PATIENT ADMINISTRTAION (PA) Workgroup Development Draft

6.6 Resource AuditEvent - Content

This resource maintained by the Security Work Group

A record of an event made for purposes of maintaining a security log. Typical uses include detection of intrusion attempts and monitoring for inappropriate usage.

6.6.1 Scope and Usage

The audit event is based on the ATNA Audit record definitions, originally from RFC 3881, and now managed by DICOM (see DICOM Part 15 Annex A5). This resource is managed collaboratively between HL7, DICOM, and IHE for the MHD/mHealth initiatives.

The primary purpose of this resource is the maintenance of audit log information. However, it can also be used for simple event-based notification or even general indexing of resources stored in a variety of repositories.

6.6.2 Background and Context

Servers that provide support for Audit Event resources should not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record.

Audit Events are created as events occur, to track and audit the events. Audit Event resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource was obtained. Provenance resources are prepared by the application that initiates the create/update etc. of the resource.

6.6.3 Resource Content

Structure

NameFlagsCard.TypeDescription & Constraintsdoco
.. AuditEvent DomainResourceEvent record kept for security purposes
... event 1..1ElementWhat was done
.... type 1..1CodeableConceptType/identifier of event
Audit Event ID (Required)
.... subtype 0..*CodeableConceptMore specific type/id for the event
Audit Event Sub-Type (Required)
.... action 0..1codeType of action performed during the event
AuditEventAction (Required)
.... dateTime 1..1instantTime when the event occurred on source
.... outcome 0..1codeWhether the event succeeded or failed
AuditEventOutcome (Required)
.... outcomeDesc 0..1stringDescription of the event outcome
.... purposeOfEvent 0..*CodingThe purposeOfUse of the event
... participant I1..*ElementA person, a hardware device or software process
Either a userId or a reference, but not both
.... role 0..*CodeableConceptUser roles (e.g. local RBAC codes)
Audit Active Participant Role ID Code (Required)
.... reference I0..1Practitioner | Organization | Device | Patient | RelatedPersonDirect reference to resource
.... userId I0..1stringUnique identifier for the user
.... altId 0..1stringAlternative User id e.g. authentication
.... name 0..1stringHuman-meaningful name for the user
.... requestor 1..1booleanWhether user is initiator
.... location 0..1LocationWhere
.... policy 0..*uriPolicy that authorized event
.... media 0..1CodingType of media
.... network 0..1ElementLogical network location for application activity
..... identifier 0..1stringIdentifier for the network access point of the user device
..... type 0..1codeThe type of network access point
AuditEventParticipantNetworkType (Required)
.... purposeOfUse 0..*CodingParticipant purposeOfUse
... source 1..1ElementApplication systems and processes
.... site 0..1stringLogical source location within the enterprise
.... identifier 1..1stringThe id of source where event originated
.... type 0..*CodingThe type of source where event originated
Audit Event Source Type (Required)
... object I0..*ElementSpecific instances of data or objects that have been accessed
Either a name or a query (or both)
Either an identifier or a reference, but not both
.... identifier I0..1IdentifierSpecific instance of object (e.g. versioned)
.... reference I0..1AnySpecific instance of resource (e.g. versioned)
.... type 0..1codeType of object involved
AuditEventObjectType (Required)
.... role 0..1codeWhat role the Object played
AuditEventObjectRole (Required)
.... lifecycle 0..1codeLife-cycle stage for the object
AuditEventObjectLifecycle (Required)
.... sensitivity 0..1CodeableConceptPolicy-defined sensitivity for the object
Audit Event Object Sensitivity (Example)
.... name I0..1stringInstance-specific descriptor for Object
.... description 0..1stringDescriptive text
.... query I0..1base64BinaryActual query for object
.... detail 0..*ElementAdditional Information about the Object
..... type 1..1stringName of the property
..... value 1..1base64BinaryProperty value

