This page is part of the FHIR Specification (v4.5.0: R5 Preview #3). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions . Page versions: R5 R4B R4 R3 R2
Security Work Group | Maturity Level: 3 | Trial Use | Security Category: Not Classified | Compartments: Device, Patient, Practitioner |
A record of an event relevant for purposes such as operations, privacy, security, maintenance, and performance analysis.
The audit event is based on the IHE-ATNA Audit record definitions, originally from RFC 3881 , and now managed by DICOM (see DICOM Part 15 Annex A5 ).
This resource is managed collaboratively between HL7, DICOM, and IHE.
A record of an event relevant for purposes such as operations, privacy, security, maintenance, and performance analysis.
All actors - such as applications, processes, and services - involved in an auditable event should record an AuditEvent. This will likely result in multiple AuditEvent entries that show whether privacy and security safeguards, such as access control, are properly functioning across an enterprise's system-of-systems. Thus, it is typical to get an auditable event recorded by both the application in a workflow process and the servers that support them. For this reason, duplicate entries are expected, which is helpful because it may aid in the detection of security, privacy, or other operational problems. For example, fewer than expected actors being recorded in a multi-actor process or attributes related to those records being in conflict, which is an indication of a security problem. There may be non-participating actors, such as trusted intermediary, that also detect a security, privacy, or operational relevant event and thus would record an AuditEvent.
Security relevant events are not limited to communications or RESTful events. They include:
See the Audit Event Sub-Type vocabulary for guidance on some security relevant events.
The content of an AuditEvent is intended for use by security system administrators, security and privacy information managers, and records management personnel. This content is not intended to be accessible or used directly by other healthcare users, such as providers or patients, although reports generated from the raw data would be useful. An example is a patient-centric accounting of disclosures or an access report. Servers that provide support for AuditEvent resources would not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record. Access to the AuditEvent would typically be limited to security, privacy, or other system administration purposes.
Relationship of AuditEvent and Provenance resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource "came to be" in its current state, e.g., whether it was created de novo or obtained from another entity in whole, part, or by transformation. Provenance resources are prepared by the application that initiates the create/update of the resource and may be persisted with the AuditEvent target resource.
No resources refer to this resource directly.
This resource implements the Event pattern.
Structure
Name | Flags | Card. | Type | Description & Constraints |
---|---|---|---|---|
AuditEvent | TU | DomainResource | Record of an event Elements defined in Ancestors: id, meta, implicitRules, language, text, contained, extension, modifierExtension | |
type | Σ | 1..1 | Coding | Type/identifier of event Audit Event ID (Extensible) |
subtype | Σ | 0..* | Coding | More specific type/id for the event Audit Event Sub-Type (Extensible) |
action | Σ | 0..1 | code | Type of action performed during the event AuditEventAction (Required) |
severity | Σ | 0..1 | code | emergency | alert | critical | error | warning | notice | informational | debug AuditEventSeverity (Required) |
period | 0..1 | Period | When the activity occurred | |
recorded | Σ | 1..1 | instant | Time when the event was recorded |
outcome | Σ | 0..1 | CodeableConcept | Whether the event succeeded or failed AuditEventOutcome (Extensible) |
purposeOfEvent | Σ | 0..* | CodeableConcept | The purposeOfUse of the event PurposeOfUse (Extensible) |
agent | 1..* | BackboneElement | Actor involved in the event | |
type | 0..1 | CodeableConcept | How agent participated ParticipationRoleType (Extensible) | |
role | 0..* | CodeableConcept | Agent role in the event SecurityRoleType (Example) | |
who | Σ | 0..1 | Reference(PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson) | Identifier of who |
altId | 0..1 | string | Alternative User identity | |
name | 0..1 | string | Human friendly name for the agent | |
requestor | Σ | 1..1 | boolean | Whether user is initiator |
location | 0..1 | Reference(Location) | Where | |
policy | 0..* | uri | Policy that authorized event | |
media | 0..1 | Coding | Type of media Audit Agent Media Type (Extensible) | |
network | 0..1 | BackboneElement | Logical network location for application activity | |
address | 0..1 | string | Identifier for the network access point of the user device | |
type | 0..1 | code | The type of network access point AuditEventAgentNetworkType (Required) | |
purposeOfUse | 0..* | CodeableConcept | Reason given for this user PurposeOfUse (Extensible) | |
source | 1..1 | BackboneElement | Audit Event Reporter | |
site | 0..1 | string | Logical source location within the enterprise | |
