, why.
- Log every model call with provider, model, BAA reference, prompt size, response classification.
- Log every tool call with tool name, field-level inputs and outputs, and outcome.
- Use append-only storage with hash-chain integrity to make logs tamper-evident.
- Synchronize clocks via NTP and store timestamps in UTC with sub-second precision.
- Retain logs containing or referencing ePHI for at least 6 years from creation.
- Run automated anomalous-access detection over the log stream and alert in real time.
- Document a periodic log-review cadence and keep the review notes alongside the logs.
- Test log restoration from cold storage at least annually.
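The tamper-evident, hash-chained audit record described in the requirements section and in the checklist above, as an added example that is not CallSphere's code or the page's own: each event carries the who/what/resource/when/where fields plus the per-call extras (model provider, BAA reference, prompt size, tool name, outcome), is linked to its predecessor by SHA-256, and any edit, deletion or reordering is caught on verification. Actor names, the BAA reference and all sample values are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded by the first event of a chain

def _canonical(event: dict) -> bytes:
    """Key-sorted JSON so the hash does not depend on dict ordering."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def append_event(chain: list, actor: str, action: str, resource: str,
                 source_ip: str, **details) -> dict:
    """Record who, what, which resource, when (UTC, microseconds) and from
    where; per-call extras (model provider, BAA reference, prompt size,
    tool name, field-level I/O) go in `details`. Hash covers prev_hash too."""
    event = {
        "seq": len(chain),
        "ts": datetime.now(timezone.utc).isoformat(timespec="microseconds"),
        "actor": actor, "action": action, "resource": resource,
        "source_ip": source_ip, "details": details,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    event["hash"] = hashlib.sha256(_canonical(event)).hexdigest()
    chain.append(event)
    return event

def verify_chain(chain: list) -> tuple:
    """Recompute every link; return (ok, index of first broken event or -1).
    An edited field, a deleted record or a reordered record all break it."""
    prev = GENESIS
    for i, event in enumerate(chain):
        body = {k: v for k, v in event.items() if k != "hash"}
        if body.get("seq") != i or event["prev_hash"] != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != event["hash"]:
            return False, i
        prev = event["hash"]
    return True, -1

if __name__ == "__main__":  # constructed sample events, not real traffic
    log = []
    append_event(log, "svc:llm-gateway", "model_call", "call:c-001", "10.0.0.5",
                 provider="example-provider", baa_ref="BAA-PLACEHOLDER",
                 prompt_bytes=812, response_class="contains_phi")
    append_event(log, "svc:agent", "tool_call", "patient:masked-7f3a",
                 "10.0.0.5", tool="lookup_appointment", outcome="ok")
    print(verify_chain(log))               # (True, -1)
    log[0]["details"]["prompt_bytes"] = 1  # tamper with an earlier record
    print(verify_chain(log))               # (False, 0)
```

In production the chain head (or a periodic anchor of it) should be stored outside the log store itself, since a verifier that trusts only the log it is checking cannot detect wholesale replacement.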
FAQ
How long must we retain audit logs? At least 6 years under 45 CFR 164.530(j). Some state laws extend this — California CMIA effectively requires longer retention for some records.
What about PHI inside the audit log itself? Audit logs holding PHI are themselves ePHI and must be encrypted at rest, access-controlled, and included in your risk analysis.
Can we log raw LLM prompts? You can, but you should treat the prompt log as ePHI and encrypt it. Most mature buyers store hashed or redacted prompts plus a pointer to the secured full-prompt store.
Is there a required log review cadence? HIPAA does not specify, but the OCR enforcement record and the 2024 NPRM both push toward documented periodic review — weekly or monthly is the standard most healthcare buyers adopt.
Sources
- 45 CFR 164.312(b) Audit controls: https://www.ecfr.gov/current/title-45/section-164.312
- 45 CFR 164.530(j) Documentation retention: https://www.law.cornell.edu/cfr/text/45/164.530
- NIST SP 800-66 Rev 2 HIPAA Security Rule guide: https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/final
- HHS HIPAA Security Series 4: Technical Safeguards: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html