1、Designation: E2147 01 (Reapproved 2013) An American National StandardStandard Specification forAudit and Disclosure Logs for Use in Health InformationSystems1This standard is issued under the fixed designation E2147; the number immediately following the designation indicates the year oforiginal adop
2、tion or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. Asuperscript epsilon () indicates an editorial change since the last revision or reapproval.1. Scope1.1 This specification is for the development and implemen-tation of securit
3、y audit/disclosure logs for health information.It specifies how to design an access audit log to record allaccess to patient identifiable information maintained in com-puter systems and includes principles for developing policies,procedures, and functions of health information logs to docu-ment all
4、disclosure of health information to external users foruse in manual and computer systems. The process of informa-tion disclosure and auditing should conform, where relevant,with the Privacy Act of 1974 (1).21.2 The first purpose of this specification is to define thenature, role, and function of sys
5、tem access audit logs and theiruse in health information systems as a technical and proceduraltool to help provide security oversight. In concert with orga-nizational confidentiality and security policies and procedures,permanent audit logs can clearly identify all system applicationusers who access
6、 patient identifiable information, record thenature of the patient information accessed, and maintain apermanent record of actions taken by the user. By providing aprecise method for an organization to monitor and review whohas accessed patient data, audit logs have the potential for moreeffective s
7、ecurity oversight than traditional paper record envi-ronments. This specification will identify functionality neededfor audit log management, the data to be recorded, and the useof audit logs as security and management tools by organiza-tional managers.1.3 In the absence of computerized logs, audit
8、log principlescan be implemented manually in the paper patient recordenvironment with respect to permanently monitoring paperpatient record access. Where the paper patient record and thecomputer-based patient record coexist in parallel, securityoversight and access management should address both env
9、i-ronments.1.4 The second purpose of this specification is to identifyprinciples for establishing a permanent record of disclosure ofhealth information to external users and the data to be recordedin maintaining it. Security management of health informationrequires a comprehensive framework that inc
10、orporates man-dates and criteria for disclosing patient health informationfound in federal and state laws, rules and regulations andethical statements of professional conduct. Accountability forsuch a framework should be established through a set ofstandard principles that are applicable to all heal
11、th care settingsand health information systems.1.5 Logs used to audit and oversee health informationaccess and disclosure are the responsibility of each health careorganization, data intermediary, data warehouse, clinical datarepository, third party payer, agency, organization or corpora-tion that m
12、aintains or provides, or has access to individually-identifiable data. Such logs are specified in and support policyon information access monitoring and are tied to disciplinarysanctions that satisfy legal, regulatory, accreditation and insti-tutional mandates.1.6 Organizations need to prescribe acc
13、ess requirements foraggregate data and to approve query tools that allow auditingcapability, or design data repositories that limit inclusion ofdata that provide potential keys to identifiable data. Inferencingpatient identifiable data through analysis of aggregate data thatcontains limited identify
14、ing data elements such as birth date,birth location, and family name, is possible using software thatmatches data elements across data bases. This allows aconsistent approach to linking records into longitudinal casesfor research purposes. Audit trails can be designed to workwith applications which
15、use these techniques if the queryfunctions are part of a defined retrieval application but oftenstandard query tools are not easily audited. This specificationapplies to the disclosure or transfer of health information(records) individually or in batches.1This specification is under the jurisdiction
16、 of ASTM Committee E31 onHealthcare Informatics and is the direct responsibility of Subcommittee E31.25 onHealthcare Data Management, Security, Confidentiality, and Privacy.Current edition approved March 1, 2013. Published March 2013. Originallyapproved in 2001. Last previous edition approved in 200
17、9 as E2147 01(2009).DOI: 10.1520/E2147-01R13.2The boldface numbers in parentheses refer to the list of references at the end ofthis standard.Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United StatesNOTICE: This standard has either been supersed
