This page is part of the FHIR Specification (v4.0.1: R4 - Mixed Normative and STU) in it's permanent home (it will always be available at this URL). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions . Page versions: R5 R4B R4 R3 R2

6.4 Resource AuditEvent - Content

Security

Work Group

Maturity Level: 3

Trial Use

Security Category: Not Classified

Compartments: Device, Patient, Practitioner

A record of an event made for purposes of maintaining a security log. Typical uses include detection of intrusion attempts and monitoring for inappropriate usage.

6.4.1 Scope and Usage

The audit event is based on the IHE-ATNA Audit record definitions, originally from RFC 3881 , and now managed by DICOM (see DICOM Part 15 Annex A5 ).

ASTM E2147 – Setup the concept of security audit logs for healthcare including accounting of disclosures
IETF RFC 3881 – Defined the Information Model (IETF rule forced this to be informative)
DICOM Audit Log Message – Made the information model Normative, defined Vocabulary, Transport Binding, and Schema
IHE ATNA – Defines the grouping with secure transport and access controls; and defined specific audit log records for specific IHE transactions.
NIST SP800-92 – Shows how to do audit log management and reporting – consistent with our model
HL7 PASS – Defined an Audit Service with responsibilities and a query interface for reporting use
ISO 27789 – Defined the subset of audit events that an EHR would need
ISO/HL7 10781 EHR System Functional Model Release 2
ISO 21089 Trusted End-to-End Information Flows

This resource is managed collaboratively between HL7, DICOM, and IHE.

The primary purpose of this resource is the maintenance of security audit log information. However, it can also be used for any audit logging needs and simple event-based notification.

6.4.2 Background and Context

All actors - such as applications, processes, and services - involved in an auditable event should record an AuditEvent. This will likely result in multiple AuditEvent entries that show whether privacy and security safeguards, such as access control, are properly functioning across an enterprise's system-of-systems. Thus, it is typical to get an auditable event recorded by both the application in a workflow process and the servers that support them. For this reason, duplicate entries are expected, which is helpful because it may aid in the detection of. For example, fewer than expected actors being recorded in a multi-actor process or attributes related to those records being in conflict, which is an indication of a security problem. There may be non-participating actors, such as trusted intermediary, that also detect a security relevant event and thus would record an AuditEvent, such as a trusted intermediary.

Security relevant events are not limited to communications or RESTful events. They include:

software start-up and shutdown;
user login and logout;
access control decisions;
configuration events;
software installation;
policy rules changes; and
manipulation of data that exposes the data to users.

See the Audit Event Sub-Type vocabulary for guidance on some security relevant events.

The content of an AuditEvent is intended for use by security system administrators, security and privacy information managers, and records management personnel. This content is not intended to be accessible or used directly by other healthcare users, such as providers or patients, although reports generated from the raw data would be useful. An example is a patient-centric accounting of disclosures or an access report. Servers that provide support for AuditEvent resources would not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record. Access to the AuditEvent would typically be limited to security, privacy, or other system administration purposes.

Relationship of AuditEvent and Provenance resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource "came to be" in its current state, e.g., whether it was created de novo or obtained from another entity in whole, part, or by transformation. Provenance resources are prepared by the application that initiates the create/update of the resource and may be persisted with the AuditEvent target resource.

Structure

Name	Flags	Card.	Type	Description & Constraints
AuditEvent	TU		DomainResource	Event record kept for security purposes Elements defined in Ancestors: id, meta, implicitRules, language, text, contained, extension, modifierExtension
type	Σ	1..1	Coding	Type/identifier of event Audit Event ID (Extensible)
subtype	Σ	0..*	Coding	More specific type/id for the event Audit Event Sub-Type (Extensible)
action	Σ	0..1	code	Type of action performed during the event AuditEventAction (Required)
period		0..1	Period	When the activity occurred
recorded	Σ	1..1	instant	Time when the event was recorded
outcome	Σ	0..1	code	Whether the event succeeded or failed AuditEventOutcome (Required)
outcomeDesc	Σ	0..1	string	Description of the event outcome
purposeOfEvent	Σ	0..*	CodeableConcept	The purposeOfUse of the event V3 Value SetPurposeOfUse (Extensible)
agent		1..*	BackboneElement	Actor involved in the event
type		0..1	CodeableConcept	How agent participated ParticipationRoleType (Extensible)
role		0..*	CodeableConcept	Agent role in the event SecurityRoleType (Example)
who	Σ	0..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	Identifier of who
altId		0..1	string	Alternative User identity
name		0..1	string	Human friendly name for the agent
requestor	Σ	1..1	boolean	Whether user is initiator
location		0..1	Reference(Location)	Where
policy		0..*	uri	Policy that authorized event
media		0..1	Coding	Type of media Media Type Code (Extensible)
network		0..1	BackboneElement	Logical network location for application activity
address		0..1	string	Identifier for the network access point of the user device
type		0..1	code	The type of network access point AuditEventAgentNetworkType (Required)
purposeOfUse		0..*	CodeableConcept	Reason given for this user V3 Value SetPurposeOfUse (Extensible)
source		1..1	BackboneElement	Audit Event Reporter
site		0..1	string	Logical source location within the enterprise
observer	Σ	1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	The identity of source detecting the event
type		0..*	Coding	The type of source where event originated Audit Event Source Type (Extensible)
entity	I	0..*	BackboneElement	Data or objects used + Rule: Either a name or a query (NOT both)
what	Σ	0..1	Reference(Any)	Specific instance of resource
type		0..1	Coding	Type of entity involved Audit event entity type (Extensible)
role		0..1	Coding	What role the entity played AuditEventEntityRole (Extensible)
lifecycle		0..1	Coding	Life-cycle stage for the entity ObjectLifecycleEvents (Extensible)
securityLabel		0..*	Coding	Security labels on the entity SecurityLabels (Extensible)
name	Σ I	0..1	string	Descriptor for entity
description		0..1	string	Descriptive text
query	Σ I	0..1	base64Binary	Query parameters
detail		0..*	BackboneElement	Additional Information about the entity
type		1..1	string	Name of the property
value[x]		1..1		Property value
valueString			string
valueBase64Binary			base64Binary
Documentation for this format