UML Diagram

AuditEvent (DomainResource)EventIdentifier for a family of the eventtype : CodeableConcept 1..1 « Type of eventAudit Event ID »Identifier for the category of eventsubtype : CodeableConcept 0..* « Sub-type of eventAudit Event Sub-Type »Indicator for type of action performed during the event that generated the auditaction : code 0..1 « Indicator for type of action performed during the event that generated the audit.AuditEventAction »The time when the event occurred on the sourcedateTime : instant 1..1Indicates whether the event succeeded or failedoutcome : code 0..1 « Indicates whether the event succeeded or failedAuditEventOutcome »A free text description of the outcome of the eventoutcomeDesc : string 0..1The purposeOfUse (reason) that was used during the event being recordedpurposeOfEvent : Coding 0..*ParticipantSpecification of the role(s) the user plays when performing the event. Usually the codes used in this element are local codes defined by the role-based access control security system used in the local contextrole : CodeableConcept 0..* « Role(s) the user plays (from RBAC)Audit Active Participant Role ID Code »Direct reference to a resource that identifies the participantreference : Reference(Practitioner|Organization| Device|Patient|RelatedPerson) 0..1Unique identifier for the user actively participating in the eventuserId : string 0..1Alternative Participant Identifier. For a human, this should be a user identifier text string from authentication system. This identifier would be one known to a common authentication system (e.g., single sign-on), if availablealtId : string 0..1Human-meaningful name for the username : string 0..1Indicator that the user is or is not the requestor, or initiator, for the event being auditedrequestor : boolean 1..1Where the event occurredlocation : Reference(Location) 0..1The policy or plan that authorized the activity being recorded. Typically, a single activity may have multiple applicable policies, such as patient consent, guarantor funding, etc. The policy would also indicate the security token usedpolicy : uri 0..*Type of media involved. Used when the event is about exporting/importing onto mediamedia : Coding 0..1The purposeOfUse (reason) specific to this participant that was used during the event being recordedpurposeOfUse : Coding 0..*NetworkAn identifier for the network access point of the user device for the audit eventidentifier : string 0..1An identifier for the type of network access point that originated the audit eventtype : code 0..1 « The type of network access point of this participant in the audit eventAuditEventParticipantNetworkType »SourceLogical source location within the healthcare enterprise networksite : string 0..1Identifier of the source where the event originatedidentifier : string 1..1Code specifying the type of source where event originatedtype : Coding 0..* « Code specifying the type of system that detected and recorded the eventAudit Event Source Type »ObjectIdentifies a specific instance of the participant object. The reference should always be version specificidentifier : Identifier 0..1Identifies a specific instance of the participant object. The reference should always be version specificreference : Reference(Any) 0..1The type of the object that was involved in this audit eventtype : code 0..1 « Code for the object type involved auditedAuditEventObjectType »Code representing the functional application role of Participant Object being auditedrole : code 0..1 « Code representing the role the Object played in the eventAuditEventObjectRole »Identifier for the data life-cycle stage for the participant objectlifecycle : code 0..1 « Identifier for the data life-cycle stage for the objectAuditEventObjectLifecycle »Denotes policy-defined sensitivity for the Participant Object ID such as VIP, HIV status, mental health status or similar topicssensitivity : CodeableConcept 0..1 « (The sensitivity of an object. May also encompass confidentiality and rudimentary access control (e.g. HCS)Audit Event Object Sensitivity) »An instance-specific descriptor of the Participant Object ID audited, such as a person's namename : string 0..1Text that describes the object in more detaildescription : string 0..1The actual query for a query-type participant objectquery : base64Binary 0..1DetailName of the propertytype : string 1..1Property valuevalue : base64Binary 1..1Identifies the name, action type, time, and disposition of the audited eventevent1..1Logical network location for application activity, if the activity has a network locationnetwork0..1A person, a hardware device or software processparticipant1..*Application systems and processessource1..1Additional Information about the Objectdetail0..*Specific instances of data or objects that have been accessedobject0..*