18、ed and replaced by a new version or withdrawn.Contact ASTM International (www.astm.org) for the latest information11.7 This specification responds to the need for a standardaddressing privacy and confidentiality as noted in Public Law104191 (2), or the Health Insurance Portability and Account-abilit
19、y Act of 1996 (3).2. Referenced Documents2.1 ASTM Standards:3E1384 Practice for Content and Structure of the ElectronicHealth Record (EHR)E1633 Specification for Coded Values Used in the ElectronicHealth RecordE1762 Guide for Electronic Authentication of Health CareInformationE1869 Guide for Confide
20、ntiality, Privacy, Access, and DataSecurity Principles for Health Information Including Elec-tronic Health RecordsE1902 Specification for Management of the Confidentialityand Security of Dictation, Transcription, and TranscribedHealth Records (Withdrawn 2011)4E1986 Guide for Information Access Privi
21、leges to HealthInformation2.2 Other Health Informatics Standards:Health Level Seven (HL7) Version 2.25ANSI ASC X12 Version 3, Release 36ISO/TEC 154083. Terminology3.1 Definitions:3.1.1 access, nthe provision of an opportunity toapproach, inspect, review, retrieve, store, communicate with, ormake use
22、 of health information resources (for example,hardware, software, systems or structure) or patient identifiabledata and information, or both. (E1869)3.1.2 audit log, na record of actions, for example,creation, queries, views, additions, deletions, and changesperformed on data.3.1.3 audit trail, na r
23、ecord of users that is documentaryevidence of monitoring each operation of individuals on healthinformation. Audit trails may be comprehensive or specific tothe individual and information (4). For example, an audit trailmay be a record of all actions taken by anyone on a particularlysensitive file (
24、5).3.1.4 authentication, nthe provision of assurance of theclaimed identity of an entity, receiver or object.(E1762, E1869, CPRI)3.1.5 authorize, vthe granting to a user the right of accessto specified data and information, a program, a terminal or aprocess. (E1869)3.1.6 authorization, nthe mechanis
25、m for obtaining con-sent for the use and disclosure of health information.(CPRI, AHIMA)3.1.7 certificate, ncertificate means that a Certificate Au-thority (CA) states a given correlation or given properties ofpersons or IT-systems as true. If the certificate is used toconfirm that a key belongs to i
26、ts owner, it is called keycertificate. If the certificate is used to confirm roles(qualifications), it is called authentication certificate.3.1.8 confidential, nstatus accorded to data or informationindicating that it is sensitive for some reason, and therefore, itneeds to be protected against theft
27、, disclosure, or improper use,and must be disseminated only to authorized individuals ororganizations with an approved need to know. Privateinformation, which is entrusted to another with the confidencethat unauthorized disclosure which would be prejudicial to theindividual will not occur (6). (E186
28、9; CPRI)3.1.9 database, na collection of data organized for rapidsearch and retrieval. (Websters, 1993)3.1.10 database security, nrefers to the ability of thesystem to enforce security policy governing access, creation,modification, or destruction of information. Unauthorized cre-ation of informatio
29、n is an important threat.3.1.11 disclosure, nto access, release, transfer, or other-wise divulge health information to any internal or external useror entity other than the individual who is the subject of suchinformation. (E1869)3.1.12 health information, nany information, whether oralor recorded i
30、n any form or medium that is created or receivedby a health care provider, a health plan, health, researcher,public health authority, instructor, employer, school oruniversity, health information, service or other entity thatcreates, receives, obtains, maintains, uses or transmits healthinformation;
31、 a health oversight agency, a health informationservice organization; or, that relates to the past, present, orfuture physical or mental health or condition of an individual,the provision of health care to an individual, or the past, presentor future payments for the provision of health care to apro
32、tected individual; and, that identifies the individual withrespect to which there is a reasonable basis to believe that theinformation can be used to identify the individual (3).3.1.13 information, ndata to which meaning is assigned,according to context and assumed conventions. (E1869)3.1.14 transac
33、tion log, na record of changes to data,especially to a data base, that can be used to reconstruct thedata if there is a failure after the transaction occurs, in otherwords, a means of ensuring data integrity and availability.3.1.15 user, na person authorized to use the informationcontained in an inf
