HIPAA Compliant Logging and Archiving for Audit Trails

I’m looking at using the pgaudit extension on my PostgreSQL database to maintain an audit trail, which as I understand it would create the audit trail in the Postgres logs.

What are the best practices around logging and archiving those logs in a HIPAA compliant environment? I see archiving to S3 mentioned in the Aptible Log Drain documentation as well as the documentation for tools like Datadog and Mezmo (LogDNA), but if logs are archived to an S3 account I control then HIPAA data has left the managed Aptible/Datadog/Mezmo stack and I’m responsible for ensuring my AWS account’s HIPAA compliance, which is what I’m trying to avoid/delegate as much as possible by using Aptible/Datadog/Mezmo in the first place. Is the trick just to exclude PHI/PII from the logs? If that’s the case, is an audit trail without the details of what changed “good enough” for HIPAA (i.e. “user X changed record B”, not “user X changed the phone number in record B to 1234556789”)?

Does anyone have experience maintaining an audit trail for HIPAA using the pgaudit extension? Or maybe even maintaining an audit trail at the application level (I’m using Python and SQLAlchemy)?
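One way to do the log-side scrubbing the post asks about, as an added example in Python that is not from the post, pgaudit or Aptible: it assumes a `log_line_prefix` of `'%m [%p] %u@%d '` and pgaudit's SESSION CSV layout, parses each `AUDIT:` line, and keeps only the role, database, command, object and a literal-free "shape" of the statement, so the forwarded record says which columns of which table changed without the values.

```python
import csv
import io
import re
from typing import Optional

# Assumes log_line_prefix = '%m [%p] %u@%d ' (a common choice, not from the post),
# so role and database are on every line; pgaudit's fields follow "AUDIT:" as one CSV row.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+AUDIT: (?P<csv>.*)$"
)
STRING_LIT = re.compile(r"'(?:[^']|'')*'")            # SQL string literals
NUM_LIT = re.compile(r"(?<![\w.])-?\d+(?:\.\d+)?\b")  # bare numbers, not digits inside identifiers

# Constructed sample log lines (not real pgaudit output from the post).
SAMPLE_LOG = """\
2024-03-05 14:02:11.532 UTC [4321] app_user@clinic LOG:  AUDIT: SESSION,7,1,WRITE,UPDATE,TABLE,public.patients,"UPDATE patients SET phone = '555-0100' WHERE id = 42",<not logged>
2024-03-05 14:02:12.004 UTC [4321] app_user@clinic LOG:  AUDIT: SESSION,8,1,READ,SELECT,TABLE,public.patients,"SELECT name, dob FROM patients WHERE mrn = 'MRN-00017'",<not logged>
2024-03-05 14:02:12.100 UTC [4321] app_user@clinic LOG:  statement: SELECT 1
"""


def redact_literals(sql: str) -> str:
    """Keep the statement's shape (verb, table, columns) but replace every literal with '?'."""
    return NUM_LIT.sub("?", STRING_LIT.sub("?", sql))


def parse_pgaudit_line(line: str) -> Optional[dict]:
    """Return a PHI-free record for a pgaudit line, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = next(csv.reader(io.StringIO(m.group("csv"))))
    # pgaudit SESSION layout: type,stmt_id,substmt_id,class,command,object_type,object_name,statement,parameter
    _type, _sid, _ssid, cls, cmd, obj_type, obj_name, statement = fields[:8]
    return {
        "timestamp": m.group("ts"), "user": m.group("user"), "database": m.group("db"),
        "class": cls, "command": cmd, "object_type": obj_type, "object_name": obj_name,
        # Literals are stripped, so the forwarded record says what changed, never to what value.
        "statement_shape": redact_literals(statement),
    }


def scrub_log(text: str) -> list[dict]:
    """Reduce a log dump to the audit events that are safe to forward to a log drain."""
    return [rec for rec in map(parse_pgaudit_line, text.splitlines()) if rec]

if __name__ == "__main__":
    for rec in scrub_log(SAMPLE_LOG):
        print(rec["timestamp"], rec["user"], rec["command"], rec["object_name"], rec["statement_shape"])
```

Stripping the literals also drops the row key from the WHERE clause, so the "record B" part of "user X changed record B" has to be supplied by the application layer if it is needed; the regexes are best-effort and should be checked against the statement styles the application actually emits.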