1、Designation: E 2147 01An American National StandardStandard Specification forAudit and Disclosure Logs for Use in Health InformationSystems1This standard is issued under the fixed designation E 2147; the number immediately following the designation indicates the year oforiginal adoption or, in the c
2、ase of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. Asuperscript epsilon (e) indicates an editorial change since the last revision or reapproval.1. Scope1.1 This specification is for the development and implemen-tation of security audit/disclosu
3、re logs for health information.It specifies how to design an access audit log to record allaccess to patient identifiable information maintained in com-puter systems and includes principles for developing policies,procedures, and functions of health information logs to docu-ment all disclosure of he
4、alth information to external users foruse in manual and computer systems. The process of informa-tion disclosure and auditing should conform, where relevant,with the Privacy Act of 1974 (1).21.2 The first purpose of this specification is to define thenature, role, and function of system access audit
5、 logs and theiruse in health information systems as a technical and proceduraltool to help provide security oversight. In concert with orga-nizational confidentiality and security policies and procedures,permanent audit logs can clearly identify all system applicationusers who access patient identif
6、iable information, record thenature of the patient information accessed, and maintain apermanent record of actions taken by the user. By providing aprecise method for an organization to monitor and review whohas accessed patient data, audit logs have the potential for moreeffective security oversigh
7、t than traditional paper record envi-ronments. This specification will identify functionality neededfor audit log management, the data to be recorded, and the useof audit logs as security and management tools by organiza-tional managers.1.3 In the absence of computerized logs, audit log principlesca
8、n be implemented manually in the paper patient recordenvironment with respect to permanently monitoring paperpatient record access. Where the paper patient record and thecomputer-based patient record coexist in parallel, securityoversight and access management should address both envi-ronments.1.4 T
9、he second purpose of this specification is to identifyprinciples for establishing a permanent record of disclosure ofhealth information to external users and the data to be recordedin maintaining it. Security management of health informationrequires a comprehensive framework that incorporates man-da
10、tes and criteria for disclosing patient health informationfound in federal and state laws, rules and regulations andethical statements of professional conduct. Accountability forsuch a framework should be established through a set ofstandard principles that are applicable to all health care settings
11、and health information systems.1.5 Logs used to audit and oversee health informationaccess and disclosure are the responsibility of each health careorganization, data intermediary, data warehouse, clinical datarepository, third party payer, agency, organization or corpora-tion that maintains or prov
12、ides, or has access to individually-identifiable data. Such logs are specified in and support policyon information access monitoring and are tied to disciplinarysanctions that satisfy legal, regulatory, accreditation and insti-tutional mandates.1.6 Organizations need to prescribe access requirements
13、 foraggregate data and to approve query tools that allow auditingcapability, or design data repositories that limit inclusion ofdata that provide potential keys to identifiable data. Inferencingpatient identifiable data through analysis of aggregate data thatcontains limited identifying data element
14、s such as birth date,birth location, and family name, is possible using software thatmatches data elements across data bases. This allows aconsistent approach to linking records into longitudinal casesfor research purposes. Audit trails can be designed to workwith applications which use these techni
15、ques if the queryfunctions are part of a defined retrieval application but oftenstandard query tools are not easily audited. This specificationapplies to the disclosure or transfer of health information(records) individually or in batches.1This specification is under the jurisdiction of ASTM Committ
16、ee E31 onHealthcare Informatics and is the direct responsibility of Subcommittee E31.25 onHealthcare Data Management, Security, Confidentiality, and Privacy.Current edition approved Nov. 10, 2001. Published February 2002.2The boldface numbers in parentheses refer to the list of references at the end
17、 ofthis standard.1Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States.1.7 This specification responds to the need for a standardaddressing privacy and confidentiality as noted in Public Law104191 (2), or the Health Insurance Portability a
