The use-cases must keep record of all system security events.
GDPR. Art. 33: Notification of a personal data breach to the supervisory authority.(5) The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
HIPAA Security Rules 164.312(a)(2)(ii): Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.