XML Template

<AuditEvent xmlns="http://hl7.org/fhir"> doco
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <event>  <!-- 1..1 What was done -->
  <type><!-- 1..1 CodeableConcept Type/identifier of event --></type>
  <subtype><!-- 0..* CodeableConcept More specific type/id for the event --></subtype>
  <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
  <dateTime value="[instant]"/><!-- 1..1 Time when the event occurred on source -->
  <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
  <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
  <purposeOfEvent><!-- 0..* Coding The purposeOfUse of the event --></purposeOfEvent>
 </event>
 <participant>  <!-- 1..* A person, a hardware device or software process -->
  <role><!-- 0..* CodeableConcept User roles (e.g. local RBAC codes) --></role>
  <reference><!-- ?? 0..1 Reference(Practitioner|Organization|Device|Patient|
    RelatedPerson) Direct reference to resource --></reference>
  <userId value="[string]"/><!-- ?? 0..1 Unique identifier for the user -->
  <altId value="[string]"/><!-- 0..1 Alternative User id e.g. authentication -->
  <name value="[string]"/><!-- 0..1 Human-meaningful name for the user -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <identifier value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->
  </network>
  <purposeOfUse><!-- 0..* Coding Participant purposeOfUse --></purposeOfUse>
 </participant>
 <source>  <!-- 1..1 Application systems and processes -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <identifier value="[string]"/><!-- 1..1 The id of source where event originated -->
  <type><!-- 0..* Coding The type of source where event originated --></type>
 </source>
 <object>  <!-- 0..* Specific instances of data or objects that have been accessed -->
  <identifier><!-- ?? 0..1 Identifier Specific instance of object (e.g. versioned) --></identifier>
  <reference><!-- ?? 0..1 Reference(Any) Specific instance of resource (e.g. versioned) --></reference>
  <type value="[code]"/><!-- 0..1 Type of object involved -->
  <role value="[code]"/><!-- 0..1 What role the Object played -->
  <lifecycle value="[code]"/><!-- 0..1 Life-cycle stage for the object -->
  <sensitivity><!-- 0..1 CodeableConcept Policy-defined sensitivity for the object --></sensitivity>
  <name value="[string]"/><!-- ?? 0..1 Instance-specific descriptor for Object -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!-- ?? 0..1 Actual query for object -->
  <detail>  <!-- 0..* Additional Information about the Object -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value value="[base64Binary]"/><!-- 1..1 Property value -->
  </detail>
 </object>
</AuditEvent>

JSON Template

{doco
  "resourceType" : "AuditEvent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "event" : { // R!  What was done
    "type" : { CodeableConcept }, // R!  Type/identifier of event
    "subtype" : [{ CodeableConcept }], // More specific type/id for the event
    "action" : "<code>", // Type of action performed during the event
    "dateTime" : "<instant>", // R!  Time when the event occurred on source
    "outcome" : "<code>", // Whether the event succeeded or failed
    "outcomeDesc" : "<string>", // Description of the event outcome
    "purposeOfEvent" : [{ Coding }] // The purposeOfUse of the event
  },
  "participant" : [{ // R!  A person, a hardware device or software process
    "role" : [{ CodeableConcept }], // User roles (e.g. local RBAC codes)
    "reference" : { Reference(Practitioner|Organization|Device|Patient|
    RelatedPerson) }, // C? Direct reference to resource
    "userId" : "<string>", // C? Unique identifier for the user
    "altId" : "<string>", // Alternative User id e.g. authentication
    "name" : "<string>", // Human-meaningful name for the user
    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "identifier" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point
    },
    "purposeOfUse" : [{ Coding }] // Participant purposeOfUse
  }],
  "source" : { // R!  Application systems and processes
    "site" : "<string>", // Logical source location within the enterprise
    "identifier" : "<string>", // R!  The id of source where event originated
    "type" : [{ Coding }] // The type of source where event originated
  },
  "object" : [{ // Specific instances of data or objects that have been accessed
    "identifier" : { Identifier }, // C? Specific instance of object (e.g. versioned)
    "reference" : { Reference(Any) }, // C? Specific instance of resource (e.g. versioned)
    "type" : "<code>", // Type of object involved
    "role" : "<code>", // What role the Object played
    "lifecycle" : "<code>", // Life-cycle stage for the object
    "sensitivity" : { CodeableConcept }, // Policy-defined sensitivity for the object
    "name" : "<string>", // C? Instance-specific descriptor for Object
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Actual query for object
    "detail" : [{ // Additional Information about the Object
      "type" : "<string>", // R!  Name of the property
      "value" : "<base64Binary>" // R!  Property value
    }]
  }]
}

