Log all API requests involving ePHI. ## Acceptance criteria - [ ] Log: timestamp, client ID, endpoint, response code, data accessed - [ ] Do not log actual ePHI in logs - [ ] Retain API logs for minimum 6 years - [ ] Real-time alerting for anomalous patterns --- **Source:** § 4.1.2 > Covered entities MUST log all API requests involving ePHI.
Log all API requests involving ePHI.
Acceptance criteria
Source: § 4.1.2