observer | Σ | 1..1 | Reference(PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson) | The identity of source detecting the event |
type | 0..* | Coding | The type of source where event originated Audit Event Source Type (Extensible) | |
entity | I | 0..* | BackboneElement | Data or objects used + Rule: Either a name or a query (NOT both) |
what | Σ | 0..1 | Reference(Any) | Specific instance of resource |
type | 0..1 | Coding | Type of entity involved Audit event entity type (Extensible) | |
role | 0..1 | Coding | What role the entity played AuditEventEntityRole (Extensible) | |
lifecycle | 0..1 | Coding | Life-cycle stage for the entity ObjectLifecycleEvents (Extensible) | |
securityLabel | 0..* | Coding | Security labels on the entity SecurityLabels (Extensible) | |
name | ΣI | 0..1 | string | Descriptor for entity |
query | ΣI | 0..1 | base64Binary | Query parameters |
detail | 0..* | BackboneElement | Additional Information about the entity | |
type | 1..1 | string | Name of the property | |
value[x] | 1..1 | Property value | ||
valueString | string | |||
valueBase64Binary | base64Binary | |||
Documentation for this format |
UML Diagram (Legend)
XML Template
<AuditEvent xmlns="http://hl7.org/fhir"> <!-- from Resource: id, meta, implicitRules, and language --> <!-- from DomainResource: text, contained, extension, and modifierExtension --> <type><!-- 1..1 Coding Type/identifier of event --></type> <subtype><!-- 0..* Coding More specific type/id for the event --></subtype> <action value="[code]"/><!-- 0..1 Type of action performed during the event --> <severity value="[code]"/><!-- 0..1 emergency | alert | critical | error | warning | notice | informational | debug --> <period><!-- 0..1 Period When the activity occurred --></period> <recorded value="[instant]"/><!-- 1..1 Time when the event was recorded --> <outcome><!-- 0..1 CodeableConcept Whether the event succeeded or failed --></outcome> <purposeOfEvent><!-- 0..* CodeableConcept The purposeOfUse of the event --></purposeOfEvent> <agent> <!-- 1..* Actor involved in the event --> <type><!-- 0..1 CodeableConcept How agent participated --></type> <role><!-- 0..* CodeableConcept Agent role in the event --></role> <who><!-- 0..1 Reference(Device|Organization|Patient|Practitioner| PractitionerRole|RelatedPerson) Identifier of who --></who> <altId value="[string]"/><!-- 0..1 Alternative User identity --> <name value="[string]"/><!-- 0..1 Human friendly name for the agent --> <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator --> <location><!-- 0..1 Reference(Location) Where --></location> <policy value="[uri]"/><!-- 0..* Policy that authorized event --> <media><!-- 0..1 Coding Type of media --></media> <network> <!-- 0..1 Logical network location for application activity --> <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device --> <type value="[code]"/><!-- 0..1 The type of network access point --> </network> <purposeOfUse><!-- 0..* CodeableConcept Reason given for this user --></purposeOfUse> </agent> <source> <!-- 1..1 Audit Event Reporter --> <site value="[string]"/><!-- 0..1 Logical source location within the enterprise --> <observer><!-- 1..1 Reference(Device|Organization|Patient|Practitioner| PractitionerRole|RelatedPerson) The identity of source detecting the event --></observer> <type><!-- 0..* Coding The type of source where event originated --></type> </source> <entity> <!-- 0..* Data or objects used --> <what><!-- 0..1 Reference(Any) Specific instance of resource --></what> <type><!-- 0..1 Coding Type of entity involved --></type> <role><!-- 0..1 Coding What role the entity played --></role> <lifecycle><!-- 0..1 Coding Life-cycle stage for the entity --></lifecycle> <securityLabel><!-- 0..* Coding Security labels on the entity --></securityLabel> <name value="[string]"/><!-- 0..1 Descriptor for entity --> <query value="[base64Binary]"/><!-- 0..1 Query parameters --> <detail> <!-- 0..* Additional Information about the entity --> <type value="[string]"/><!-- 1..1 Name of the property --> <value[x]><!-- 1..1 string|base64Binary Property value --></value[x]> </detail> </entity> </AuditEvent>
JSON Template
{ "resourceType" : "AuditEvent", // from Resource: id, meta, implicitRules, and language // from DomainResource: text, contained, extension, and modifierExtension "type" : { Coding }, // R! Type/identifier of event "subtype" : [{ Coding }], // More specific type/id for the event "action" : "<code>", // Type of action performed during the event "severity" : "<code>", // emergency | alert | critical | error | warning | notice | informational | debug "period" : { Period }, // When the activity occurred "recorded" : "<instant>", // R! Time when the event was recorded "outcome" : { CodeableConcept }, // Whether the event succeeded or failed "purposeOfEvent" : [{ CodeableConcept }], // The purposeOfUse of the event "agent" : [{ // R! Actor involved in the event "type" : { CodeableConcept }, // How agent participated "role" : [{ CodeableConcept }], // Agent role in the event "who" : { Reference(Device|Organization|Patient|Practitioner| PractitionerRole|RelatedPerson) }, // Identifier of who "altId" : "<string>", // Alternative User identity "name" : "<string>", // Human friendly name for