Audit

The Audit Service is responsible for recording service events from other Services and for maintaining those records. It captures all audit information necessary to perform security audits and to determine compliance with governing policy and procedure.

Basic Functional Requirements

  • Accept and record an audit record from one or more event sources, including itself
  • Retrieve audit records, filtered based on some related criteria, such as date range, patient id, or provider id
  • Provide information sufficient for an Accounting of Disclosures, including:
    • Date and time of disclosure
    • Reason for disclosure
    • Description of information disclosed
    • Identity of the requester
    • Identity of the discloser


Scenarios

Disclosure to another clinician

A patient visits the ER with a broken arm. The ER physician treats the break, and a discharge summary is created and sent to the patient's GP. The disclosure of the information about this visit is recorded in the audit log.

Break the Glass

A patient is transported to the ER and arrives unconscious. The ER physician notices that some parts of the patient's records are blocked from retrieval. He determines he can't safely treat the patient without the records and breaks the glass. The act of breaking the glass and the reason for the BTG event are recorded in the audit log. All subsequent accesses of the blocked information are recorded in the audit log.

Request for Accounting of Disclosures

A patient who is in the middle of a divorce has also been receiving treatment for a cardiac issue. She fears her spouse, who is a doctor at the hospital, may be accessing her records to use against her. She asks for a report of all disclosures of the information in her records, to determine if they have been accessed improperly.
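
The following sketch is an added example, not part of any candidate standard or implementation listed on this page. It shows how the functional requirements and the scenarios above fit together: records are accepted from several sources, retrieval is filtered and is itself audited, and the accounting report carries the five required fields. All names, event types and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AuditRecord:
    when: datetime     # date and time of the event
    source: str        # event source that submitted the record
    event: str         # disclosure | break-the-glass | btg-access | audit-query
    patient_id: str
    requester: str     # identity of the requester
    discloser: str     # identity of the discloser
    reason: str
    description: str
DISCLOSING = {"disclosure", "btg-access"}  # assumption: what the report counts as a disclosure

class AuditService:
    def __init__(self):
        self._log = []  # append-only: no update or delete methods are exposed

    def record(self, rec):
        self._log.append(rec)

    def retrieve(self, asked_by, now, patient_id=None, provider_id=None, start=None, end=None):
        hits = [r for r in self._log
                if (patient_id is None or r.patient_id == patient_id)
                and (provider_id is None or provider_id in (r.requester, r.discloser))
                and (start is None or r.when >= start)
                and (end is None or r.when <= end)]
        # The service is one of its own event sources: the query itself is audited.
        self.record(AuditRecord(now, "audit-service", "audit-query", patient_id or "*",
                                asked_by, "audit-service", "audit log retrieval",
                                f"{len(hits)} records returned"))
        return hits

    def accounting_of_disclosures(self, asked_by, now, patient_id, start=None, end=None):
        rows = self.retrieve(asked_by, now, patient_id=patient_id, start=start, end=end)
        return [{"date_time": r.when.isoformat(), "reason": r.reason,
                 "description": r.description, "requester": r.requester,
                 "discloser": r.discloser} for r in rows if r.event in DISCLOSING]

def demo():  # constructed sample events mirroring the scenarios on this page
    svc, t = AuditService(), (lambda h: datetime(2024, 1, 5, h))
    svc.record(AuditRecord(t(9), "er", "disclosure", "pat-1", "gp-smith", "er-jones",
                           "continuity of care", "ER discharge summary"))
    svc.record(AuditRecord(t(10), "ehr", "break-the-glass", "pat-2", "er-jones", "ehr",
                           "patient unconscious", "override of blocked records"))
    svc.record(AuditRecord(t(11), "ehr", "btg-access", "pat-2", "er-jones", "ehr",
                           "emergency treatment", "blocked medication history"))
    return svc, svc.accounting_of_disclosures("privacy-officer", t(12), "pat-2")
```

Calling demo() returns the service and the report for patient pat-2; the report request itself appears in the log as an audit-query record from the audit-service source.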


Candidate Standards

IHE ATNA

Implementations

HSSP-PASS Audit

Implementations

  • None known