United States Health Information Knowledgebase

Release Package:

2013 Format

Requirement ID:

Req-275

Title:

Auditable Records

Description:

STATEMENT: Provide audit capabilities for system access and usage indicating the author, the modification (where pertinent), and the date and time at which a record was created, modified, viewed, extracted, or deleted. Date and Time stamping implies the ability to indicate the time zone where it was recorded (time zones are described in ISO 8601 Standard Time Reference). Auditable records extend to information exchange, to audit of consent status management (to support Req-256 (HL7 ID: DC.1.3.3)) and to entity authentication attempts. Audit functionality includes the ability to generate audit reports and to interactively view change history for individual health records or for an EHR-S.
DESCRIPTION: Audit functionality extends to security audits, data audits, audits of data exchange, and the ability to generate audit reports. Audit capability settings should be configurable to meet the needs of local policies. Examples of audited areas include:
- Security audit, which logs access attempts and resource usage including user login, file access, other various activities, and whether any actual or attempted security violations occurred
- Data audit, which records who, when, and by which system an EHR record was created, updated, translated, viewed, extracted, or (if local policy permits) deleted. Audit-data may refer to system setup data or to clinical and patient management data
- Information exchange audit, which records data exchanges between EHR-S applications (for example, sending application; the nature, history, and content of the information exchanged); and information about data transformations (for example, vocabulary translations, reception event details, etc.)
- Audit reports should be flexible and address various users' needs. For example, a legal authority may want to know how many patients a given healthcare provider treated while the provider's license was suspended. Similarly, in some cases a report detailing all those who modified or viewed a certain patient record
- Security audit trails and data audit trails are used to verify enforcement of business, data integrity, security, and access-control rules
-There is a requirement for system audit trails for the following events:
>Loading new versions of, or changes to, the clinical system;
>Loading new versions of codes and knowledge bases;
>Taking and restoring of backup;
>Changing the date and time where the clinical system allows this to be done;
>Archiving any data;
>Re-activating of an archived patient record;
>Entry to and exiting from the clinical system;
>Remote access connections including those for system support and maintenance activities

Related Requirements:

Topic Area(s):

Provenance:

Achievability:

Requirement Type:

Shall/Should/May:

Critical/Core:

Status:

Released

Links:

See Also:

Comments:

Additional Information:

Not Provided