UML Diagram (Legend)

XML Template

<AuditEvent xmlns="http://hl7.org/fhir"> 
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <type><!-- 1..1 Coding Type/identifier of event --></type>
 <subtype><!-- 0..* Coding More specific type/id for the event --></subtype>
 <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
 <period><!-- 0..1 Period When the activity occurred --></period>
 <recorded value="[instant]"/><!-- 1..1 Time when the event was recorded -->
 <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
 <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
 <purposeOfEvent><!-- 0..* CodeableConcept The purposeOfUse of the event --></purposeOfEvent>
 <agent>  <!-- 1..* Actor involved in the event -->
  <type><!-- 0..1 CodeableConcept How agent participated --></type>
  <role><!-- 0..* CodeableConcept Agent role in the event --></role>
  <who><!-- 0..1 Reference(PractitionerRole|Practitioner|Organization|Device|
    Patient|RelatedPerson) Identifier of who --></who>
  <altId value="[string]"/><!-- 0..1 Alternative User identity -->
  <name value="[string]"/><!-- 0..1 Human friendly name for the agent -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->
  </network>
  <purposeOfUse><!-- 0..* CodeableConcept Reason given for this user --></purposeOfUse>
 </agent>
 <source>  <!-- 1..1 Audit Event Reporter -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <observer><!-- 1..1 Reference(PractitionerRole|Practitioner|Organization|Device|
    Patient|RelatedPerson) The identity of source detecting the event --></observer>
  <type><!-- 0..* Coding The type of source where event originated --></type>
 </source>
 <entity>  <!-- 0..* Data or objects used -->
  <what><!-- 0..1 Reference(Any) Specific instance of resource --></what>
  <type><!-- 0..1 Coding Type of entity involved --></type>
  <role><!-- 0..1 Coding What role the entity played --></role>
  <lifecycle><!-- 0..1 Coding Life-cycle stage for the entity --></lifecycle>
  <securityLabel><!-- 0..* Coding Security labels on the entity --></securityLabel>
  <name value="[string]"/><!--  0..1 Descriptor for entity -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!--  0..1 Query parameters -->
  <detail>  <!-- 0..* Additional Information about the entity -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value[x]><!-- 1..1 string|base64Binary Property value --></value[x]>
  </detail>
 </entity>
</AuditEvent>

JSON Template

{
  "resourceType" : "AuditEvent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "type" : { Coding }, // R!  Type/identifier of event
  "subtype" : [{ Coding }], // More specific type/id for the event
  "action" : "<code>", // Type of action performed during the event
  "period" : { Period }, // When the activity occurred
  "recorded" : "<instant>", // R!  Time when the event was recorded
  "outcome" : "<code>", // Whether the event succeeded or failed
  "outcomeDesc" : "<string>", // Description of the event outcome
  "purposeOfEvent" : [{ CodeableConcept }], // The purposeOfUse of the event
  "agent" : [{ // R!  Actor involved in the event
    "type" : { CodeableConcept }, // How agent participated
    "role" : [{ CodeableConcept }], // Agent role in the event
    "who" : { Reference(PractitionerRole|Practitioner|Organization|Device|
    Patient|RelatedPerson) }, // Identifier of who
    "altId" : "<string>", // Alternative User identity
    "name" : "<string>", // Human friendly name for the agent
    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "address" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point
    },
    "purposeOfUse" : [{ CodeableConcept }] // Reason given for this user
  }],
  "source" : { // R!  Audit Event Reporter
    "site" : "<string>", // Logical source location within the enterprise
    "observer" : { Reference(PractitionerRole|Practitioner|Organization|Device|
    Patient|RelatedPerson) }, // R!  The identity of source detecting the event
    "type" : [{ Coding }] // The type of source where event originated
  },
  "entity" : [{ // Data or objects used
    "what" : { Reference(Any) }, // Specific instance of resource
    "type" : { Coding }, // Type of entity involved
    "role" : { Coding }, // What role the entity played
    "lifecycle" : { Coding }, // Life-cycle stage for the entity
    "securityLabel" : [{ Coding }], // Security labels on the entity
    "name" : "<string>", // C? Descriptor for entity
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Query parameters
    "detail" : [{ // Additional Information about the entity
      "type" : "<string>", // R!  Name of the property
      // value[x]: Property value. One of these 2:
      "valueString" : "<string>"
      "valueBase64Binary" : "<base64Binary>"
    }]
  }]
}