the agent "requestor" : <boolean>, // R! Whether user is initiator "location" : { Reference(Location) }, // Where "policy" : ["<uri>"], // Policy that authorized event "media" : { Coding }, // Type of media "network" : { // Logical network location for application activity "address" : "<string>", // Identifier for the network access point of the user device "type" : "<code>" // The type of network access point }, "purposeOfUse" : [{ CodeableConcept }] // Reason given for this user }], "source" : { // R! Audit Event Reporter "site" : "<string>", // Logical source location within the enterprise "observer" : { Reference(Device|Organization|Patient|Practitioner| PractitionerRole|RelatedPerson) }, // R! The identity of source detecting the event "type" : [{ Coding }] // The type of source where event originated }, "entity" : [{ // Data or objects used "what" : { Reference(Any) }, // Specific instance of resource "type" : { Coding }, // Type of entity involved "role" : { Coding }, // What role the entity played "lifecycle" : { Coding }, // Life-cycle stage for the entity "securityLabel" : [{ Coding }], // Security labels on the entity "name" : "<string>", // C? Descriptor for entity "query" : "<base64Binary>", // C? Query parameters "detail" : [{ // Additional Information about the entity "type" : "<string>", // R! Name of the property // value[x]: Property value. One of these 2: "valueString" : "<string>" "valueBase64Binary" : "<base64Binary>" }] }] }
Turtle Template
@prefix fhir: <http://hl7.org/fhir/> . [ a fhir:AuditEvent; fhir:nodeRole fhir:treeRoot; # if this is the parser root # from Resource: .id, .meta, .implicitRules, and .language # from DomainResource: .text, .contained, .extension, and .modifierExtension fhir:AuditEvent.type [ Coding ]; # 1..1 Type/identifier of event fhir:AuditEvent.subtype [ Coding ], ... ; # 0..* More specific type/id for the event fhir:AuditEvent.action [ code ]; # 0..1 Type of action performed during the event fhir:AuditEvent.severity [ code ]; # 0..1 emergency | alert | critical | error | warning | notice | informational | debug fhir:AuditEvent.period [ Period ]; # 0..1 When the activity occurred fhir:AuditEvent.recorded [ instant ]; # 1..1 Time when the event was recorded fhir:AuditEvent.outcome [ CodeableConcept ]; # 0..1 Whether the event succeeded or failed fhir:AuditEvent.purposeOfEvent [ CodeableConcept ], ... ; # 0..* The purposeOfUse of the event fhir:AuditEvent.agent [ # 1..* Actor involved in the event fhir:AuditEvent.agent.type [ CodeableConcept ]; # 0..1 How agent participated fhir:AuditEvent.agent.role [ CodeableConcept ], ... ; # 0..* Agent role in the event fhir:AuditEvent.agent.who [ Reference(Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ]; # 0..1 Identifier of who fhir:AuditEvent.agent.altId [ string ]; # 0..1 Alternative User identity fhir:AuditEvent.agent.name [ string ]; # 0..1 Human friendly name for the agent fhir:AuditEvent.agent.requestor [ boolean ]; # 1..1 Whether user is initiator fhir:AuditEvent.agent.location [ Reference(Location) ]; # 0..1 Where fhir:AuditEvent.agent.policy [ uri ], ... ; # 0..* Policy that authorized event fhir:AuditEvent.agent.media [ Coding ]; # 0..1 Type of media fhir:AuditEvent.agent.network [ # 0..1 Logical network location for application activity fhir:AuditEvent.agent.network.address [ string ]; # 0..1 Identifier for the network access point of the user device fhir:AuditEvent.agent.network.type [ code ]; # 0..1 The type of network access point ]; fhir:AuditEvent.agent.purposeOfUse [ CodeableConcept ], ... ; # 0..* Reason given for this user ], ...; fhir:AuditEvent.source [ # 1..1 Audit Event Reporter fhir:AuditEvent.source.site [ string ]; # 0..1 Logical source location within the enterprise fhir:AuditEvent.source.observer [ Reference(Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ]; # 1..1 The identity of source detecting the event fhir:AuditEvent.source.type [ Coding ], ... ; # 0..* The type of source where event originated ]; fhir:AuditEvent.entity [ # 0..* Data or objects used fhir:AuditEvent.entity.what [ Reference(Any) ]; # 0..1 Specific instance of resource fhir:AuditEvent.entity.type [ Coding ]; # 0..1 Type of entity involved fhir:AuditEvent.entity.role [ Coding ]; # 0..1 What role the entity played fhir:AuditEvent.entity.lifecycle [ Coding ]; # 0..1 Life-cycle stage for the entity fhir:AuditEvent.entity.securityLabel [ Coding ], ... ; # 0..* Security labels on the entity fhir:AuditEvent.entity.name [ string ]; # 0..1 Descriptor for entity fhir:AuditEvent.entity.query [ base64Binary ]; # 0..1 Query parameters fhir:AuditEvent.entity.detail [ # 0..* Additional Information about the entity fhir:AuditEvent.entity.detail.type [ string ]; # 1..1 Name of the property # AuditEvent.entity.detail.value[x] : 1..1 Property value. One of these 2 fhir:AuditEvent.entity.detail.valueString [ string ] fhir:AuditEvent.entity.detail.valueBase64Binary [ base64Binary ] ], ...; ], ...; ]
Changes since R3
AuditEvent | |
AuditEvent.action |
|
AuditEvent.severity |
|
AuditEvent.outcome |
|
AuditEvent.agent.media |
|
AuditEvent.agent.network.type |
|
AuditEvent.outcomeDesc |
|
AuditEvent.entity.description |
|
See the Full Difference for further information
This analysis is available as XML or JSON.
