An audit log records every meaningful event in a portal: every login, every record viewed, every document downloaded, every permission change, every record edited. For compliance (HIPAA, SOC 2, GDPR, financial regulations), audit logs must be immutable (cannot be modified or deleted, even by admins), retained (typically 1–6+ years), and queryable.
If you can’t answer “who accessed Patient X’s record in the last 90 days?” from your audit log, your audit controls are insufficient. Real audit logging is one of the strongest signals separating mature portals from immature ones.
See Secure Client Portal.