34、ormation system as specified by their jobfunction. The patient may be designated an authorized user bystatute or institutional policy. A user also may refer to internaland external systems that draw data from an application.3.1.16 user identification (user ID), nthe combinationname/number biometric
35、assigned and maintained in securityprocedures for identifying and tracking individual user activity.3For referenced ASTM standards, visit the ASTM website, www.astm.org, orcontact ASTM Customer Service at serviceastm.org. For Annual Book of ASTMStandards volume information, refer to the standards Do
36、cument Summary page onthe ASTM website.4The last approved version of this historical standard is referenced onwww.astm.org.5Available from HL7, Mark McDougall, Executive Director, 900 Victors Way,Suite 122, Ann Arbor, MI 48108.6Available from American National Standards Institute (ANSI), 25 W. 43rd
37、St.,4th Floor, New York, NY 10036, http:/www.ansi.org.E2147 01 (2013)23.1.17 viewa designated configuration for data/information extracted from information system(s) and pre-sented through a workstation.4. Significance and Use4.1 Data that document health services in health careorganizations are bus
38、iness records and must be archived to asecondary but retrievable medium. Audit logs should beretained, at a minimum, according to the statute governingmedical records in the geographic area.4.2 The purpose of audit access and disclosure logs is todocument and maintain a permanent record of all autho
39、rizedand unauthorized access to and disclosure of confidentialhealth care information in order that health care providers,organizations, and patients and others can retrieve evidence ofthat access to meet multiple needs. Examples are clinical,organizational, risk management, and patient rights needs
40、.4.3 Audit logs designed for system access provide a precisecapability for organizations to see who has accessed patientinformation. Due to the significant risk in computing environ-ments by authorized and unauthorized users, the audit log is animportant management tool to monitor, access retrospect
41、ively.In addition, the access and disclosure log becomes a powerfulsupport document for disciplinary action. Audit logs areessential components to comprehensive security programs inhealth care.4.4 Organizations are accountable for managing the disclo-sure of health information in a way that meets le
42、gal, regulatory,accreditation and licensing requirements and growing patientexpectations for accountable privacy practices. Basic audit trailprocedures should be applied, manually if necessary, in paperpatient record systems to the extent feasible. Security in healthinformation systems is an essenti
43、al component to makingprogress in building and linking patient information. Success-ful implementation of large scale systems, the use of networksto transmit data, growing technical capability to addresssecurity issues and concerns about the confidentiality, andsecurity provisions of patient informa
44、tion drive the focus onthis topic. (See Guide E1384.)4.5 Consumer fears about confidentiality of health informa-tion and legal initiatives underscore disclosure practices. Pa-tients and health care providers want assurance that theirinformation is protected. Technology exists to incorporate auditfun
45、ctions in health information systems. Advances in securityaudit expert systems can be applied to the health care industry.Emerging off-the-shelf products will be able to use audit logsto enable the detection of inappropriate use of health informa-tion. Institutions are accountable for implementing c
46、omprehen-sive confidentiality and security programs that combine socialelements, management, and technology.5. Audit Functions in Health Information Systems5.1 An audit log is a record of actions (queries, views,additions, deletions, changes) performed on data by users.Actions should be recorded at
47、the time they occur. Theseactions include user authentication, user or system-directedsignoff, health record access to view, and receipt of patienthealth record content from external provider/practitioner.5.1.1 Health record content (transformation/translation viainterfaces, interface engines, gatew
48、ays between heterogeneousapplications) should be maintained in the “before” and “after”form. For example, laboratory reports/data translated fromlaboratory forwarded to clinical repository storage.5.2 Other database tables are needed to link the items in 5.1and 5.1.1 to satisfy inquiries and to prod
49、uce useful reports.Including unique user identification, for example, number, username, work location, and employee status (permanent,contract, temporary) provides essential user information. Whilethe audit log is a complete entity, data may be extracted fromother systems for use in the audit log application.5.3 The following functions should be performed whenauditing:5.3.1 Audits should identify and track individual usersaccess, including authentication and signoff, to a specificpatients or providers data. This function should be done inreal time a
