ImageVerifierCode 换一换
格式:PDF , 页数:6 ,大小:86.17KB ,
资源ID:287070      下载积分:5000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-287070.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ASTM E2147 - 01(2013) Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems (Withdrawn 2017).pdf)为本站会员(孙刚)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ASTM E2147 - 01(2013) Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems (Withdrawn 2017).pdf

1、Designation: E2147 01 (Reapproved 2013) An American National StandardStandard Specification forAudit and Disclosure Logs for Use in Health InformationSystems1This standard is issued under the fixed designation E2147; the number immediately following the designation indicates the year oforiginal adop

2、tion or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. Asuperscript epsilon () indicates an editorial change since the last revision or reapproval.1. Scope1.1 This specification is for the development and implemen-tation of securit

3、y audit/disclosure logs for health information.It specifies how to design an access audit log to record allaccess to patient identifiable information maintained in com-puter systems and includes principles for developing policies,procedures, and functions of health information logs to docu-ment all

4、disclosure of health information to external users foruse in manual and computer systems. The process of informa-tion disclosure and auditing should conform, where relevant,with the Privacy Act of 1974 (1).21.2 The first purpose of this specification is to define thenature, role, and function of sys

5、tem access audit logs and theiruse in health information systems as a technical and proceduraltool to help provide security oversight. In concert with orga-nizational confidentiality and security policies and procedures,permanent audit logs can clearly identify all system applicationusers who access

6、 patient identifiable information, record thenature of the patient information accessed, and maintain apermanent record of actions taken by the user. By providing aprecise method for an organization to monitor and review whohas accessed patient data, audit logs have the potential for moreeffective s

7、ecurity oversight than traditional paper record envi-ronments. This specification will identify functionality neededfor audit log management, the data to be recorded, and the useof audit logs as security and management tools by organiza-tional managers.1.3 In the absence of computerized logs, audit

8、log principlescan be implemented manually in the paper patient recordenvironment with respect to permanently monitoring paperpatient record access. Where the paper patient record and thecomputer-based patient record coexist in parallel, securityoversight and access management should address both env

9、i-ronments.1.4 The second purpose of this specification is to identifyprinciples for establishing a permanent record of disclosure ofhealth information to external users and the data to be recordedin maintaining it. Security management of health informationrequires a comprehensive framework that inc

10、orporates man-dates and criteria for disclosing patient health informationfound in federal and state laws, rules and regulations andethical statements of professional conduct. Accountability forsuch a framework should be established through a set ofstandard principles that are applicable to all heal

11、th care settingsand health information systems.1.5 Logs used to audit and oversee health informationaccess and disclosure are the responsibility of each health careorganization, data intermediary, data warehouse, clinical datarepository, third party payer, agency, organization or corpora-tion that m

12、aintains or provides, or has access to individually-identifiable data. Such logs are specified in and support policyon information access monitoring and are tied to disciplinarysanctions that satisfy legal, regulatory, accreditation and insti-tutional mandates.1.6 Organizations need to prescribe acc

13、ess requirements foraggregate data and to approve query tools that allow auditingcapability, or design data repositories that limit inclusion ofdata that provide potential keys to identifiable data. Inferencingpatient identifiable data through analysis of aggregate data thatcontains limited identify

14、ing data elements such as birth date,birth location, and family name, is possible using software thatmatches data elements across data bases. This allows aconsistent approach to linking records into longitudinal casesfor research purposes. Audit trails can be designed to workwith applications which

15、use these techniques if the queryfunctions are part of a defined retrieval application but oftenstandard query tools are not easily audited. This specificationapplies to the disclosure or transfer of health information(records) individually or in batches.1This specification is under the jurisdiction

16、 of ASTM Committee E31 onHealthcare Informatics and is the direct responsibility of Subcommittee E31.25 onHealthcare Data Management, Security, Confidentiality, and Privacy.Current edition approved March 1, 2013. Published March 2013. Originallyapproved in 2001. Last previous edition approved in 200

17、9 as E2147 01(2009).DOI: 10.1520/E2147-01R13.2The boldface numbers in parentheses refer to the list of references at the end ofthis standard.Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United StatesNOTICE: This standard has either been supersed