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .


[ a fhir:AuditEvent;
  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:AuditEvent.type [ Coding ]; # 1..1 Type/identifier of event
  fhir:AuditEvent.subtype [ Coding ], ... ; # 0..* More specific type/id for the event
  fhir:AuditEvent.action [ code ]; # 0..1 Type of action performed during the event
  fhir:AuditEvent.period [ Period ]; # 0..1 When the activity occurred
  fhir:AuditEvent.recorded [ instant ]; # 1..1 Time when the event was recorded
  fhir:AuditEvent.outcome [ code ]; # 0..1 Whether the event succeeded or failed
  fhir:AuditEvent.outcomeDesc [ string ]; # 0..1 Description of the event outcome
  fhir:AuditEvent.purposeOfEvent [ CodeableConcept ], ... ; # 0..* The purposeOfUse of the event
  fhir:AuditEvent.agent [ # 1..* Actor involved in the event
    fhir:AuditEvent.agent.type [ CodeableConcept ]; # 0..1 How agent participated
    fhir:AuditEvent.agent.role [ CodeableConcept ], ... ; # 0..* Agent role in the event
    fhir:AuditEvent.agent.who [ Reference(PractitionerRole|Practitioner|Organization|Device|Patient|RelatedPerson) ]; # 0..1 Identifier of who
    fhir:AuditEvent.agent.altId [ string ]; # 0..1 Alternative User identity
    fhir:AuditEvent.agent.name [ string ]; # 0..1 Human friendly name for the agent
    fhir:AuditEvent.agent.requestor [ boolean ]; # 1..1 Whether user is initiator
    fhir:AuditEvent.agent.location [ Reference(Location) ]; # 0..1 Where
    fhir:AuditEvent.agent.policy [ uri ], ... ; # 0..* Policy that authorized event
    fhir:AuditEvent.agent.media [ Coding ]; # 0..1 Type of media
    fhir:AuditEvent.agent.network [ # 0..1 Logical network location for application activity
      fhir:AuditEvent.agent.network.address [ string ]; # 0..1 Identifier for the network access point of the user device
      fhir:AuditEvent.agent.network.type [ code ]; # 0..1 The type of network access point
    ];
    fhir:AuditEvent.agent.purposeOfUse [ CodeableConcept ], ... ; # 0..* Reason given for this user
  ], ...;
  fhir:AuditEvent.source [ # 1..1 Audit Event Reporter
    fhir:AuditEvent.source.site [ string ]; # 0..1 Logical source location within the enterprise
    fhir:AuditEvent.source.observer [ Reference(PractitionerRole|Practitioner|Organization|Device|Patient|RelatedPerson) ]; # 1..1 The identity of source detecting the event
    fhir:AuditEvent.source.type [ Coding ], ... ; # 0..* The type of source where event originated
  ];
  fhir:AuditEvent.entity [ # 0..* Data or objects used
    fhir:AuditEvent.entity.what [ Reference(Any) ]; # 0..1 Specific instance of resource
    fhir:AuditEvent.entity.type [ Coding ]; # 0..1 Type of entity involved
    fhir:AuditEvent.entity.role [ Coding ]; # 0..1 What role the entity played
    fhir:AuditEvent.entity.lifecycle [ Coding ]; # 0..1 Life-cycle stage for the entity
    fhir:AuditEvent.entity.securityLabel [ Coding ], ... ; # 0..* Security labels on the entity
    fhir:AuditEvent.entity.name [ string ]; # 0..1 Descriptor for entity
    fhir:AuditEvent.entity.description [ string ]; # 0..1 Descriptive text
    fhir:AuditEvent.entity.query [ base64Binary ]; # 0..1 Query parameters
    fhir:AuditEvent.entity.detail [ # 0..* Additional Information about the entity
      fhir:AuditEvent.entity.detail.type [ string ]; # 1..1 Name of the property
      # AuditEvent.entity.detail.value[x] : 1..1 Property value. One of these 2
        fhir:AuditEvent.entity.detail.valueString [ string ]
        fhir:AuditEvent.entity.detail.valueBase64Binary [ base64Binary ]
    ], ...;
  ], ...;
]