See R3 <--> R4 Conversion Maps (status = 8 tests that all execute ok. All tests pass round-trip testing and all r3 resources are valid.)
Structure
Name | Flags | Card. | Type | Description & Constraints |
---|---|---|---|---|
AuditEvent | TU | DomainResource | Record of an event Elements defined in Ancestors: id, meta, implicitRules, language, text, contained, extension, modifierExtension | |
type | Σ | 1..1 | Coding | Type/identifier of event Audit Event ID (Extensible) |
subtype | Σ | 0..* | Coding | More specific type/id for the event Audit Event Sub-Type (Extensible) |
action | Σ | 0..1 | code | Type of action performed during the event AuditEventAction (Required) |
severity | Σ | 0..1 | code | emergency | alert | critical | error | warning | notice | informational | debug AuditEventSeverity (Required) |
period | 0..1 | Period | When the activity occurred | |
recorded | Σ | 1..1 | instant | Time when the event was recorded |
outcome | Σ | 0..1 | CodeableConcept | Whether the event succeeded or failed AuditEventOutcome (Extensible) |
purposeOfEvent | Σ | 0..* | CodeableConcept | The purposeOfUse of the event PurposeOfUse (Extensible) |
agent | 1..* | BackboneElement | Actor involved in the event | |
type | 0..1 | CodeableConcept | How agent participated ParticipationRoleType (Extensible) | |
role | 0..* | CodeableConcept | Agent role in the event SecurityRoleType (Example) | |
who | Σ | 0..1 | Reference(PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson) | Identifier of who |
altId | 0..1 | string | Alternative User identity | |
name | 0..1 | string | Human friendly name for the agent | |
requestor | Σ | 1..1 | boolean | Whether user is initiator |
location | 0..1 | Reference(Location) | Where | |
policy | 0..* | uri | Policy that authorized event | |
media | 0..1 | Coding | Type of media Audit Agent Media Type (Extensible) | |
network | 0..1 | BackboneElement | Logical network location for application activity | |
address | 0..1 | string | Identifier for the network access point of the user device | |
type | 0..1 | code | The type of network access point AuditEventAgentNetworkType (Required) | |
purposeOfUse | 0..* | CodeableConcept | Reason given for this user PurposeOfUse (Extensible) | |
source | 1..1 | BackboneElement | Audit Event Reporter | |
site | 0..1 | string | Logical source location within the enterprise | |
observer | Σ | 1..1 | Reference(PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson) | The identity of source detecting the event |
type | 0..* | Coding | The type of source where event originated Audit Event Source Type (Extensible) | |
entity | I | 0..* | BackboneElement | Data or objects used + Rule: Either a name or a query (NOT both) |
what | Σ | 0..1 | Reference(Any) | Specific instance of resource |
type | 0..1 | Coding | Type of entity involved Audit event entity type (Extensible) | |
role | 0..1 | Coding | What role the entity played AuditEventEntityRole (Extensible) | |
lifecycle | 0..1 | Coding | Life-cycle stage for the entity ObjectLifecycleEvents (Extensible) | |
securityLabel | 0..* | Coding | Security labels on the entity SecurityLabels (Extensible) | |
name | ΣI | 0..1 | string | Descriptor for entity |
query | ΣI | 0..1 | base64Binary | Query parameters |
detail | 0..* | BackboneElement | Additional Information about the entity | |
type | 1..1 | string | Name of the property | |
value[x] | 1..1 | Property value | ||
valueString | string | |||
valueBase64Binary | base64Binary | |||
Documentation for this format |
XML Template
<AuditEvent xmlns="http://hl7.org/fhir"> <!-- from Resource: id, meta, implicitRules, and language --> <!-- from DomainResource: text, contained, extension, and modifierExtension --> <type><!-- 1..1 Coding Type/identifier of event --></type> <subtype><!-- 0..* Coding More specific type/id for the event --></subtype> <action value="[code]"/><!-- 0..1 Type of action performed during the event --> <severity value="[code]"/><!-- 0..1 emergency | alert | critical | error | warning | notice | informational | debug --> <period><!-- 0..1 Period When the activity occurred --></period> <recorded value="[instant]"/><!-- 1..1 Time when the event was recorded --> <outcome><!-- 0..1 CodeableConcept Whether the event succeeded or failed --></outcome> <purposeOfEvent><!