Structure

NameFlagsCard.TypeDescription & Constraintsdoco
.. AuditEvent DomainResourceEvent record kept for security purposes
... event 1..1ElementWhat was done
.... type 1..1CodeableConceptType/identifier of event
Audit Event ID (Required)
.... subtype 0..*CodeableConceptMore specific type/id for the event
Audit Event Sub-Type (Required)
.... action 0..1codeType of action performed during the event
AuditEventAction (Required)
.... dateTime 1..1instantTime when the event occurred on source
.... outcome 0..1codeWhether the event succeeded or failed
AuditEventOutcome (Required)
.... outcomeDesc 0..1stringDescription of the event outcome
.... purposeOfEvent 0..*CodingThe purposeOfUse of the event
... participant I1..*ElementA person, a hardware device or software process
Either a userId or a reference, but not both
.... role 0..*CodeableConceptUser roles (e.g. local RBAC codes)
Audit Active Participant Role ID Code (Required)
.... reference I0..1Practitioner | Organization | Device | Patient | RelatedPersonDirect reference to resource
.... userId I0..1stringUnique identifier for the user
.... altId 0..1stringAlternative User id e.g. authentication
.... name 0..1stringHuman-meaningful name for the user
.... requestor 1..1booleanWhether user is initiator
.... location 0..1LocationWhere
.... policy 0..*uriPolicy that authorized event
.... media 0..1CodingType of media
.... network 0..1ElementLogical network location for application activity
..... identifier 0..1stringIdentifier for the network access point of the user device
..... type 0..1codeThe type of network access point
AuditEventParticipantNetworkType (Required)
.... purposeOfUse 0..*CodingParticipant purposeOfUse
... source 1..1ElementApplication systems and processes
.... site 0..1stringLogical source location within the enterprise
.... identifier 1..1stringThe id of source where event originated
.... type 0..*CodingThe type of source where event originated
Audit Event Source Type (Required)
... object I0..*ElementSpecific instances of data or objects that have been accessed
Either a name or a query (or both)
Either an identifier or a reference, but not both
.... identifier I0..1IdentifierSpecific instance of object (e.g. versioned)
.... reference I0..1AnySpecific instance of resource (e.g. versioned)
.... type 0..1codeType of object involved
AuditEventObjectType (Required)
.... role 0..1codeWhat role the Object played
AuditEventObjectRole (Required)
.... lifecycle 0..1codeLife-cycle stage for the object
AuditEventObjectLifecycle (Required)
.... sensitivity 0..1CodeableConceptPolicy-defined sensitivity for the object
Audit Event Object Sensitivity (Example)
.... name I0..1stringInstance-specific descriptor for Object
.... description 0..1stringDescriptive text
.... query I0..1base64BinaryActual query for object
.... detail 0..*ElementAdditional Information about the Object
..... type 1..1stringName of the property
..... value 1..1base64BinaryProperty value