Changes since R3

AuditEvent

AuditEvent.action

Change value set from http://hl7.org/fhir/ValueSet/audit-event-action to http://hl7.org/fhir/ValueSet/audit-event-action|4.0.1

AuditEvent.period

Added Element

AuditEvent.outcome

Change value set from http://hl7.org/fhir/ValueSet/audit-event-outcome to http://hl7.org/fhir/ValueSet/audit-event-outcome|4.0.1

AuditEvent.agent.type

Added Element

AuditEvent.agent.role

Remove Binding http://hl7.org/fhir/ValueSet/security-role-type (extensible)

AuditEvent.agent.who

Added Element

AuditEvent.agent.network.type

Change value set from http://hl7.org/fhir/ValueSet/network-type to http://hl7.org/fhir/ValueSet/network-type|4.0.1

AuditEvent.source.observer

Added Mandatory Element

AuditEvent.source.type

Change code system for extensibly bound codes from "http://hl7.org/fhir/security-source-type" to "http://terminology.hl7.org/CodeSystem/security-source-type"

AuditEvent.entity.what

Added Element

AuditEvent.entity.role

Change code system for extensibly bound codes from "http://hl7.org/fhir/object-role" to "http://terminology.hl7.org/CodeSystem/object-role"

AuditEvent.entity.detail.value[x]

Renamed from value to value[x]
Add Type string

AuditEvent.agent.reference

deleted

AuditEvent.agent.userId

deleted

AuditEvent.source.identifier

deleted

AuditEvent.entity.identifier

deleted

AuditEvent.entity.reference

deleted

See the Full Difference for further information

This analysis is available as XML or JSON.

See R3 <--> R4 Conversion Maps (status = 8 tests that all execute ok. All tests pass round-trip testing and all r3 resources are valid.)

Structure

Name	Flags	Card.	Type	Description & Constraints
AuditEvent	TU		DomainResource	Event record kept for security purposes Elements defined in Ancestors: id, meta, implicitRules, language, text, contained, extension, modifierExtension
type	Σ	1..1	Coding	Type/identifier of event Audit Event ID (Extensible)
subtype	Σ	0..*	Coding	More specific type/id for the event Audit Event Sub-Type (Extensible)
action	Σ	0..1	code	Type of action performed during the event AuditEventAction (Required)
period		0..1	Period	When the activity occurred
recorded	Σ	1..1	instant	Time when the event was recorded
outcome	Σ	0..1	code	Whether the event succeeded or failed AuditEventOutcome (Required)
outcomeDesc	Σ	0..1	string	Description of the event outcome
purposeOfEvent	Σ	0..*	CodeableConcept	The purposeOfUse of the event V3 Value SetPurposeOfUse (Extensible)
agent		1..*	BackboneElement	Actor involved in the event
type		0..1	CodeableConcept	How agent participated ParticipationRoleType (Extensible)
role		0..*	CodeableConcept	Agent role in the event SecurityRoleType (Example)
who	Σ	0..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	Identifier of who
altId		0..1	string	Alternative User identity
name		0..1	string	Human friendly name for the agent
requestor	Σ	1..1	boolean	Whether user is initiator
location		0..1	Reference(Location)	Where
policy		0..*	uri	Policy that authorized event
media		0..1	Coding	Type of media Media Type Code (Extensible)
network		0..1	BackboneElement	Logical network location for application activity
address		0..1	string	Identifier for the network access point of the user device
type		0..1	code	The type of network access point AuditEventAgentNetworkType (Required)
purposeOfUse		0..*	CodeableConcept	Reason given for this user V3 Value SetPurposeOfUse (Extensible)
source		1..1	BackboneElement	Audit Event Reporter
site		0..1	string	Logical source location within the enterprise
observer	Σ	1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	The identity of source detecting the event
type		0..*	Coding	The type of source where event originated Audit Event Source Type (Extensible)
entity	I	0..*	BackboneElement	Data or objects used + Rule: Either a name or a query (NOT both)
what	Σ	0..1	Reference(Any)	Specific instance of resource
type		0..1	Coding	Type of entity involved Audit event entity type (Extensible)
role		0..1	Coding	What role the entity played AuditEventEntityRole (Extensible)
lifecycle		0..1	Coding	Life-cycle stage for the entity ObjectLifecycleEvents (Extensible)
securityLabel		0..*	Coding	Security labels on the entity SecurityLabels (Extensible)
name	Σ I	0..1	string	Descriptor for entity
description		0..1	string	Descriptive text
query	Σ I	0..1	base64Binary	Query parameters
detail		0..*	BackboneElement	Additional Information about the entity
type		1..1	string	Name of the property
value[x]		1..1		Property value
valueString			string
valueBase64Binary			base64Binary
Documentation for this format