18、nd Account-ability Act of 1996 (3).2. Referenced Documents2.1 ASTM Standards:E 1384 Guide for Content and Structure of the ElectronicHealth Record (EHR)3E 1633 Specification for Coded Values Used in the Elec-tronic Health Record3E 1762 Guide for Electronic Authentication of Health CareInformation3E
19、1869 Guide for Confidentiality, Privacy, Access and DataSecurity Principles for Health Information Including Com-puter Based Patient Records3E 1902 Guide for Management of the Confidentiality andSecurity of Dictation, Transcription, and TranscribedHealth Records3E 1986 Guide for Information Access P
20、rivileges to HealthInformation32.2 Other Health Informatics Standards:Health Level Seven (HL7) Version 2.24ANSI ASC X12 Version 3, Release 35ISO/TEC 154083. Terminology3.1 Definitions:3.1.1 access, nthe provision of an opportunity to ap-proach, inspect, review, retrieve, store, communicate with, orm
21、ake use of health information resources (for example, hard-ware, software, systems or structure) or patient identifiable dataand information, or both. (E 1869)3.1.2 audit log, na record of actions, for example, cre-ation, queries, views, additions, deletions, and changes per-formed on data.3.1.3 aud
22、it trail, na record of users that is documentaryevidence of monitoring each operation of individuals on healthinformation. Audit trails may be comprehensive or specific tothe individual and information (4). For example, an audit trailmay be a record of all actions taken by anyone on a particularlyse
23、nsitive file (5).3.1.4 authentication, nthe provision of assurance of theclaimed identity of an entity, receiver or object.(E 1762, E 1869, CPRI)3.1.5 authorize, vthe granting to a user the right of accessto specified data and information, a program, a terminal or aprocess. (E 1869)3.1.6 authorizati
24、on, nthe mechanism for obtaining con-sent for the use and disclosure of health information.(CPRI, AHIMA)3.1.7 certificate, ncertificate means that a Certificate Au-thority (CA) states a given correlation or given properties ofpersons or IT-systems as true. If the certificate is used toconfirm that a
25、 key belongs to its owner, it is called keycertificate. If the certificate is used to confirm roles (qualifica-tions), it is called authentication certificate.3.1.8 confidential, nstatus accorded to data or informationindicating that it is sensitive for some reason, and therefore, itneeds to be prot
26、ected against theft, disclosure, or improper use,and must be disseminated only to authorized individuals ororganizations with an approved need to know. Private infor-mation, which is entrusted to another with the confidence thatunauthorized disclosure which would be prejudicial to theindividual will
27、 not occur (6). (E 1869; CPRI)3.1.9 database, na collection of data organized for rapidsearch and retrieval. (Websters, 1993)3.1.10 database security, nrefers to the ability of thesystem to enforce security policy governing access, creation,modification, or destruction of information. Unauthorized c
28、re-ation of information is an important threat.3.1.11 disclosure, nto access, release, transfer, or other-wise divulge health information to any internal or external useror entity other than the individual who is the subject of suchinformation. (E 1869)3.1.12 health information, nany information, wh
29、etheroral or recorded in any form or medium that is created orreceived by a health care provider, a health plan, health,researcher, public health authority, instructor, employer, schoolor university, health information, service or other entity thatcreates, receives, obtains, maintains, uses or trans
30、mits healthinformation; a health oversight agency, a health informationservice organization; or, that relates to the past, present, orfuture physical or mental health or condition of an individual,the provision of health care to an individual, or the past, presentor future payments for the provision
31、 of health care to aprotected individual; and, that identifies the individual withrespect to which there is a reasonable basis to believe that theinformation can be used to identify the individual (3).3.1.13 information, ndata to which meaning is assigned,according to context and assumed conventions
32、. (E 1869)3.1.14 transaction log, na record of changes to data,especially to a data base, that can be used to reconstruct thedata if there is a failure after the transaction occurs, in otherwords, a means of ensuring data integrity and availability.3.1.15 user, na person authorized to use the inform
33、ationcontained in an information system as specified by their jobfunction. The patient may be designated an authorized user bystatute or institutional policy. A user also may refer to internaland external systems that draw data from an application.3.1.16 user identification (user ID), nthe combinati
