Skip to main content
Every action that touches PHI in your practice is recorded. As a practice admin you can view, filter, and export the audit log — for routine oversight, incident investigation, or HIPAA audit response.

The audit log view

Settings → Security → Audit logs. Requires the admin role. Each row shows:
ColumnWhat it means
TimestampUTC, millisecond precision
ActorUser ID, role at time of action, auth method
Event typeaccess, create, update, delete, export, disclosure, auth, settings
ResourceModel + ID (e.g. OverturnableDenial#1234) — not the PHI content
ActionHTTP method + route or service call
ResultSuccess / failure / denied
IP + UAFor troubleshooting and incident investigation
Request IDCorrelates with application logs

Filters

  • By actor (user, role)
  • By event type
  • By resource type
  • By date range
  • By result (show only failures / only denied)
  • By IP

What’s captured

Opening a denial, viewing a document, listing patients — all audit-logged.
Creating, updating, or deleting a PHI-bearing record.
Data exports — CSV, XLSX, JSON, PDF. The exported content isn’t logged, but the fact of the export and the scope are.
Sign-in success, sign-in failure, 2FA enroll/use/reset, passkey register/delete, account lockout, session termination.
Role changes, user invites, user removals, settings changes, bulk operations, audit log access itself.
When Pundit denies an action, we log it — helps detect enumeration attempts.

What’s NOT captured

  • The actual content of PHI being accessed — audit entries are metadata.
  • API response bodies — to keep the audit log from becoming a second copy of your data.
This is intentional: we don’t want the audit log to need the same level of protection as the source PHI.

Retention

  • 7 years — exceeds the HIPAA minimum of 6 years.
  • Stored in Cloud Logging with an independent immutable archive.
  • Cleanup is automated for entries older than 7 years; before that, no admin (including Denialbase internal) can delete entries.

Export

1

Settings → Security → Audit logs → Export

Filter to the date range or scope you need.
2

Choose format

CSV for spreadsheet analysis, JSON for programmatic review.
3

Download

Available within 10 minutes for typical ranges. Larger exports are emailed when ready.
The export itself is an audit-logged event. Downloading 10,000 log rows will show up as a settings.audit_log.export entry in the audit log.

Using the audit log for investigations

If you suspect improper access:
  1. Filter by the suspect user and date range.
  2. Look for patterns: off-hours access, unusually broad queries, bulk exports.
  3. Export the filtered slice for formal review.
  4. Suspend the account if warranted — see Team management.
  5. If you believe a breach may have occurred, notify security@denialbase.com — we can help with the incident response.

Integrating with your SIEM

  • Cloud Logging sink — enterprise customers can have audit events streamed to their own GCP project via a Cloud Logging sink. Contact support.
  • Webhook — per-event webhook (Q3 2026).

Underlying architecture

See Audit logging for the full architecture, integrity controls, and retention policy.