UML Diagram

AuditEvent (DomainResource)EventIdentifier for a family of the eventtype : CodeableConcept 1..1 « Type of eventAudit Event ID »Identifier for the category of eventsubtype : CodeableConcept 0..* « Sub-type of eventAudit Event Sub-Type »Indicator for type of action performed during the event that generated the auditaction : code 0..1 « Indicator for type of action performed during the event that generated the audit.AuditEventAction »The time when the event occurred on the sourcedateTime : instant 1..1Indicates whether the event succeeded or failedoutcome : code 0..1 « Indicates whether the event succeeded or failedAuditEventOutcome »A free text description of the outcome of the eventoutcomeDesc : string 0..1The purposeOfUse (reason) that was used during the event being recordedpurposeOfEvent : Coding 0..*ParticipantSpecification of the role(s) the user plays when performing the event. Usually the codes used in this element are local codes defined by the role-based access control security system used in the local contextrole : CodeableConcept 0..* « Role(s) the user plays (from RBAC)Audit Active Participant Role ID Code »Direct reference to a resource that identifies the participantreference : Reference(Practitioner|Organization| Device|Patient|RelatedPerson) 0..1Unique identifier for the user actively participating in the eventuserId : string 0..1Alternative Participant Identifier. For a human, this should be a user identifier text string from authentication system. This identifier would be one known to a common authentication system (e.g., single sign-on), if availablealtId : string 0..1Human-meaningful name for the username : string 0..1Indicator that the user is or is not the requestor, or initiator, for the event being auditedrequestor : boolean 1..1Where the event occurredlocation : Reference(Location) 0..1The policy or plan that authorized the activity being recorded. Typically, a single activity may have multiple applicable policies, such as patient consent, guarantor funding, etc. The policy would also indicate the security token usedpolicy : uri 0..*Type of media involved. Used when the event is about exporting/importing onto mediamedia : Coding 0..1The purposeOfUse (reason) specific to this participant that was used during the event being recordedpurposeOfUse : Coding 0..*NetworkAn identifier for the network access point of the user device for the audit eventidentifier : string 0..1An identifier for the type of network access point that originated the audit eventtype : code 0..1 « The type of network access point of this participant in the audit eventAuditEventParticipantNetworkType »SourceLogical source location within the healthcare enterprise networksite : string 0..1Identifier of the source where the event originatedidentifier : string 1..1Code specifying the type of source where event originatedtype : Coding 0..* « Code specifying the type of system that detected and recorded the eventAudit Event Source Type »ObjectIdentifies a specific instance of the participant object. The reference should always be version specificidentifier : Identifier 0..1Identifies a specific instance of the participant object. The reference should always be version specificreference : Reference(Any) 0..1The type of the object that was involved in this audit eventtype : code 0..1 « Code for the object type involved auditedAuditEventObjectType »Code representing the functional application role of Participant Object being auditedrole : code 0..1 « Code representing the role the Object played in the eventAuditEventObjectRole »Identifier for the data life-cycle stage for the participant objectlifecycle : code 0..1 « Identifier for the data life-cycle stage for the objectAuditEventObjectLifecycle »Denotes policy-defined sensitivity for the Participant Object ID such as VIP, HIV status, mental health status or similar topicssensitivity : CodeableConcept 0..1 « (The sensitivity of an object. May also encompass confidentiality and rudimentary access control (e.g. HCS)Audit Event Object Sensitivity) »An instance-specific descriptor of the Participant Object ID audited, such as a person's namename : string 0..1Text that describes the object in more detaildescription : string 0..1The actual query for a query-type participant objectquery : base64Binary 0..1DetailName of the propertytype : string 1..1Property valuevalue : base64Binary 1..1Identifies the name, action type, time, and disposition of the audited eventevent1..1Logical network location for application activity, if the activity has a network locationnetwork0..1A person, a hardware device or software processparticipant1..*Application systems and processessource1..1Additional Information about the Objectdetail0..*Specific instances of data or objects that have been accessedobject0..*

XML Template

<AuditEvent xmlns="http://hl7.org/fhir"> doco
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <event>  <!-- 1..1 What was done -->
  <type><!-- 1..1 CodeableConcept Type/identifier of event --></type>
  <subtype><!-- 0..* CodeableConcept More specific type/id for the event --></subtype>
  <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
  <dateTime value="[instant]"/><!-- 1..1 Time when the event occurred on source -->
  <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
  <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
  <purposeOfEvent><!-- 0..* Coding The purposeOfUse of the event --></purposeOfEvent>
 </event>
 <participant>  <!-- 1..* A person, a hardware device or software process -->
  <role><!-- 0..* CodeableConcept User roles (e.g. local RBAC codes) --></role>
  <reference><!-- ?? 0..1 Reference(Practitioner|Organization|Device|Patient|
    RelatedPerson) Direct reference to resource --></reference>
  <userId value="[string]"/><!-- ?? 0..1 Unique identifier for the user -->
  <altId value="[string]"/><!-- 0..1 Alternative User id e.g. authentication -->
  <name value="[string]"/><!-- 0..1 Human-meaningful name for the user -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <identifier value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->
  </network>
  <purposeOfUse><!-- 0..* Coding Participant purposeOfUse --></purposeOfUse>
 </participant>
 <source>  <!-- 1..1 Application systems and processes -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <identifier value="[string]"/><!-- 1..1 The id of source where event originated -->
  <type><!-- 0..* Coding The type of source where event originated --></type>
 </source>
 <object>  <!-- 0..* Specific instances of data or objects that have been accessed -->
  <identifier><!-- ?? 0..1 Identifier Specific instance of object (e.g. versioned) --></identifier>
  <reference><!-- ?? 0..1 Reference(Any) Specific instance of resource (e.g. versioned) --></reference>
  <type value="[code]"/><!-- 0..1 Type of object involved -->
  <role value="[code]"/><!-- 0..1 What role the Object played -->
  <lifecycle value="[code]"/><!-- 0..1 Life-cycle stage for the object -->
  <sensitivity><!-- 0..1 CodeableConcept Policy-defined sensitivity for the object --></sensitivity>
  <name value="[string]"/><!-- ?? 0..1 Instance-specific descriptor for Object -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!-- ?? 0..1 Actual query for object -->
  <detail>  <!-- 0..* Additional Information about the Object -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value value="[base64Binary]"/><!-- 1..1 Property value -->
  </detail>
 </object>
</AuditEvent>