34、onname/number biometric assigned and maintained in securityprocedures for identifying and tracking individual user activity.3.1.17 viewa designated configuration for data/information extracted from information system(s) and pre-sented through a workstation.4. Significance and Use4.1 Data that docume
35、nt health services in health careorganizations are business records and must be archived to asecondary but retrievable medium. Audit logs should be3Annual Book of ASTM Standards, Vol 14.01.4Available from HL7, Mark McDougall, Executive Director, 900 Victors Way,Suite 122, Ann Arbor, MI 48108.5Availa
36、ble from American National Standards Institute, 11 W. 42nd St., 13thFloor, New York, NY 10036.E2147012retained, at a minimum, according to the statute governingmedical records in the geographic area.4.2 The purpose of audit access and disclosure logs is todocument and maintain a permanent record of
37、all authorizedand unauthorized access to and disclosure of confidentialhealth care information in order that health care providers,organizations, and patients and others can retrieve evidence ofthat access to meet multiple needs. Examples are clinical,organizational, risk management, and patient rig
38、hts needs.4.3 Audit logs designed for system access provide a precisecapability for organizations to see who has accessed patientinformation. Due to the significant risk in computing environ-ments by authorized and unauthorized users, the audit log is animportant management tool to monitor, access r
39、etrospectively.In addition, the access and disclosure log becomes a powerfulsupport document for disciplinary action. Audit logs areessential components to comprehensive security programs inhealth care.4.4 Organizations are accountable for managing the disclo-sure of health information in a way that
40、 meets legal, regulatory,accreditation and licensing requirements and growing patientexpectations for accountable privacy practices. Basic audit trailprocedures should be applied, manually if necessary, in paperpatient record systems to the extent feasible. Security in healthinformation systems is a
41、n essential component to makingprogress in building and linking patient information. Success-ful implementation of large scale systems, the use of networksto transmit data, growing technical capability to addresssecurity issues and concerns about the confidentiality, andsecurity provisions of patien
42、t information drive the focus onthis topic. (See Guide E 1384.)4.5 Consumer fears about confidentiality of health informa-tion and legal initiatives underscore disclosure practices. Pa-tients and health care providers want assurance that theirinformation is protected. Technology exists to incorporat
43、e auditfunctions in health information systems. Advances in securityaudit expert systems can be applied to the health care industry.Emerging off-the-shelf products will be able to use audit logsto enable the detection of inappropriate use of health informa-tion. Institutions are accountable for impl
44、ementing comprehen-sive confidentiality and security programs that combine socialelements, management, and technology.5. Audit Functions in Health Information Systems5.1 An audit log is a record of actions (queries, views,additions, deletions, changes) performed on data by users.Actions should be re
45、corded at the time they occur. Theseactions include user authentication, user or system-directedsignoff, health record access to view, and receipt of patienthealth record content from external provider/practitioner.5.1.1 Health record content (transformation/translation viainterfaces, interface engi
46、nes, gateways between heterogeneousapplications) should be maintained in the “before” and “after”form. For example, laboratory reports/data translated fromlaboratory forwarded to clinical repository storage.5.2 Other database tables are needed to link the items in 5.1and 5.1.1 to satisfy inquiries a
47、nd to produce useful reports.Including unique user identification, for example, number, username, work location, and employee status (permanent, con-tract, temporary) provides essential user information. While theaudit log is a complete entity, data may be extracted from othersystems for use in the
48、audit log application.5.3 The following functions should be performed whenauditing:5.3.1 Audits should identify and track individual usersaccess, including authentication and signoff, to a specificpatients or providers data. This function should be done inreal time and captured in audit logs. In the
49、 paper patient record,at a minimum, keep a permanent charge copy of all externalreleases. For example, an audit can be authorized by the patientor guardian, provided by law, or granted in an emergency. Thismay be a computer file.5.3.2 Record or report type of access (authentication, si-gnoff, queries, views, additions, deletions, changes). Completerecords of the type of access and all actions performed on thedata should be maintained. All changes to an individualpatients or providers computer based health informationshould be retrievable. Changes, additions, and d