18、ed and replaced by a new version or withdrawn.Contact ASTM International (www.astm.org) for the latest information11.7 This specification responds to the need for a standardaddressing privacy and confidentiality as noted in Public Law104191 (2), or the Health Insurance Portability and Account-abilit

19、y Act of 1996 (3).2. Referenced Documents2.1 ASTM Standards:3E1384 Practice for Content and Structure of the ElectronicHealth Record (EHR)E1633 Specification for Coded Values Used in the ElectronicHealth RecordE1762 Guide for Electronic Authentication of Health CareInformationE1869 Guide for Confide

20、ntiality, Privacy, Access, and DataSecurity Principles for Health Information Including Elec-tronic Health RecordsE1902 Specification for Management of the Confidentialityand Security of Dictation, Transcription, and TranscribedHealth Records (Withdrawn 2011)4E1986 Guide for Information Access Privi

21、leges to HealthInformation2.2 Other Health Informatics Standards:Health Level Seven (HL7) Version 2.25ANSI ASC X12 Version 3, Release 36ISO/TEC 154083. Terminology3.1 Definitions:3.1.1 access, nthe provision of an opportunity toapproach, inspect, review, retrieve, store, communicate with, ormake use

22、 of health information resources (for example,hardware, software, systems or structure) or patient identifiabledata and information, or both. (E1869)3.1.2 audit log, na record of actions, for example,creation, queries, views, additions, deletions, and changesperformed on data.3.1.3 audit trail, na r

23、ecord of users that is documentaryevidence of monitoring each operation of individuals on healthinformation. Audit trails may be comprehensive or specific tothe individual and information (4). For example, an audit trailmay be a record of all actions taken by anyone on a particularlysensitive file (

24、5).3.1.4 authentication, nthe provision of assurance of theclaimed identity of an entity, receiver or object.(E1762, E1869, CPRI)3.1.5 authorize, vthe granting to a user the right of accessto specified data and information, a program, a terminal or aprocess. (E1869)3.1.6 authorization, nthe mechanis

25、m for obtaining con-sent for the use and disclosure of health information.(CPRI, AHIMA)3.1.7 certificate, ncertificate means that a Certificate Au-thority (CA) states a given correlation or given properties ofpersons or IT-systems as true. If the certificate is used toconfirm that a key belongs to i

26、ts owner, it is called keycertificate. If the certificate is used to confirm roles(qualifications), it is called authentication certificate.3.1.8 confidential, nstatus accorded to data or informationindicating that it is sensitive for some reason, and therefore, itneeds to be protected against theft

27、, disclosure, or improper use,and must be disseminated only to authorized individuals ororganizations with an approved need to know. Privateinformation, which is entrusted to another with the confidencethat unauthorized disclosure which would be prejudicial to theindividual will not occur (6). (E186

28、9; CPRI)3.1.9 database, na collection of data organized for rapidsearch and retrieval. (Websters, 1993)3.1.10 database security, nrefers to the ability of thesystem to enforce security policy governing access, creation,modification, or destruction of information. Unauthorized cre-ation of informatio

29、n is an important threat.3.1.11 disclosure, nto access, release, transfer, or other-wise divulge health information to any internal or external useror entity other than the individual who is the subject of suchinformation. (E1869)3.1.12 health information, nany information, whether oralor recorded i

30、n any form or medium that is created or receivedby a health care provider, a health plan, health, researcher,public health authority, instructor, employer, school oruniversity, health information, service or other entity thatcreates, receives, obtains, maintains, uses or transmits healthinformation;

31、 a health oversight agency, a health informationservice organization; or, that relates to the past, present, orfuture physical or mental health or condition of an individual,the provision of health care to an individual, or the past, presentor future payments for the provision of health care to apro

32、tected individual; and, that identifies the individual withrespect to which there is a reasonable basis to believe that theinformation can be used to identify the individual (3).3.1.13 information, ndata to which meaning is assigned,according to context and assumed conventions. (E1869)3.1.14 transac

33、tion log, na record of changes to data,especially to a data base, that can be used to reconstruct thedata if there is a failure after the transaction occurs, in otherwords, a means of ensuring data integrity and availability.3.1.15 user, na person authorized to use the informationcontained in an inf