-- 0..* CodeableConcept The purposeOfUse of the event --></purposeOfEvent> <agent> <!-- 1..* Actor involved in the event --> <type><!-- 0..1 CodeableConcept How agent participated --></type> <role><!-- 0..* CodeableConcept Agent role in the event --></role> <who><!-- 0..1 Reference(Device|Organization|Patient|Practitioner| PractitionerRole|RelatedPerson) Identifier of who --></who> <altId value="[string]"/><!-- 0..1 Alternative User identity --> <name value="[string]"/><!-- 0..1 Human friendly name for the agent --> <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator --> <location><!-- 0..1 Reference(Location) Where --></location> <policy value="[uri]"/><!-- 0..* Policy that authorized event --> <media><!-- 0..1 Coding Type of media --></media> <network> <!-- 0..1 Logical network location for application activity --> <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device --> <type value="[code]"/><!-- 0..1 The type of network access point --> </network> <purposeOfUse><!-- 0..* CodeableConcept Reason given for this user --></purposeOfUse> </agent> <source> <!-- 1..1 Audit Event Reporter --> <site value="[string]"/><!-- 0..1 Logical source location within the enterprise --> <observer><!-- 1..1 Reference(Device|Organization|Patient|Practitioner| PractitionerRole|RelatedPerson) The identity of source detecting the event --></observer> <type><!-- 0..* Coding The type of source where event originated --></type> </source> <entity> <!-- 0..* Data or objects used --> <what><!-- 0..1 Reference(Any) Specific instance of resource --></what> <type><!-- 0..1 Coding Type of entity involved --></type> <role><!-- 0..1 Coding What role the entity played --></role> <lifecycle><!-- 0..1 Coding Life-cycle stage for the entity --></lifecycle> <securityLabel><!-- 0..* Coding Security labels on the entity --></securityLabel> <name value="[string]"/><!-- 0..1 Descriptor for entity --> <query value="[base64Binary]"/><!-- 0..1 Query parameters --> <detail> <!-- 0..* Additional Information about the entity --> <type value="[string]"/><!-- 1..1 Name of the property --> <value[x]><!-- 1..1 string|base64Binary Property value --></value[x]> </detail> </entity> </AuditEvent>
JSON Template
{ "resourceType" : "AuditEvent", // from Resource: id, meta, implicitRules, and language // from DomainResource: text, contained, extension, and modifierExtension "type" : { Coding }, // R! Type/identifier of event "subtype" : [{ Coding }], // More specific type/id for the event "action" : "<code>", // Type of action performed during the event "severity" : "<code>", // emergency | alert | critical | error | warning | notice | informational | debug "period" : { Period }, // When the activity occurred "recorded" : "<instant>", // R! Time when the event was recorded "outcome" : { CodeableConcept }, // Whether the event succeeded or failed "purposeOfEvent" : [{ CodeableConcept }], // The purposeOfUse of the event "agent" : [{ // R! Actor involved in the event "type" : { CodeableConcept }, // How agent participated "role" : [{ CodeableConcept }], // Agent role in the event "who" : { Reference(Device|Organization|Patient|Practitioner| PractitionerRole|RelatedPerson) }, // Identifier of who "altId" : "<string>", // Alternative User identity "name" : "<string>", // Human friendly name for the agent "requestor" : <boolean>, // R! Whether user is initiator "location" : { Reference(Location) }, // Where "policy" : ["<uri>"], // Policy that authorized event "media" : { Coding }, // Type of media "network" : { // Logical network location for application activity "address" : "<string>", // Identifier for the network access point of the user device "type" : "<code>" // The type of network access point }, "purposeOfUse" : [{ CodeableConcept }] // Reason given for this user }], "source" : { // R! Audit Event Reporter "site" : "<string>", // Logical source location within the enterprise "observer" : { Reference(Device|Organization|Patient|Practitioner| PractitionerRole|RelatedPerson) }, // R! The identity of source detecting the event "type" : [{ Coding }] // The type of source where event originated }, "entity" : [{ // Data or objects used "what" : { Reference(Any) }, // Specific instance of resource "type" : { Coding }, // Type of entity involved "role" : { Coding }, // What role the entity played "lifecycle" : { Coding }, // Life-cycle stage for the entity "securityLabel" : [{ Coding }], // Security labels on the entity "name" : "<string>", // C? Descriptor for entity "query" : "<base64Binary>", // C? Query parameters "detail" : [{ // Additional Information about the entity "type" : "<string>", // R! Name of the property // value[x]: Property value. One of these 2: "valueString" : "<string>" "valueBase64Binary" : "<base64Binary>" }] }] }