UML Diagram (Legend)

XML Template

<AuditEvent xmlns="http://hl7.org/fhir"> 
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <type><!-- 1..1 Coding Type/identifier of event --></type>
 <subtype><!-- 0..* Coding More specific type/id for the event --></subtype>
 <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
 <period><!-- 0..1 Period When the activity occurred --></period>
 <recorded value="[instant]"/><!-- 1..1 Time when the event was recorded -->
 <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
 <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
 <purposeOfEvent><!-- 0..* CodeableConcept The purposeOfUse of the event --></purposeOfEvent>
 <agent>  <!-- 1..* Actor involved in the event -->
  <type><!-- 0..1 CodeableConcept How agent participated --></type>
  <role><!-- 0..* CodeableConcept Agent role in the event --></role>
  <who><!-- 0..1 Reference(PractitionerRole|Practitioner|Organization|Device|
    Patient|RelatedPerson) Identifier of who --></who>
  <altId value="[string]"/><!-- 0..1 Alternative User identity -->
  <name value="[string]"/><!-- 0..1 Human friendly name for the agent -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->
  </network>
  <purposeOfUse><!-- 0..* CodeableConcept Reason given for this user --></purposeOfUse>
 </agent>
 <source>  <!-- 1..1 Audit Event Reporter -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <observer><!-- 1..1 Reference(PractitionerRole|Practitioner|Organization|Device|
    Patient|RelatedPerson) The identity of source detecting the event --></observer>
  <type><!-- 0..* Coding The type of source where event originated --></type>
 </source>
 <entity>  <!-- 0..* Data or objects used -->
  <what><!-- 0..1 Reference(Any) Specific instance of resource --></what>
  <type><!-- 0..1 Coding Type of entity involved --></type>
  <role><!-- 0..1 Coding What role the entity played --></role>
  <lifecycle><!-- 0..1 Coding Life-cycle stage for the entity --></lifecycle>
  <securityLabel><!-- 0..* Coding Security labels on the entity --></securityLabel>
  <name value="[string]"/><!--  0..1 Descriptor for entity -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!--  0..1 Query parameters -->
  <detail>  <!-- 0..* Additional Information about the entity -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value[x]><!-- 1..1 string|base64Binary Property value --></value[x]>
  </detail>
 </entity>
</AuditEvent>

JSON Template

{
  "resourceType" : "AuditEvent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "type" : { Coding }, // R!  Type/identifier of event
  "subtype" : [{ Coding }], // More specific type/id for the event
  "action" : "<code>", // Type of action performed during the event
  "period" : { Period }, // When the activity occurred
  "recorded" : "<instant>", // R!  Time when the event was recorded
  "outcome" : "<code>", // Whether the event succeeded or failed
  "outcomeDesc" : "<string>", // Description of the event outcome
  "purposeOfEvent" : [{ CodeableConcept }], // The purposeOfUse of the event
  "agent" : [{ // R!  Actor involved in the event
    "type" : { CodeableConcept }, // How agent participated
    "role" : [{ CodeableConcept }], // Agent role in the event
    "who" : { Reference(PractitionerRole|Practitioner|Organization|Device|
    Patient|RelatedPerson) }, // Identifier of who
    "altId" : "<string>", // Alternative User identity
    "name" : "<string>", // Human friendly name for the agent
    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "address" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point
    },
    "purposeOfUse" : [{ CodeableConcept }] // Reason given for this user
  }],
  "source" : { // R!  Audit Event Reporter
    "site" : "<string>", // Logical source location within the enterprise
    "observer" : { Reference(PractitionerRole|Practitioner|Organization|Device|
    Patient|RelatedPerson) }, // R!  The identity of source detecting the event
    "type" : [{ Coding }] // The type of source where event originated
  },
  "entity" : [{ // Data or objects used
    "what" : { Reference(Any) }, // Specific instance of resource
    "type" : { Coding }, // Type of entity involved
    "role" : { Coding }, // What role the entity played
    "lifecycle" : { Coding }, // Life-cycle stage for the entity
    "securityLabel" : [{ Coding }], // Security labels on the entity
    "name" : "<string>", // C? Descriptor for entity
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Query parameters
    "detail" : [{ // Additional Information about the entity
      "type" : "<string>", // R!  Name of the property
      // value[x]: Property value. One of these 2:
      "valueString" : "<string>"
      "valueBase64Binary" : "<base64Binary>"
    }]
  }]
}

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .


[ a fhir:AuditEvent;
  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:AuditEvent.type [ Coding ]; # 1..1 Type/identifier of event
  fhir:AuditEvent.subtype [ Coding ], ... ; # 0..* More specific type/id for the event
  fhir:AuditEvent.action [ code ]; # 0..1 Type of action performed during the event
  fhir:AuditEvent.period [ Period ]; # 0..1 When the activity occurred
  fhir:AuditEvent.recorded [ instant ]; # 1..1 Time when the event was recorded
  fhir:AuditEvent.outcome [ code ]; # 0..1 Whether the event succeeded or failed
  fhir:AuditEvent.outcomeDesc [ string ]; # 0..1 Description of the event outcome
  fhir:AuditEvent.purposeOfEvent [ CodeableConcept ], ... ; # 0..* The purposeOfUse of the event
  fhir:AuditEvent.agent [ # 1..* Actor involved in the event
    fhir:AuditEvent.agent.type [ CodeableConcept ]; # 0..1 How agent participated
    fhir:AuditEvent.agent.role [ CodeableConcept ], ... ; # 0..* Agent role in the event
    fhir:AuditEvent.agent.who [ Reference(PractitionerRole|Practitioner|Organization|Device|Patient|RelatedPerson) ]; # 0..1 Identifier of who
    fhir:AuditEvent.agent.altId [ string ]; # 0..1 Alternative User identity
    fhir:AuditEvent.agent.name [ string ]; # 0..1 Human friendly name for the agent
    fhir:AuditEvent.agent.requestor [ boolean ]; # 1..1 Whether user is initiator
    fhir:AuditEvent.agent.location [ Reference(Location) ]; # 0..1 Where
    fhir:AuditEvent.agent.policy [ uri ], ... ; # 0..* Policy that authorized event
    fhir:AuditEvent.agent.media [ Coding ]; # 0..1 Type of media
    fhir:AuditEvent.agent.network [ # 0..1 Logical network location for application activity
      fhir:AuditEvent.agent.network.address [ string ]; # 0..1 Identifier for the network access point of the user device
      fhir:AuditEvent.agent.network.type [ code ]; # 0..1 The type of network access point
    ];
    fhir:AuditEvent.agent.purposeOfUse [ CodeableConcept ], ... ; # 0..* Reason given for this user
  ], ...;
  fhir:AuditEvent.source [ # 1..1 Audit Event Reporter
    fhir:AuditEvent.source.site [ string ]; # 0..1 Logical source location within the enterprise
    fhir:AuditEvent.source.observer [ Reference(PractitionerRole|Practitioner|Organization|Device|Patient|RelatedPerson) ]; # 1..1 The identity of source detecting the event
    fhir:AuditEvent.source.type [ Coding ], ... ; # 0..* The type of source where event originated
  ];
  fhir:AuditEvent.entity [ # 0..* Data or objects used
    fhir:AuditEvent.entity.what [ Reference(Any) ]; # 0..1 Specific instance of resource
    fhir:AuditEvent.entity.type [ Coding ]; # 0..1 Type of entity involved
    fhir:AuditEvent.entity.role [ Coding ]; # 0..1 What role the entity played
    fhir:AuditEvent.entity.lifecycle [ Coding ]; # 0..1 Life-cycle stage for the entity
    fhir:AuditEvent.entity.securityLabel [ Coding ], ... ; # 0..* Security labels on the entity
    fhir:AuditEvent.entity.name [ string ]; # 0..1 Descriptor for entity
    fhir:AuditEvent.entity.description [ string ]; # 0..1 Descriptive text
    fhir:AuditEvent.entity.query [ base64Binary ]; # 0..1 Query parameters
    fhir:AuditEvent.entity.detail [ # 0..* Additional Information about the entity
      fhir:AuditEvent.entity.detail.type [ string ]; # 1..1 Name of the property
      # AuditEvent.entity.detail.value[x] : 1..1 Property value. One of these 2
        fhir:AuditEvent.entity.detail.valueString [ string ]
        fhir:AuditEvent.entity.detail.valueBase64Binary [ base64Binary ]
    ], ...;
  ], ...;
]

Changes since Release 3

AuditEvent

AuditEvent.action

Change value set from http://hl7.org/fhir/ValueSet/audit-event-action to http://hl7.org/fhir/ValueSet/audit-event-action|4.0.1

AuditEvent.period

Added Element

AuditEvent.outcome

Change value set from http://hl7.org/fhir/ValueSet/audit-event-outcome to http://hl7.org/fhir/ValueSet/audit-event-outcome|4.0.1

AuditEvent.agent.type

Added Element

AuditEvent.agent.role

Remove Binding http://hl7.org/fhir/ValueSet/security-role-type (extensible)

AuditEvent.agent.who

Added Element

AuditEvent.agent.network.type

Change value set from http://hl7.org/fhir/ValueSet/network-type to http://hl7.org/fhir/ValueSet/network-type|4.0.1