JSON Template

{doco
  "resourceType" : "AuditEvent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "event" : { // R!  What was done
    "type" : { CodeableConcept }, // R!  Type/identifier of event
    "subtype" : [{ CodeableConcept }], // More specific type/id for the event
    "action" : "<code>", // Type of action performed during the event
    "dateTime" : "<instant>", // R!  Time when the event occurred on source
    "outcome" : "<code>", // Whether the event succeeded or failed
    "outcomeDesc" : "<string>", // Description of the event outcome
    "purposeOfEvent" : [{ Coding }] // The purposeOfUse of the event
  },
  "participant" : [{ // R!  A person, a hardware device or software process
    "role" : [{ CodeableConcept }], // User roles (e.g. local RBAC codes)
    "reference" : { Reference(Practitioner|Organization|Device|Patient|
    RelatedPerson) }, // C? Direct reference to resource
    "userId" : "<string>", // C? Unique identifier for the user
    "altId" : "<string>", // Alternative User id e.g. authentication
    "name" : "<string>", // Human-meaningful name for the user
    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "identifier" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point
    },
    "purposeOfUse" : [{ Coding }] // Participant purposeOfUse
  }],
  "source" : { // R!  Application systems and processes
    "site" : "<string>", // Logical source location within the enterprise
    "identifier" : "<string>", // R!  The id of source where event originated
    "type" : [{ Coding }] // The type of source where event originated
  },
  "object" : [{ // Specific instances of data or objects that have been accessed
    "identifier" : { Identifier }, // C? Specific instance of object (e.g. versioned)
    "reference" : { Reference(Any) }, // C? Specific instance of resource (e.g. versioned)
    "type" : "<code>", // Type of object involved
    "role" : "<code>", // What role the Object played
    "lifecycle" : "<code>", // Life-cycle stage for the object
    "sensitivity" : { CodeableConcept }, // Policy-defined sensitivity for the object
    "name" : "<string>", // C? Instance-specific descriptor for Object
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Actual query for object
    "detail" : [{ // Additional Information about the Object
      "type" : "<string>", // R!  Name of the property
      "value" : "<base64Binary>" // R!  Property value
    }]
  }]
}

 

Alternate definitions: Schema/Schematron, Resource Profile (XML, JSON)