Turtle Template
@prefix fhir: <http://hl7.org/fhir/> . [ a fhir:AuditEvent; fhir:nodeRole fhir:treeRoot; # if this is the parser root # from Resource: .id, .meta, .implicitRules, and .language # from DomainResource: .text, .contained, .extension, and .modifierExtension fhir:AuditEvent.type [ Coding ]; # 1..1 Type/identifier of event fhir:AuditEvent.subtype [ Coding ], ... ; # 0..* More specific type/id for the event fhir:AuditEvent.action [ code ]; # 0..1 Type of action performed during the event fhir:AuditEvent.severity [ code ]; # 0..1 emergency | alert | critical | error | warning | notice | informational | debug fhir:AuditEvent.period [ Period ]; # 0..1 When the activity occurred fhir:AuditEvent.recorded [ instant ]; # 1..1 Time when the event was recorded fhir:AuditEvent.outcome [ CodeableConcept ]; # 0..1 Whether the event succeeded or failed fhir:AuditEvent.purposeOfEvent [ CodeableConcept ], ... ; # 0..* The purposeOfUse of the event fhir:AuditEvent.agent [ # 1..* Actor involved in the event fhir:AuditEvent.agent.type [ CodeableConcept ]; # 0..1 How agent participated fhir:AuditEvent.agent.role [ CodeableConcept ], ... ; # 0..* Agent role in the event fhir:AuditEvent.agent.who [ Reference(Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ]; # 0..1 Identifier of who fhir:AuditEvent.agent.altId [ string ]; # 0..1 Alternative User identity fhir:AuditEvent.agent.name [ string ]; # 0..1 Human friendly name for the agent fhir:AuditEvent.agent.requestor [ boolean ]; # 1..1 Whether user is initiator fhir:AuditEvent.agent.location [ Reference(Location) ]; # 0..1 Where fhir:AuditEvent.agent.policy [ uri ], ... ; # 0..* Policy that authorized event fhir:AuditEvent.agent.media [ Coding ]; # 0..1 Type of media fhir:AuditEvent.agent.network [ # 0..1 Logical network location for application activity fhir:AuditEvent.agent.network.address [ string ]; # 0..1 Identifier for the network access point of the user device fhir:AuditEvent.agent.network.type [ code ]; # 0..1 The type of network access point ]; fhir:AuditEvent.agent.purposeOfUse [ CodeableConcept ], ... ; # 0..* Reason given for this user ], ...; fhir:AuditEvent.source [ # 1..1 Audit Event Reporter fhir:AuditEvent.source.site [ string ]; # 0..1 Logical source location within the enterprise fhir:AuditEvent.source.observer [ Reference(Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ]; # 1..1 The identity of source detecting the event fhir:AuditEvent.source.type [ Coding ], ... ; # 0..* The type of source where event originated ]; fhir:AuditEvent.entity [ # 0..* Data or objects used fhir:AuditEvent.entity.what [ Reference(Any) ]; # 0..1 Specific instance of resource fhir:AuditEvent.entity.type [ Coding ]; # 0..1 Type of entity involved fhir:AuditEvent.entity.role [ Coding ]; # 0..1 What role the entity played fhir:AuditEvent.entity.lifecycle [ Coding ]; # 0..1 Life-cycle stage for the entity fhir:AuditEvent.entity.securityLabel [ Coding ], ... ; # 0..* Security labels on the entity fhir:AuditEvent.entity.name [ string ]; # 0..1 Descriptor for entity fhir:AuditEvent.entity.query [ base64Binary ]; # 0..1 Query parameters fhir:AuditEvent.entity.detail [ # 0..* Additional Information about the entity fhir:AuditEvent.entity.detail.type [ string ]; # 1..1 Name of the property # AuditEvent.entity.detail.value[x] : 1..1 Property value. One of these 2 fhir:AuditEvent.entity.detail.valueString [ string ] fhir:AuditEvent.entity.detail.valueBase64Binary [ base64Binary ] ], ...; ], ...; ]
Changes since Release 3
AuditEvent | |
AuditEvent.action |
|
AuditEvent.severity |
|
AuditEvent.outcome |
|
AuditEvent.agent.media |
|
AuditEvent.agent.network.type |
|
AuditEvent.outcomeDesc |
|
AuditEvent.entity.description |
|
See the Full Difference for further information
This analysis is available as XML or JSON.