AuditEvent.source.observer

Added Mandatory Element

AuditEvent.source.type

Change code system for extensibly bound codes from "http://hl7.org/fhir/security-source-type" to "http://terminology.hl7.org/CodeSystem/security-source-type"

AuditEvent.entity.what

Added Element

AuditEvent.entity.role

Change code system for extensibly bound codes from "http://hl7.org/fhir/object-role" to "http://terminology.hl7.org/CodeSystem/object-role"

AuditEvent.entity.detail.value[x]

Renamed from value to value[x]
Add Type string

AuditEvent.agent.reference

deleted

AuditEvent.agent.userId

deleted

AuditEvent.source.identifier

deleted

AuditEvent.entity.identifier

deleted

AuditEvent.entity.reference

deleted

See the Full Difference for further information

This analysis is available as XML or JSON.

See R3 <--> R4 Conversion Maps (status = 8 tests that all execute ok. All tests pass round-trip testing and all r3 resources are valid.)

See the Profiles & Extensions and the alternate definitions: Master Definition XML + JSON, XML Schema/Schematron + JSON Schema, ShEx (for Turtle) + see the extensions & the dependency analysis

6.4.3.1 Terminology Bindings

Path	Definition	Type	Reference
AuditEvent.type	Type of event.	Extensible	AuditEventID
AuditEvent.subtype	Sub-type of event.	Extensible	AuditEventSub-Type
AuditEvent.action	Indicator for type of action performed during the event that generated the event.	Required	AuditEventAction
AuditEvent.outcome	Indicates whether the event succeeded or failed.	Required	AuditEventOutcome
AuditEvent.purposeOfEvent AuditEvent.agent.purposeOfUse	The reason the activity took place.	Extensible	v3.PurposeOfUse
AuditEvent.agent.type	The Participation type of the agent to the event.	Extensible	ParticipationRoleType
AuditEvent.agent.role	What security role enabled the agent to participate in the event.	Example	SecurityRoleType
AuditEvent.agent.media	Used when the event is about exporting/importing onto media.	Extensible	MediaTypeCode
AuditEvent.agent.network.type	The type of network access point of this agent in the audit event.	Required	AuditEventAgentNetworkType
AuditEvent.source.type	Code specifying the type of system that detected and recorded the event.	Extensible	AuditEventSourceType
AuditEvent.entity.type	Code for the entity type involved in the audit event.	Extensible	AuditEventEntityType
AuditEvent.entity.role	Code representing the role the entity played in the audit event.	Extensible	AuditEventEntityRole
AuditEvent.entity.lifecycle	Identifier for the data life-cycle stage for the entity.	Extensible	ObjectLifecycleEvents
AuditEvent.entity.securityLabel	Security Labels from the Healthcare Privacy and Security Classification System.	Extensible	All Security Labels

Path

Definition

Type

Reference

AuditEvent.type

Type of event.

Extensible

AuditEventID

AuditEvent.subtype

Sub-type of event.

Extensible

AuditEventSub-Type

AuditEvent.action

Indicator for type of action performed during the event that generated the event.

Required

AuditEventAction

AuditEvent.outcome

Indicates whether the event succeeded or failed.

Required

AuditEventOutcome

AuditEvent.purposeOfEvent
AuditEvent.agent.purposeOfUse

The reason the activity took place.

Extensible

v3.PurposeOfUse

AuditEvent.agent.type

The Participation type of the agent to the event.

Extensible

ParticipationRoleType

AuditEvent.agent.role

What security role enabled the agent to participate in the event.

Example

SecurityRoleType

AuditEvent.agent.media

Used when the event is about exporting/importing onto media.

Extensible

MediaTypeCode

AuditEvent.agent.network.type

The type of network access point of this agent in the audit event.

Required

AuditEventAgentNetworkType

AuditEvent.source.type

Code specifying the type of system that detected and recorded the event.

Extensible

AuditEventSourceType

AuditEvent.entity.type

Code for the entity type involved in the audit event.

Extensible

AuditEventEntityType

AuditEvent.entity.role

Code representing the role the entity played in the audit event.

Extensible

AuditEventEntityRole

AuditEvent.entity.lifecycle

Identifier for the data life-cycle stage for the entity.

Extensible

ObjectLifecycleEvents

AuditEvent.entity.securityLabel

Security Labels from the Healthcare Privacy and Security Classification System.

Extensible

All Security Labels

6.4.3.2 Constraints

Level

Location

Description

Expression

sev-1

Rule

AuditEvent.entity

Either a name or a query (NOT both)

name.empty() or query.empty()

6.4.3.3 Using Coded Values

The AuditEvent resource and the ATNA Audit record are used in many contexts throughout healthcare. The coded values defined in the "extensible" bindings above are those widely used and/or defined by DICOM, IHE or ISO, who defined these codes to meet very specific use cases. These codes should be used when they are suitable. When needed, other codes can be defined.