6.6.3.1 Terminology Bindings

PathDefinitionTypeReference
AuditEvent.event.type Type of eventRequiredhttp://hl7.org/fhir/vs/audit-event-type
AuditEvent.event.subtype Sub-type of eventRequiredhttp://hl7.org/fhir/vs/audit-event-sub-type
AuditEvent.event.action Indicator for type of action performed during the event that generated the audit.Requiredhttp://hl7.org/fhir/audit-event-action
AuditEvent.event.outcome Indicates whether the event succeeded or failedRequiredhttp://hl7.org/fhir/audit-event-outcome
AuditEvent.participant.role Role(s) the user plays (from RBAC)Requiredhttp://hl7.org/fhir/vs/dicm-402-roleid
AuditEvent.participant.network.type The type of network access point of this participant in the audit eventRequiredhttp://hl7.org/fhir/network-type
AuditEvent.source.type Code specifying the type of system that detected and recorded the eventRequiredhttp://hl7.org/fhir/vs/audit-source-type
AuditEvent.object.type Code for the object type involved auditedRequiredhttp://hl7.org/fhir/object-type
AuditEvent.object.role Code representing the role the Object played in the eventRequiredhttp://hl7.org/fhir/object-role
AuditEvent.object.lifecycle Identifier for the data life-cycle stage for the objectRequiredhttp://hl7.org/fhir/object-lifecycle
AuditEvent.object.sensitivity The sensitivity of an object. May also encompass confidentiality and rudimentary access control (e.g. HCS)Examplehttp://hl7.org/fhir/vs/audit-event-sensitivity

6.6.3.2 Constraints

  • sev-1: On AuditEvent.object: Either a name or a query (or both) (xpath on f:AuditEvent/f:object: not(exists(f:name)) or not(exists(f:query)))
  • sev-2: On AuditEvent.object: Either an identifier or a reference, but not both (xpath on f:AuditEvent/f:object: exists(f:identifier) != exists(f:reference))
  • sev-3: On AuditEvent.participant: Either a userId or a reference, but not both (xpath on f:AuditEvent/f:participant: exists(f:userId) != exists(f:reference))

6.6.3.3 Using Coded Values

The audit event resource and the ATNA Audit record are used in many contexts through healthcare. The coded values defined in the "extensible" bindings above are those widely used and/or defined by DICOM, IHE or ISO, who all defined these codes to meet very specific use cases. These codes should be used when the are suitable, or other codes can be defined.

The set of codes defined for this resource are expected to grow over time, and additional codes may be proposed / requested using the community input link above.

6.6.3.4 Event codes for Common Scenarios

This table summarizes common event scenarios, and the codes that should be used for each case.

ScenariotypesubtypeactionOther
User Login (example)110114 User Authentication110122 User Authentication E ExecuteOne participant which contains the details of the logged in user
OAuth based User Login 110114 User Authentication110122 User Authentication E Executetodo
User Logout (example)110114 User Authentication110123 User Logout E ExecuteOne participant which contains the details of the logged out user
REST operation logged on server (example)rest RESTful Operation[code] defined for operation * (see below)Participant for logged in user, if available, and one object with a reference if at least the type is known as part of the operation. Reference.url should be provided to the granularity known

Audit Event Actions for RESTful operations:

OperationAction
create C
read, vread, tags-get, history-instance, history-type, history-system R
update, tags-update U
delete, tags-delete D
search, validate, transaction, conformance, mailbox E

6.6.4 Search Parameters

Search parameters for this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.

NameTypeDescriptionPaths
actiontokenType of action performed during the eventAuditEvent.event.action
addresstokenIdentifier for the network access point of the user deviceAuditEvent.participant.network.identifier
altidtokenAlternative User id e.g. authenticationAuditEvent.participant.altId
datedateTime when the event occurred on sourceAuditEvent.event.dateTime
descstringInstance-specific descriptor for ObjectAuditEvent.object.name
identitytokenSpecific instance of object (e.g. versioned)AuditEvent.object.identifier
namestringHuman-meaningful name for the userAuditEvent.participant.name
object-typetokenType of object involvedAuditEvent.object.type
participantreferenceDirect reference to resourceAuditEvent.participant.reference
(Practitioner, Organization, Device, Patient, RelatedPerson)
patientreferenceA patient that the .object.reference refers to
(Patient)
patientidtokenThe id of the patient (one of multiple kinds of participations)
policyuriPolicy that authorized eventAuditEvent.participant.policy
referencereferenceSpecific instance of resource (e.g. versioned)AuditEvent.object.reference
(Any)
sitetokenLogical source location within the enterpriseAuditEvent.source.site
sourcetokenThe id of source where event originatedAuditEvent.source.identifier
subtypetokenMore specific type/id for the eventAuditEvent.event.subtype
typetokenType/identifier of eventAuditEvent.event.type
usertokenUnique identifier for the userAuditEvent.participant.userId