34、ormation system as specified by their jobfunction. The patient may be designated an authorized user bystatute or institutional policy. A user also may refer to internaland external systems that draw data from an application.3.1.16 user identification (user ID), nthe combinationname/number biometric

35、assigned and maintained in securityprocedures for identifying and tracking individual user activity.3For referenced ASTM standards, visit the ASTM website, www.astm.org, orcontact ASTM Customer Service at serviceastm.org. For Annual Book of ASTMStandards volume information, refer to the standards Do

36、cument Summary page onthe ASTM website.4The last approved version of this historical standard is referenced onwww.astm.org.5Available from HL7, Mark McDougall, Executive Director, 900 Victors Way,Suite 122, Ann Arbor, MI 48108.6Available from American National Standards Institute (ANSI), 25 W. 43rd

37、St.,4th Floor, New York, NY 10036, http:/www.ansi.org.E2147 01 (2013)23.1.17 viewa designated configuration for data/information extracted from information system(s) and pre-sented through a workstation.4. Significance and Use4.1 Data that document health services in health careorganizations are bus

38、iness records and must be archived to asecondary but retrievable medium. Audit logs should beretained, at a minimum, according to the statute governingmedical records in the geographic area.4.2 The purpose of audit access and disclosure logs is todocument and maintain a permanent record of all autho

39、rizedand unauthorized access to and disclosure of confidentialhealth care information in order that health care providers,organizations, and patients and others can retrieve evidence ofthat access to meet multiple needs. Examples are clinical,organizational, risk management, and patient rights needs

40、.4.3 Audit logs designed for system access provide a precisecapability for organizations to see who has accessed patientinformation. Due to the significant risk in computing environ-ments by authorized and unauthorized users, the audit log is animportant management tool to monitor, access retrospect

41、ively.In addition, the access and disclosure log becomes a powerfulsupport document for disciplinary action. Audit logs areessential components to comprehensive security programs inhealth care.4.4 Organizations are accountable for managing the disclo-sure of health information in a way that meets le

42、gal, regulatory,accreditation and licensing requirements and growing patientexpectations for accountable privacy practices. Basic audit trailprocedures should be applied, manually if necessary, in paperpatient record systems to the extent feasible. Security in healthinformation systems is an essenti

43、al component to makingprogress in building and linking patient information. Success-ful implementation of large scale systems, the use of networksto transmit data, growing technical capability to addresssecurity issues and concerns about the confidentiality, andsecurity provisions of patient informa

44、tion drive the focus onthis topic. (See Guide E1384.)4.5 Consumer fears about confidentiality of health informa-tion and legal initiatives underscore disclosure practices. Pa-tients and health care providers want assurance that theirinformation is protected. Technology exists to incorporate auditfun

45、ctions in health information systems. Advances in securityaudit expert systems can be applied to the health care industry.Emerging off-the-shelf products will be able to use audit logsto enable the detection of inappropriate use of health informa-tion. Institutions are accountable for implementing c

46、omprehen-sive confidentiality and security programs that combine socialelements, management, and technology.5. Audit Functions in Health Information Systems5.1 An audit log is a record of actions (queries, views,additions, deletions, changes) performed on data by users.Actions should be recorded at

47、the time they occur. Theseactions include user authentication, user or system-directedsignoff, health record access to view, and receipt of patienthealth record content from external provider/practitioner.5.1.1 Health record content (transformation/translation viainterfaces, interface engines, gatew

48、ays between heterogeneousapplications) should be maintained in the “before” and “after”form. For example, laboratory reports/data translated fromlaboratory forwarded to clinical repository storage.5.2 Other database tables are needed to link the items in 5.1and 5.1.1 to satisfy inquiries and to prod

49、uce useful reports.Including unique user identification, for example, number, username, work location, and employee status (permanent,contract, temporary) provides essential user information. Whilethe audit log is a complete entity, data may be extracted fromother systems for use in the audit log application.5.3 The following functions should be performed whenauditing:5.3.1 Audits should identify and track individual usersaccess, including authentication and signoff, to a specificpatients or providers data. This function should be done inreal time a

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1