See R3 <--> R4 Conversion Maps (status = 8 tests that all execute ok. All tests pass round-trip testing and all r3 resources are valid.)
See the Profiles & Extensions and the alternate definitions: Master Definition XML + JSON, XML Schema/Schematron + JSON Schema, ShEx (for Turtle) + see the extensions, the spreadsheet version & the dependency analysis a
Path | Definition | Type | Reference |
---|---|---|---|
AuditEvent.type | Type of event. | Extensible | AuditEventID |
AuditEvent.subtype | Sub-type of event. | Extensible | AuditEventSub-Type |
AuditEvent.action | Indicator for type of action performed during the event that generated the event. | Required | AuditEventAction |
AuditEvent.severity | The severity of the audit entry. | Required | AuditEventSeverity |
AuditEvent.outcome | Indicates whether the event succeeded or failed. | Extensible | AuditEventOutcome |
AuditEvent.purposeOfEvent AuditEvent.agent.purposeOfUse | The reason the activity took place. | Extensible | PurposeOfUse |
AuditEvent.agent.type | The Participation type of the agent to the event. | Extensible | ParticipationRoleType |
AuditEvent.agent.role | What security role enabled the agent to participate in the event. | Example | SecurityRoleType |
AuditEvent.agent.media | Used when the event is about exporting/importing onto media. | Extensible | AuditMediaType |
AuditEvent.agent.network.type | The type of network access point of this agent in the audit event. | Required | AuditEventAgentNetworkType |
AuditEvent.source.type | Code specifying the type of system that detected and recorded the event. | Extensible | AuditEventSourceType |
AuditEvent.entity.type | Code for the entity type involved in the audit event. | Extensible | AuditEventEntityType |
AuditEvent.entity.role | Code representing the role the entity played in the audit event. | Extensible | AuditEventEntityRole |
AuditEvent.entity.lifecycle | Identifier for the data life-cycle stage for the entity. | Extensible | ObjectLifecycleEvents |
AuditEvent.entity.securityLabel | Security Labels from the Healthcare Privacy and Security Classification System. | Extensible | All Security Labels |
id | Level | Location | Description | Expression |
sev-1 | Rule | AuditEvent.entity | Either a name or a query (NOT both) | name.empty() or query.empty() |
The AuditEvent resource and the ATNA Audit record are used in many contexts throughout healthcare. The coded values defined in the "extensible" bindings above are those widely used and/or defined by DICOM, IHE or ISO, who defined these codes to meet very specific use cases. These codes should be used when they are suitable. When needed, other codes can be defined.
Note: When using codes from a vocabulary, the display
element for the code can be left off to keep the
AuditEvent size small and minimize impact of a large audit log of similar entries.
The set of codes defined for this resource is expected to grow over time, and additional codes may be proposed / requested using the "Propose a change" link above below.
This table summarizes common event scenarios, and the codes that should be used for each case.
Scenario | type | subtype | action | Other |
User Login (example) | 110114 User Authentication | 110122 User Authentication | E Execute | One agent which contains the details of the logged-in user. |
User Logout (example) | 110114 User Authentication | 110123 User Logout | E Execute | One agent which contains the details of the logged-out user. |
REST operation logged on server (example) | rest RESTful Operation | [code] defined for operation | * (see below) | Agent for logged in user, if available. |
Search operation logged on server (example) | rest RESTful Operation | [code] defined for operation | E Execute | Agent for logged in user, if available, and one object with a query element. The Execute action is used as the server must execute the search parameters to get the results, whereas a Read action identifies a specific object. |
Break-Glass started (example) | 110113 Security Alert | 110127 Emergency Override Started | E Execute | Agent is the user who is authorized to break-glass and has declared an emergency override. Note there is an Emergency Override Stopped subtype that can be used to indicate the closing of the break-glass event, when it is known. |
Audit Event Actions for RESTful operations:
Operation | Action |
create | C |
read, vread, history-instance, history-type, history-system | R |
update | U |
delete | D |
transaction, operation, conformance, validate, search, search-type, search-system | E |
FHIR interactions can result in a rich description of the outcome using the OperationOutcome. The OperationOutcome Resource is a collection of error, warning or information messages that result from a system action. This describes in detail the outcome of some operation, such as when a RESTful operation fails.
When recording into an AuditEvent that some FHIR interaction has happened, the AuditEvent should include the OperationOutcome from that FHIR interaction. This is done by placing the OperationOutcome into an AuditEvent.entity. Likely as a contained resource, given that OperationOutcome resources often are not persisted.
entity.who
is the OperationOutcome -- Likely contained
entity.type
is code
OperationOutcome
entity.description
explains why this OperationOutcome was included.
