
Audit Log & Compliance

Immutable per-clinic audit trail: every login, record access, edit, deletion, and payment — with user ID, IP, and timestamp.

Last updated 2026-05-15T23:54:42.185064+00:00

What the audit log records

The audit log is an immutable, append-only record of every action taken in your clinic.


Every log entry records:

  • Timestamp (UTC, millisecond precision)
  • User ID and full name
  • User role at time of action
  • IP address (IPv4/IPv6)
  • User agent (browser and OS)
  • Action type (see categories below)
  • Resource type and ID (e.g. Patient P-1042, Invoice INV-2026-00391)
  • Change summary (for edits: previous value → new value)

ACTION CATEGORIES


Authentication:

login.success, login.failed, logout, password_reset, 2fa_enabled, 2fa_disabled, device_remembered, account_locked


Patients:

patient.created, patient.updated, patient.deleted, patient.viewed, patient.exported


Clinical:

session.opened, session.saved, prescription.issued, lab_order.created, referral.generated


Billing:

invoice.created, invoice.issued, payment.collected, invoice.voided, installment.paid


Appointments:

appointment.created, appointment.cancelled, appointment.status_changed, appointment.rescheduled


Admin:

staff.invited, staff.deactivated, settings.changed, print_template.updated, webhook.created


FILTERING AND EXPORT

Audit Log > Filter by: date range, user, action type, resource type, IP address.

Export as CSV for HIPAA/GAHAR compliance reporting. All exports are themselves logged (audit_log.exported).

Compliance and retention

RETENTION POLICY

Audit logs are retained for a minimum of 2 years, matching Egyptian MOH medical record requirements. Logs older than 2 years may be archived to cold storage but are not deleted.


DATA PROTECTION LAW COMPLIANCE (Egypt Law 151/2020)

The audit log provides the technical basis for compliance with Egypt's Personal Data Protection Law:

  • Right to access: patients can request a summary of who accessed their record and when
  • Breach notification: the audit log is the first source for identifying the scope of any data access incident
  • Data controller records: each log entry identifies the controller (clinic) and processor (Clinit)
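
Added example (not Clinit's code): one way to answer a right-to-access request and to scope an access incident from an exported audit log CSV. The column names, the timestamp format, and the sample rows are assumptions constructed for illustration; the page does not document the export schema.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names are assumptions, not a documented schema.
SAMPLE_CSV = """timestamp,user_id,user_name,role,ip,action,resource_type,resource_id
2026-05-10T09:15:02.123Z,U-7,Dr. Example A,doctor,203.0.113.10,patient.viewed,Patient,P-1042
2026-05-10T09:20:45.880Z,U-7,Dr. Example A,doctor,203.0.113.10,patient.updated,Patient,P-1042
2026-05-11T22:03:11.004Z,U-9,Example B,receptionist,198.51.100.77,login.success,User,U-9
2026-05-11T22:04:30.551Z,U-9,Example B,receptionist,198.51.100.77,patient.viewed,Patient,P-1042
2026-05-11T22:05:02.019Z,U-9,Example B,receptionist,198.51.100.77,patient.exported,Patient,P-2001
2026-05-12T08:00:00.000Z,U-7,Dr. Example A,doctor,203.0.113.10,invoice.created,Invoice,INV-2026-00391
"""

def parse_ts(value):
    # Timestamps are UTC with millisecond precision; normalise the "Z" suffix.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load_rows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = parse_ts(row["timestamp"])
    return sorted(rows, key=lambda r: r["ts"])

def access_summary(rows, patient_id):
    """Who touched one patient's record and when (right-to-access request)."""
    return [
        (r["timestamp"], r["user_name"], r["role"], r["action"])
        for r in rows
        if r["resource_type"] == "Patient" and r["resource_id"] == patient_id
    ]

def incident_scope(rows, start, end, user_id=None, ip=None):
    """Patient records touched by a user and/or IP inside a window (breach scoping)."""
    if user_id is None and ip is None:
        raise ValueError("give a user_id, an ip, or both")
    lo, hi = parse_ts(start), parse_ts(end)
    scope = {}
    for r in rows:
        actor = (user_id is None or r["user_id"] == user_id) and (ip is None or r["ip"] == ip)
        if actor and lo <= r["ts"] <= hi and r["resource_type"] == "Patient":
            scope.setdefault(r["resource_id"], []).append(r["action"])
    return scope

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(access_summary(rows, "P-1042"))
    print(incident_scope(rows, "2026-05-11T00:00:00.000Z", "2026-05-12T00:00:00.000Z", ip="198.51.100.77"))
```

Filtering on IP as well as user ID matters when scoping an incident, because a compromised session may act under a legitimate user ID from an unfamiliar address.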

HIPAA ALIGNMENT

Although Egyptian clinics are not directly subject to HIPAA, Clinit's audit log meets HIPAA Security Rule requirements (§164.312(b)):

  • Unique user identification in every entry
  • Emergency access procedures logged
  • Automatic log-off (session timeout) recorded
  • Audit controls (hardware/software/procedural mechanisms)

GAHAR ACCREDITATION

The audit log export (CSV or PDF summary) satisfies the medical record and information security documentation requirements for GAHAR hospital/clinic accreditation.


ACCESSING THE AUDIT LOG

Clinic Management > Audit Log. Available to Clinic Owner role only. Doctors and receptionists cannot access the audit log (their own actions can be reviewed by the Clinic Owner).
