Manual Audit Log Analysis
In our previous post, we examined what healthcare privacy breaches are and the five categories that drive them — from curiosity-driven snooping to systemic access control failures. The natural next question is: how do you actually find them?
The answer starts with your audit logs.
Every electronic health record system records who accessed what patient information, when, from where, and what they did with it. These logs are the single most important tool your privacy team has. The problem is that most organizations either ignore them entirely or review them only after a complaint arrives — by which point the breach has often been happening for weeks or months.
This post is a hands-on guide to changing that. We will walk through how to access and export audit logs from your healthcare system, how to organize them in a spreadsheet for analysis, and how to identify the specific access patterns that signal each category of privacy breach. Whether you are a privacy officer conducting your first systematic audit or a compliance lead looking to strengthen an existing process, this guide gives you a practical starting point.
Key Facts at a Glance
- EHR audit logs record every access event: user ID, patient ID, action type, timestamp, workstation, and data elements viewed (Source: NIH/PMC, “Using EHR Audit Log Data for Research,” 2022).
- HIPAA requires audit log retention for a minimum of six years, with tamper-proof storage (Source: 45 CFR § 164.312(b), § 164.530(j)).
- A mid-sized hospital generates millions of audit log events per month — manual review of every event is impossible (Source: Journal of AHIMA).
- Proactive audit review detects breaches weeks or months earlier than reactive (complaint-driven) review (Source: Journal of AHIMA, “Shifting from Reactive to Proactive HIPAA Audits”).
- The proposed 2025 HIPAA Security Rule update calls for “security measures that can assist in detecting and identifying suspicious activity or unusual patterns of data access” (Source: Federal Register, 2025-01-06).
- Most major EHR systems (Epic, Cerner/Oracle Health, MEDITECH) provide built-in audit log viewers and export-to-CSV functionality.
1. Recap: What Are Healthcare Privacy Breaches?
A healthcare privacy breach is any unauthorized or inappropriate access to, use of, or disclosure of protected health information (PHI) — regardless of intent and regardless of whether harm results. Under HIPAA in the United States and provincial statutes such as Ontario’s PHIPA and Alberta’s HIA in Canada, the unauthorized access itself constitutes the violation.
In our first post, we identified five categories of breach defined by the motivation behind the unauthorized access. Each category leaves different traces in your audit logs, so understanding them is essential before you start reviewing:
A. Curiosity-Driven Snooping
Accessing records without clinical purpose — celebrity patients, neighbours, patients in the news.
B. Personal Relationship Access
Viewing records of family, friends, ex-partners, or co-workers for personal reasons.
C. Financially Motivated
Accessing or extracting PHI for identity theft, insurance fraud, or sale to third parties.
D. Malicious Disclosure
Deliberately accessing and sharing PHI to harm, embarrass, or intimidate a patient.
E. Systemic / Process-Driven
Breaches caused by organizational failures — overly broad permissions, poor de-provisioning, misconfigured access controls.
With these categories in mind, let us look at the tool that makes detection possible: the audit log.
2. How to View Audit Logs in Your Healthcare System — or Export Them to Excel
What Do Audit Logs Contain?
Every EHR system generates audit logs — timestamped records of every interaction with patient data. A 2022 NIH study described them as “a time-sequenced record of clinician activities while using the system.” While the exact format varies by vendor, the core data elements are consistent across platforms:
| Audit Log Field | What It Records | Why It Matters for Privacy |
|---|---|---|
| User ID / Name | The employee who performed the action | Identifies who accessed the record |
| User Role / Department | Clinical role, unit assignment, job title | Determines whether access aligns with job duties |
| Patient ID / Name | The patient whose record was accessed | Identifies which patients are affected |
| Action Type | View, edit, print, export, copy, delete | Distinguishes browsing from data extraction |
| Data Elements Accessed | Demographics, medications, labs, notes, billing | Reveals what specific information was seen |
| Timestamp | Date and time, often to the second | Identifies after-hours or unusual timing |
| Workstation / Device | Terminal, IP address, or device identifier | Shows on-site vs. remote access |
| Session Context | Login/logout times, session duration | Reveals brief “peek” sessions vs. clinical work |
Viewing Audit Logs In-System
The fastest way to review audit data is directly within your EHR. Most major systems provide a built-in audit log viewer that allows you to search by patient, by user, by date range, or by action type. This is the right approach when you have a specific question — such as “Who accessed Patient X’s record last week?” or “What records did Employee Y view yesterday?”
How to access the audit log viewer in common EHR systems:
Epic
Use the Access Log activity (sometimes called “Audit Log Viewer” or “Patient Access Audit”) available through the Epic menu. You can search by patient name/MRN or by user. For broader reporting, use Reporting Workbench to run an Access Log report with custom filters for date range, department, user role, or action type. Epic also supports Break-the-Glass audit trails for emergency access overrides.
Cerner (Oracle Health)
Access audit data through the Audit Vault or by running CCL (Cerner Command Language) audit queries. The Access Management module provides user-level and patient-level access reporting. For bulk analysis, results can be exported from the reporting tools.
MEDITECH
Use the Audit Trail Report within the MEDITECH platform. Reports can be filtered by user, patient, date, and transaction type. MEDITECH’s audit module tracks views, additions, modifications, and print events.
Exporting Audit Logs to Excel
For systematic analysis, export your audit logs to a CSV or delimited text file and open them in Excel (or Google Sheets). This gives you the ability to sort, filter, build pivot tables, and apply conditional formatting — turning raw access data into something you can actually read.
Step-by-step export process:
- Define the scope. Before exporting, decide what you are looking for. A full audit log dump for a large hospital can contain millions of rows. Narrow the export by date range (e.g., the past 30 days), by department, by specific patients (e.g., VIP patients, recent admissions), or by specific users under investigation. A focused export is manageable; a full export is not.
- Run the export. Use your EHR’s reporting or audit module to generate the report with the filters you defined. Export as CSV (comma-separated values) — this is universally compatible with Excel, Google Sheets, and database tools.
- Open in Excel and format as a table. Open the CSV in Excel. Select all data and format it as a table (Ctrl+T). This enables built-in sorting and filtering on every column header — essential for the analysis steps that follow.
- Validate the columns. Confirm that the export includes the key fields: User ID, User Role/Department, Patient ID, Action Type, Timestamp, and Workstation. If any fields are missing, check your export settings or consult your EHR administrator.
- Add helper columns. Create additional columns to support your analysis:
- Date (extracted from the timestamp) — for filtering by day
- Time of Day (extracted from the timestamp) — for flagging after-hours access
- Day of Week — for identifying weekend access
- On Care Team? (Y/N) — a column you will fill in during analysis, indicating whether the user was assigned to the patient’s care
What a Typical Exported Audit Log Looks Like
Once opened in Excel, your audit data will look something like this (simplified for illustration):
| Timestamp | User | Role / Dept | Patient | Action | Data Viewed | Workstation |
|---|---|---|---|---|---|---|
| 2026-03-15 08:12:04 | J. Torres, RN | Nurse / 4W Cardiology | Patient A (MRN 10042) | View | Vitals, Meds, Notes | WS-4W-03 |
| 2026-03-15 08:14:22 | J. Torres, RN | Nurse / 4W Cardiology | Patient A (MRN 10042) | Edit | Nursing Note | WS-4W-03 |
| 2026-03-15 22:47:11 | M. Chen, Clerk | Admin / Registration | Patient B (MRN 10099) | View | Demographics, Diagnosis | WS-REG-01 |
| 2026-03-16 09:05:33 | Dr. R. Patel | Physician / 4W Cardiology | Patient A (MRN 10042) | View | Labs, Notes, Imaging | WS-4W-07 |
| 2026-03-16 12:31:45 | K. Okafor, RT | Resp Therapy / 6E ICU | Patient C (MRN 10200) | View | Demographics, Psych Notes | WS-6E-02 |
| 2026-03-16 12:33:18 | K. Okafor, RT | Resp Therapy / 6E ICU | Patient D (MRN 10201) | Print | Demographics, Insurance | WS-6E-02 |
In this example, the first two rows and the fourth row look like normal clinical activity — a nurse and a physician on 4W Cardiology accessing their own patient’s record, with clinical documentation to match. The third, fifth and sixth rows raise questions: a registration clerk viewing a patient’s diagnosis late at night, and a respiratory therapist viewing psychiatric notes and printing insurance information for patients who may not be on their caseload. These are the kinds of entries your analysis should surface.
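The helper-column steps above, applied to an export shaped like this sample table, as an added Python example (not part of the original post and not an EHR vendor tool). It assumes a CSV with the column names shown, a care-team roster keyed by MRN (constructed here; in practice taken from the EHR’s care team assignment records), and the post’s after-hours boundaries of 06:00 and 21:00.

```python
import csv
import io
from datetime import datetime

# Constructed sample export mirroring the simplified table above (not real data).
SAMPLE_CSV = """timestamp,user,role_dept,patient_mrn,action,data_viewed,workstation
2026-03-15 08:12:04,J. Torres RN,Nurse / 4W Cardiology,10042,View,Vitals;Meds;Notes,WS-4W-03
2026-03-15 08:14:22,J. Torres RN,Nurse / 4W Cardiology,10042,Edit,Nursing Note,WS-4W-03
2026-03-15 22:47:11,M. Chen Clerk,Admin / Registration,10099,View,Demographics;Diagnosis,WS-REG-01
2026-03-16 09:05:33,Dr. R. Patel,Physician / 4W Cardiology,10042,View,Labs;Notes;Imaging,WS-4W-07
2026-03-16 12:31:45,K. Okafor RT,Resp Therapy / 6E ICU,10200,View,Demographics;Psych Notes,WS-6E-02
2026-03-16 12:33:18,K. Okafor RT,Resp Therapy / 6E ICU,10201,Print,Demographics;Insurance,WS-6E-02
"""

# Constructed care-team roster: MRN -> users assigned to that patient. Assumed to come
# from the EHR's care team assignment records (or the charge nurse / unit manager).
CARE_TEAM = {
    "10042": {"J. Torres RN", "Dr. R. Patel"},
    "10099": set(),
    "10200": {"Dr. R. Patel"},
    "10201": set(),
}

# Same boundaries as the post's after-hours rule: before 06:00 or at/after 21:00.
AFTER_HOURS_START, AFTER_HOURS_END = 21, 6


def is_after_hours(ts: datetime) -> bool:
    return ts.hour < AFTER_HOURS_END or ts.hour >= AFTER_HOURS_START


def enrich(csv_text: str, care_team: dict) -> list:
    """Parse an exported audit log and add the helper columns described in the post."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
        r["date"] = ts.date().isoformat()            # Date helper column
        r["time_of_day"] = ts.strftime("%H:%M:%S")   # Time of Day helper column
        r["day_of_week"] = ts.strftime("%A")         # Day of Week helper column
        r["after_hours"] = is_after_hours(ts)
        r["weekend"] = ts.weekday() >= 5
        # "On Care Team?" column: Y/N against the roster, "?" when the patient is not listed.
        assigned = care_team.get(r["patient_mrn"])
        r["on_care_team"] = "?" if assigned is None else ("Y" if r["user"] in assigned else "N")
        rows.append(r)
    return rows


def flagged(rows: list) -> list:
    """Rows a reviewer should open first: after-hours access or access by a non-care-team user."""
    return [r for r in rows if r["after_hours"] or r["on_care_team"] != "Y"]


if __name__ == "__main__":
    for r in flagged(enrich(SAMPLE_CSV, CARE_TEAM)):
        print(r["timestamp"], r["user"], r["patient_mrn"], r["action"],
              "AFTER HOURS" if r["after_hours"] else "", "care team: " + r["on_care_team"])
```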
3. How to Analyze Audit Logs to Detect Privacy Breaches
With your audit data exported and formatted, the next step is analysis. The goal is to identify access events that cannot be explained by a legitimate clinical or administrative purpose. Below, we walk through specific analysis techniques — mapped to each breach category — that you can perform in Excel today.
Analysis Technique 1: Detect Curiosity-Driven Snooping
What to look for
Curiosity snooping typically follows a triggering event — a newsworthy admission, a community incident, a celebrity patient. It produces a distinctive pattern: multiple unrelated users accessing the same patient record within a short timeframe.
How to find it in Excel
- Filter by patient. Start with high-risk patients: VIPs, well-known community members, patients involved in newsworthy events, or patients who have filed privacy complaints. Filter the spreadsheet to show only access events for that patient.
- Sort by timestamp. Look at the chronological sequence of who accessed the record and when.
- Build a pivot table: Rows = User Name, Columns = Date, Values = Count of access events. This shows you at a glance how many different users accessed the patient’s record each day — and who they were.
- Flag non-care-team users. Cross-reference each accessing user against the patient’s care team (available from your EHR’s care team assignment records, or from the charge nurse / unit manager). Mark each row in your “On Care Team?” helper column. Any user not on the care team requires further review.
- Look for “view-only” sessions. Filter for access where the action type is “View” only — no corresponding documentation, orders, or charting for that patient by that user. Brief view-only access without clinical follow-through is the hallmark of snooping.
Analysis Technique 2: Detect Personal Relationship Access
What to look for
Employees accessing records of people they know personally — family, friends, ex-partners, co-workers. These breaches are harder to detect because the employee often accesses only one or two specific patients, and may do so only once or twice.
How to find it in Excel
- Shared surname or address check. If your export includes patient demographics and you have access to employee records, look for cases where the employee and patient share a last name, home address, emergency contact, or phone number. Even a simple VLOOKUP or MATCH comparing employee surnames to the patient name column can surface obvious cases.
- Self-access. Filter for instances where the employee accessed their own record — this is a common and easily detectable violation in systems that don’t block self-access.
- Repeated access to a single non-assigned patient. Build a pivot table: Rows = User, Columns = Patient, Values = Count. Look for users who accessed the same non-care-team patient repeatedly across multiple days. One access might be an accident; repeated access to the same person without a care relationship is a strong indicator.
- Sensitive section access. If your audit log records which data elements were viewed, filter for access to mental health notes, sexual health records, substance use treatment, or reproductive health — specifically by users not assigned to those care areas. These are the record sections most commonly targeted in relationship-motivated breaches.
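Techniques 1 and 2 expressed as code: an added Python example, not from the original post, that runs the non-care-team pivot, the view-only (documentation) test, the repeated-access check, the self-access check and a surname match over a constructed sample export. The care-team roster, the employee-to-MRN mapping and the user IDs are assumptions standing in for your EHR and HR records.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data). Patient 20001 is a newsworthy admission;
# patient 20002 is someone user u105 knows personally; user IDs are assumed to be stable.
SAMPLE_CSV = """date,user_id,user_name,patient_mrn,patient_name,action
2026-03-10,u101,A. Rivera,20001,P. Lee,View
2026-03-10,u102,B. Shah,20001,P. Lee,View
2026-03-10,u103,C. Novak,20001,P. Lee,View
2026-03-10,u104,D. Kim,20001,P. Lee,View
2026-03-10,u101,A. Rivera,20001,P. Lee,Edit
2026-03-11,u105,E. Dubois,20002,F. Dubois,View
2026-03-13,u105,E. Dubois,20002,F. Dubois,View
2026-03-14,u105,E. Dubois,20002,F. Dubois,View
2026-03-14,u102,B. Shah,20003,B. Shah,View
"""

# Constructed care-team roster (MRN -> assigned user IDs) and an assumed HR-derived
# mapping from employee user ID to the employee's own chart.
CARE_TEAM = {"20001": {"u101"}, "20002": set(), "20003": set()}
EMPLOYEE_MRN = {"u102": "20003"}


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def non_care_team_by_day(rows, care_team, mrn):
    """Technique 1 pivot: for one patient, which non-care-team users opened the chart each day."""
    pivot = defaultdict(set)
    for r in rows:
        if r["patient_mrn"] == mrn and r["user_id"] not in care_team.get(mrn, set()):
            pivot[r["date"]].add(r["user_id"])
    return dict(pivot)


def view_only_pairs(rows):
    """Documentation test: (user, patient) pairs whose only action type is View."""
    actions = defaultdict(set)
    for r in rows:
        actions[(r["user_id"], r["patient_mrn"])].add(r["action"])
    return sorted(k for k, v in actions.items() if v == {"View"})


def repeated_non_assigned(rows, care_team, min_days=2):
    """Technique 2: non-care-team users who returned to the same chart on several days."""
    days = defaultdict(set)
    for r in rows:
        if r["user_id"] not in care_team.get(r["patient_mrn"], set()):
            days[(r["user_id"], r["patient_mrn"])].add(r["date"])
    return sorted(k for k, d in days.items() if len(d) >= min_days)


def self_access(rows, employee_mrn):
    """Technique 2: users who opened their own chart."""
    return sorted({r["user_id"] for r in rows
                   if employee_mrn.get(r["user_id"]) == r["patient_mrn"]})


def shared_surname(rows):
    """Technique 2: crude surname match (last name token) between user and patient, excluding self."""
    hits = set()
    for r in rows:
        same_surname = r["user_name"].split()[-1].lower() == r["patient_name"].split()[-1].lower()
        if same_surname and r["user_name"] != r["patient_name"]:
            hits.add((r["user_id"], r["patient_mrn"]))
    return sorted(hits)
```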
Analysis Technique 3: Detect Financially Motivated Breaches
What to look for
Financial breaches involve data extraction, not just viewing. The audit trail is often more distinctive because the employee needs to get data out of the system.
How to find it in Excel
- Filter by action type. Immediately filter for high-risk actions: Print, Export, Download, Copy. These actions represent data leaving the system and deserve scrutiny in every review, regardless of who performed them.
- Volume analysis. Build a pivot table: Rows = User, Values = Count of records accessed. Sort descending. Look for users whose access volumes are significantly higher than peers in the same role. A registration clerk who views 200 patient records in a shift when peers view 40 is an outlier worth investigating.
- Demographic and financial field access. If your log records data elements, filter for disproportionate access to demographics, insurance information, Social Security / Social Insurance numbers, or billing records — especially by users whose role does not require that data.
- Off-hours extraction. Combine filters: action type = Print or Export, AND time of day = outside business hours (before 6:00 AM or after 9:00 PM), AND day of week = Saturday or Sunday. Data export during off-hours by users with no scheduled shift is a high-priority flag.
Tip: to build the Time of Day flag for this filter, add a helper column with a formula such as =IF(OR(HOUR(timestamp)<6, HOUR(timestamp)>=21),"AFTER HOURS",""), replacing timestamp with the cell reference of the Timestamp column (Excel must recognise that column as a date/time value rather than plain text). Then filter on this column to isolate late-night and early-morning activity.
Analysis Technique 4: Detect Malicious or Retaliatory Disclosure
What to look for
Malicious breaches are the hardest to detect through audit logs alone because they are often single, targeted events rather than patterns. However, they can be identified through correlation with external information.
How to find it in Excel
- Correlate with known events. If a patient reports that their private health information has been disclosed (e.g., their HIV status was shared in their community), pull all audit log entries for that patient in the weeks preceding the reported disclosure. Identify every user who accessed the record and investigate each one for a legitimate care purpose.
- Cross-reference with HR records. If an employee is involved in a workplace conflict, disciplinary action, or complaint — and the other party is also a patient — check whether the employee accessed that person’s record around the time of the dispute.
- Look for targeted sensitive-section access. A single access to an individual’s HIV status, psychiatric diagnosis, substance use, or reproductive records — by a user with no clinical relationship to that patient — is a high-severity flag even if it occurs only once.
Analysis Technique 5: Detect Systemic and Process-Driven Breaches
What to look for
Systemic breaches are organizational, not individual. They often affect large numbers of patients and persist until someone notices the structural problem.
How to find it in Excel
- Former employee access. Obtain a list of employees who have left the organization or changed roles in the past 90 days. Cross-reference their user IDs against your audit log export. Any access events after their departure date indicate a de-provisioning failure — a reportable breach.
- Role-volume mismatch. Build a pivot table: Rows = User Role, Values = Average count of records accessed per user. Compare roles. If administrative or IT support staff are accessing clinical records at volumes comparable to clinicians, the access permissions are likely too broad.
- Post-change anomalies. If a system upgrade, migration, or configuration change occurred during your review period, compare access volumes and patterns in the week before and the week after the change. A sudden spike in access by users who previously had no access to certain records suggests that controls were inadvertently altered.
- Permission creep. Review users who hold multiple roles or have transferred between departments. Check whether their current access level reflects their current role only, or whether they have accumulated permissions from previous positions. In the audit log, this appears as access spanning multiple unrelated clinical areas.
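Techniques 3 and 5 as code: an added Python example (not from the original post) that flags off-hours Print/Export/Download/Copy events, users whose event volume is at least 2x the median of users in the same role (the threshold the review schedule below uses), and any access after an employee’s departure date. The sample export and the HR departure list are constructed; the 06:00/21:00 and weekend boundaries are the post’s.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date, datetime
from statistics import median

# Constructed sample export (not real data); one row per access event.
SAMPLE_CSV = """timestamp,user_id,role,patient_mrn,action
2026-03-14 02:15:00,u201,Registration Clerk,30001,Export
2026-03-14 02:16:30,u201,Registration Clerk,30002,Print
2026-03-16 10:00:00,u201,Registration Clerk,30003,View
2026-03-16 10:05:00,u202,Registration Clerk,30004,View
2026-03-16 11:00:00,u203,Registration Clerk,30005,View
2026-03-17 09:30:00,u204,Nurse,30001,View
2026-03-17 09:31:00,u204,Nurse,30001,Edit
2026-03-18 14:00:00,u205,Nurse,30006,View
2026-03-18 14:03:00,u205,Nurse,30006,Edit
2026-03-19 08:00:00,u206,Nurse,30007,Print
"""

# Actions that represent data leaving the system (from Technique 3).
HIGH_RISK_ACTIONS = {"Print", "Export", "Download", "Copy"}

# Constructed HR departure list: user_id -> last working day (assumed to come from HR).
DEPARTURES = {"u206": date(2026, 3, 15)}


def load(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows


def off_hours(ts):
    # Post's definition: before 06:00, at/after 21:00, or a Saturday/Sunday.
    return ts.hour < 6 or ts.hour >= 21 or ts.weekday() >= 5


def off_hours_extraction(rows):
    """Technique 3: high-risk actions performed outside business hours."""
    return [(r["timestamp"], r["user_id"], r["action"]) for r in rows
            if r["action"] in HIGH_RISK_ACTIONS and off_hours(r["ts"])]


def volume_outliers(rows, factor=2.0):
    """Techniques 3 and 5: users whose event count is >= factor x the median for their role."""
    per_user = Counter((r["role"], r["user_id"]) for r in rows)
    by_role = defaultdict(list)
    for (role, uid), n in per_user.items():
        by_role[role].append(n)
    return sorted(uid for (role, uid), n in per_user.items()
                  if len(by_role[role]) > 1 and n >= factor * median(by_role[role]))


def former_employee_access(rows, departures):
    """Technique 5: any event after the departure date is a de-provisioning failure."""
    return sorted({(r["user_id"], r["timestamp"]) for r in rows
                   if r["user_id"] in departures and r["ts"].date() > departures[r["user_id"]]})
```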
Putting It All Together: A Practical Review Schedule
Manual audit log analysis is time-intensive. You cannot review everything, so you need to prioritize. Here is a practical review schedule that balances thoroughness with feasibility:
| Review Type | Frequency | Focus |
|---|---|---|
| VIP / High-Profile Patient Review | Within 48 hours of admission | All non-care-team access to flagged patients |
| Event-Triggered Review | Within 24-48 hours of trigger | Access following newsworthy events, media reports, or internal incidents |
| High-Risk Action Review | Weekly | All print, export, and download actions — especially off-hours |
| Random Sample Review | Monthly | Random selection of 50-100 access events reviewed for care-team alignment |
| Former Employee Audit | Monthly | Cross-reference departures/transfers against active access logs |
| Volume Outlier Review | Monthly | Users whose access volume exceeds role-based norms by 2x or more |
Frequently Asked Questions
How do I export EHR audit logs to Excel?
Most major EHR systems provide a built-in audit log export function. In Epic, run an Access Log report through Reporting Workbench and export to CSV. In Cerner (Oracle Health), use the Audit Vault or CCL audit queries and export results. In MEDITECH, use the Audit Trail Report and export to delimited text. Once exported as CSV, open the file in Excel, select all data, and format as a table (Ctrl+T) to enable sorting and filtering. Always handle exports securely — audit data contains sensitive access information and should be treated as confidential.
What should I look for first when reviewing healthcare audit logs?
Start with the highest-risk items: (1) access to VIP or newsworthy patient records by non-care-team members, (2) print, export, or download actions — especially during off-hours, and (3) access by former employees or users who recently changed roles. These three checks catch the most common and most serious breach categories and can be performed quickly with basic Excel filtering.
How often should healthcare organizations manually review audit logs?
At minimum: within 48 hours for VIP or event-triggered reviews, weekly for high-risk actions (print/export), and monthly for random sampling, volume outlier analysis, and former employee audits. However, manual review has inherent limitations at scale — a mid-sized hospital generates millions of access events monthly, making comprehensive manual analysis impractical. Manual review is an important starting point; automated monitoring is where most organizations need to move.
Can Excel handle healthcare audit log analysis?
Excel is effective for targeted, periodic reviews — sorting by patient, filtering by user or action type, building pivot tables to spot outliers, and applying conditional formatting to flag after-hours access. However, Excel has significant limitations for ongoing monitoring: it cannot process millions of rows efficiently, requires manual refresh, cannot automatically cross-reference access with care team assignments or schedules, and provides no real-time alerting. Excel is a reasonable starting point, but it does not scale to continuous proactive monitoring.
What is the “documentation test” for identifying unauthorized access?
The documentation test is a practical heuristic used in privacy investigations. In legitimate clinical access, the audit log typically shows not just a record view but a corresponding clinical action — a note documented, an order entered, a result acknowledged, a medication administered. Access that produces no corresponding clinical documentation is the single strongest indicator that the access may not have had a legitimate purpose. It is not proof by itself, but it is the most reliable flag for further investigation.
What are the limitations of manual audit log review?
Manual review in Excel is limited in several key ways: it can only analyze the data you export (it is not continuous), it cannot alert you in real time when a suspicious access occurs, it cannot automatically determine whether a user was on the patient’s care team, it struggles with the data volumes that even a mid-sized hospital produces, and it depends entirely on the reviewer’s time and consistency. These limitations mean that manual review will inevitably miss breaches that a continuous, automated system would catch — particularly low-frequency events like single-instance snooping on a personal acquaintance.
Sources and References
- NIH / PMC — Using Electronic Health Record Audit Log Data for Research (2022) — audit log data elements and structure
- ScienceDirect — EHR Audit Logs: A New Goldmine for Health Services Research? — audit log capabilities and research applications
- Journal of AHIMA — Shifting from Reactive to Proactive HIPAA Audits — the case for proactive monitoring
- Federal Register (2025-01-06) — HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information — proposed rule on suspicious activity detection
- U.S. Department of Health & Human Services — HIPAA Audit Protocol (45 CFR § 164.312(b), § 164.530(j)) — audit log and retention requirements
- Kiteworks — HIPAA Audit Logs: Complete Requirements for Compliance — practical compliance guidance
- AccountableHQ — Audit Controls to Detect HIPAA Employee Snooping: A Practical Guide — snooping detection methods
- Bluesight — How to Monitor EHR Access Patterns for HIPAA Compliance — access pattern monitoring strategies
- Ontario Information and Privacy Commissioner — Stamping Out Snooping Once and for All — regulatory expectations
- HHS Office for Civil Rights — Enforcement actions and penalty data (2025) — regulatory consequences
Ready to Move Beyond Excel? RiskIntelligence Privacy Monitor Does What Manual Review Cannot.
Manual audit log review is an important first step — and if you are doing it, you are ahead of most organizations. But you already know its limits: you cannot review every access event, you cannot monitor continuously, and you cannot automatically cross-reference access with care team assignments, schedules, and clinical context.
RiskIntelligence Privacy Monitor picks up where spreadsheets leave off. It continuously analyzes your EHR audit logs, understands clinical context, and surfaces the events that matter — so your privacy team investigates real risks, not spreadsheet rows.
Start detecting breaches as they happen — not weeks later in a spreadsheet.