Note: When using codes from a vocabulary, the display element for the code can be left off to keep the AuditEvent size small and minimize impact of a large audit log of similar entries.

The set of codes defined for this resource is expected to grow over time, and additional codes may be proposed / requested using the "Propose a change" link above below.

6.4.3.4 Event codes for Common Scenarios

This table summarizes common event scenarios, and the codes that should be used for each case.

Scenario

type

subtype

action

Other

User Login (example)

110114 User Authentication

110122 User Authentication

E Execute

One agent which contains the details of the logged-in user.

User Logout (example)

110114 User Authentication

110123 User Logout

E Execute

One agent which contains the details of the logged-out user.

REST operation logged on server (example)

rest RESTful Operation

[code] defined for operation

* (see below)

Agent for logged in user, if available.

Search operation logged on server (example)

rest RESTful Operation

[code] defined for operation

E Execute

Agent for logged in user, if available, and one object with a query element.

Audit Event Actions for RESTful operations:

Operation

Action

create

read, vread, history-instance, history-type, history-system

update

delete

transaction, operation, conformance, validate, search, search-type, search-system

6.4.3.5 Encoding a FHIR operation outcome

FHIR interactions can result in a rich description of the outcome using the OperationOutcome. The OperationOutcome Resource is a collection of error, warning or information messages that result from a system action. This describes in detail the outcome of some operation, such as when a RESTful operation fails.

When recording into an AuditEvent that some FHIR interaction has happened, the AuditEvent should include the OperationOutcome from that FHIR interaction. This is done by placing the OperationOutcome into an AuditEvent.entity. Likely as a contained resource, given that OperationOutcome resources often are not persisted.

entity.who is the OperationOutcome -- Likely contained

entity.type is code OperationOutcome

entity.description explains why this OperationOutcome was included.

See transaction failure example: When a client attempts to post (create) an Observation Resource, using a server Patient endpoint; this would result in an error with an OperationOutcome.

6.4.3.6 PurposeOfEvent and PurposeOfUse

The AuditEvent provides the element purposeOfEvent to convey the purpose of the event and purposeOfUse to convey the reason that a particular actor (machine, person, software) was involved in the event.

purposeOfEvent is an element at the level of AuditEvent and can convey the purpose of the activity that resulted in the event. This will occur when the system that is reporting the event is aware of the purpose of the event. A specific example would be a radiology reporting system where a radiologist has created and is sending a finished report. This system likely knows the purpose, e.g., "treatment". It is multi-valued because the one event may be related to multiple purposes.

It is also commonplace that the reporting system does not have information about the purpose of the event. In these cases, the event report would not have a purposeOfEvent.

It is also likely that the same event will be reported from different perspectives, e.g., by both the sender and recipient of a communication. These two different perspectives can have different knowledge regarding the purposeOfEvent.

purposeOfUse is an element at the level of agent within AuditEvent. This describes the reason that this person, machine, or software is participating in the activity that resulted in the event. For example, an individual person participating in the event may assert a purpose of use from their perspective. It is also possible that they are participating for multiple reasons and report multiple purposeOfUse.

The reporting system might not have knowledge regarding why a particular machine or person was involved and would omit this element in those cases.

When the same event is reported from multiple perspectives, the reports can have different knowledge regarding the purpose.

6.4.4 Search Parameters

Search parameters for this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.

Name	Type	Description	Expression	In Common
action	token	Type of action performed during the event	AuditEvent.action
address	string	Identifier for the network access point of the user device	AuditEvent.agent.network.address
agent	reference	Identifier of who	AuditEvent.agent.who (Practitioner, Organization, Device, Patient, PractitionerRole, RelatedPerson)
agent-name	string	Human friendly name for the agent	AuditEvent.agent.name
agent-role	token	Agent role in the event	AuditEvent.agent.role
altid	token	Alternative User identity	AuditEvent.agent.altId
date	date	Time when the event was recorded	AuditEvent.recorded
entity	reference	Specific instance of resource	AuditEvent.entity.what (Any)
entity-name	string	Descriptor for entity	AuditEvent.entity.name
entity-role	token	What role the entity played	AuditEvent.entity.role
entity-type	token	Type of entity involved	AuditEvent.entity.type
outcome	token	Whether the event succeeded or failed	AuditEvent.outcome
patient	reference	Identifier of who	AuditEvent.agent.who.where(resolve() is Patient) \| AuditEvent.entity.what.where(resolve() is Patient) (Patient)
policy	uri	Policy that authorized event	AuditEvent.agent.policy
site	token	Logical source location within the enterprise	AuditEvent.source.site
source	reference	The identity of source detecting the event	AuditEvent.source.observer (Practitioner, Organization, Device, Patient, PractitionerRole, RelatedPerson)
subtype	token	More specific type/id for the event	AuditEvent.subtype
type	token	Type/identifier of event	AuditEvent.type