See transaction failure example: When a client attempts to post (create) an Observation
Resource,
using a server Patient
endpoint;
this would result in an error with an OperationOutcome.
The AuditEvent provides the element purposeOfEvent
to convey the purpose of the event and purposeOfUse
to convey the reason that a particular actor (machine, person, software) was involved in the event.
purposeOfEvent
is an element at the level of AuditEvent and can convey the purpose of the activity
that resulted in the event. This will occur when the system that is reporting the event is aware
of the purpose of the event. A specific example would be a radiology reporting system where a
radiologist has created and is sending a finished report. This system likely knows the purpose,
e.g., "treatment". It is multi-valued because the one event may be related to multiple purposes.
It is also commonplace that the reporting system does not have information about the purpose of the event. In these cases, the event report would not have a purposeOfEvent.
It is also likely that the same event will be reported from different perspectives, e.g., by both the
sender and recipient of a communication. These two different perspectives can have different
knowledge regarding the purposeOfEvent
.
purposeOfUse
is an element at the level of agent
within AuditEvent. This describes the reason that this
person, machine, or software is participating in the activity that resulted in the event. For
example, an individual person participating in the event may assert a purpose of use from their perspective.
It is also possible that they are participating for multiple reasons and report multiple purposeOfUse.
The reporting system might not have knowledge regarding why a particular machine or person was involved and would omit this element in those cases.
When the same event is reported from multiple perspectives, the reports can have different knowledge regarding the purpose.
It is a best practice to include a reference to the Patient/Subject affected by any auditable event, in order to enable Privacy Accounting of Disclosures and Access Logs, and to enable privacy office and security office audit log analysis. Reasonable efforts should be taken to assure the Patient/Subject is recorded, but it is recognized that there are times when this is not reasonable.
The Patient/Subject of an activity is indicated in an .entity element; with the .entity.who indicating the Patient reference, and the .entity.type indicating “1” Person, and the .entity.role indicating “1” patient. No other elements in this .entity need to be filled out. The indicator of the .entity.who, .entity.type, and .entity.role are enough to indicate that this AuditEvent activity has a subject as indicated.
Where an activity impacts more than one Patient/Subject; multiple AuditEvent resources should be recorded, one for each Patient/Subject. This best enables segmentation of the AuditEvent details so as to limit the Privacy impact. The use of multiple AuditEvent is a best-practice and should be driven by a Policy. There will be cases where the use of multiple AuditEvent resources are not necessary, such as public health reporting.
To record a REST interaction or $operation, it is often necessary to complete the transaction in order to determine the Patient/Subject. Inspection of the potential returned results may be necessary. Some REST and $operations include parameters limiting the results to a specific Patient, in these cases this parameter informs the inclusion of the Patient reference.
Implementation Guides may make the AuditEvent requirements more clear given the workflow or security context mandated by the Implementation Guide.
Search parameters for this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.
Name | Type | Description | Expression | In Common |
action N | token | Type of action performed during the event | AuditEvent.action | |
address N | string | Identifier for the network access point of the user device | AuditEvent.agent.network.address | |
agent | reference | Identifier of who | AuditEvent.agent.who (Practitioner, Organization, Device, Patient, PractitionerRole, RelatedPerson) | |
agent-name N | string | Human friendly name for the agent | AuditEvent.agent.name | |
agent-role | token | Agent role in the event | AuditEvent.agent.role | |
altid N | token | Alternative User identity | AuditEvent.agent.altId | |
date N | date | Time when the event was recorded | AuditEvent.recorded | |
entity | reference | Specific instance of resource | AuditEvent.entity.what (Any) | |
entity-name N | string | Descriptor for entity | AuditEvent.entity.name | |
entity-role | token | What role the entity played | AuditEvent.entity.role | |
entity-type | token | Type of entity involved | AuditEvent.entity.type | |
outcome | token | Whether the event succeeded or failed | AuditEvent.outcome | |
patient | reference | Identifier of who | AuditEvent.agent.who.where(resolve() is Patient) | AuditEvent.entity.what.where(resolve() is Patient) (Patient) | |
policy N | uri | Policy that authorized event | AuditEvent.agent.policy | |
purpose | token | The purposeOfUse of the event | AuditEvent.purposeOfEvent | AuditEvent.agent.purposeOfUse | |
site N | token | Logical source location within the enterprise | AuditEvent.source.site | |
source | reference | The identity of source detecting the event | AuditEvent.source.observer (Practitioner, Organization, Device, Patient, PractitionerRole, RelatedPerson) | |
subtype | token | More specific type/id for the event | AuditEvent.subtype | |
type | token | Type/identifier of event | AuditEvent.type |