1、Designation: E 2147 01 (Reapproved 2009)An American National StandardStandard Specification forAudit and Disclosure Logs for Use in Health InformationSystems1This standard is issued under the fixed designation E 2147; the number immediately following the designation indicates the year oforiginal ado
2、ption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. Asuperscript epsilon () indicates an editorial change since the last revision or reapproval.1. Scope1.1 This specification is for the development and implemen-tation of securi
3、ty audit/disclosure logs for health information.It specifies how to design an access audit log to record allaccess to patient identifiable information maintained in com-puter systems and includes principles for developing policies,procedures, and functions of health information logs to docu-ment all
4、 disclosure of health information to external users foruse in manual and computer systems. The process of informa-tion disclosure and auditing should conform, where relevant,with the Privacy Act of 1974 (1).21.2 The first purpose of this specification is to define thenature, role, and function of sy
5、stem access audit logs and theiruse in health information systems as a technical and proceduraltool to help provide security oversight. In concert with orga-nizational confidentiality and security policies and procedures,permanent audit logs can clearly identify all system applicationusers who acces
6、s patient identifiable information, record thenature of the patient information accessed, and maintain apermanent record of actions taken by the user. By providing aprecise method for an organization to monitor and review whohas accessed patient data, audit logs have the potential for moreeffective
7、security oversight than traditional paper record envi-ronments. This specification will identify functionality neededfor audit log management, the data to be recorded, and the useof audit logs as security and management tools by organiza-tional managers.1.3 In the absence of computerized logs, audit
8、 log principlescan be implemented manually in the paper patient recordenvironment with respect to permanently monitoring paperpatient record access. Where the paper patient record and thecomputer-based patient record coexist in parallel, securityoversight and access management should address both en
9、vi-ronments.1.4 The second purpose of this specification is to identifyprinciples for establishing a permanent record of disclosure ofhealth information to external users and the data to be recordedin maintaining it. Security management of health informationrequires a comprehensive framework that in
10、corporates man-dates and criteria for disclosing patient health informationfound in federal and state laws, rules and regulations andethical statements of professional conduct. Accountability forsuch a framework should be established through a set ofstandard principles that are applicable to all hea
11、lth care settingsand health information systems.1.5 Logs used to audit and oversee health informationaccess and disclosure are the responsibility of each health careorganization, data intermediary, data warehouse, clinical datarepository, third party payer, agency, organization or corpora-tion that
12、maintains or provides, or has access to individually-identifiable data. Such logs are specified in and support policyon information access monitoring and are tied to disciplinarysanctions that satisfy legal, regulatory, accreditation and insti-tutional mandates.1.6 Organizations need to prescribe ac
13、cess requirements foraggregate data and to approve query tools that allow auditingcapability, or design data repositories that limit inclusion ofdata that provide potential keys to identifiable data. Inferencingpatient identifiable data through analysis of aggregate data thatcontains limited identif
14、ying data elements such as birth date,birth location, and family name, is possible using software thatmatches data elements across data bases. This allows a1This specification is under the jurisdiction of ASTM Committee E31 onHealthcare Informatics and is the direct responsibility of Subcommittee E3
15、1.25 onHealthcare Data Management, Security, Confidentiality, and Privacy.Current edition approved Sept. 1, 2009. Published September 2009. Originallyapproved in 2001. Last previous edition approved in 2001 as E 2147 01.2The boldface numbers in parentheses refer to the list of references at the end
16、ofthis standard.1Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States.consistent approach to linking records into longitudinal casesfor research purposes. Audit trails can be designed to workwith applications which use these techniques if
17、the queryfunctions are part of a defined retrieval application but oftenstandard query tools are not easily audited. This specificationapplies to the disclosure or transfer of health information(records) individually or in batches.1.7 This specification responds to the need for a standardaddressing
18、privacy and confidentiality as noted in Public Law104191 (2), or the Health Insurance Portability and Account-ability Act of 1996 (3).2. Referenced Documents2.1 ASTM Standards:3E 1384 Practice for Content and Structure of the ElectronicHealth Record (EHR)E 1633 Specification for Coded Values Used in
19、 the Elec-tronic Health RecordE 1762 Guide for Electronic Authentication of Health CareInformationE 1869 Guide for Confidentiality, Privacy,Access, and DataSecurity Principles for Health Information Including Elec-tronic Health RecordsE 1902 Specification for Management of the Confidentialityand Sec
20、urity of Dictation, Transcription, and TranscribedHealth RecordsE 1986 Guide for Information Access Privileges to HealthInformation2.2 Other Health Informatics Standards:Health Level Seven (HL7) Version 2.24ANSI ASC X12 Version 3, Release 35ISO/TEC 154083. Terminology3.1 Definitions:3.1.1 access, nt
21、he provision of an opportunity to ap-proach, inspect, review, retrieve, store, communicate with, ormake use of health information resources (for example, hard-ware, software, systems or structure) or patient identifiable dataand information, or both. (E 1869)3.1.2 audit log, na record of actions, fo
22、r example, cre-ation, queries, views, additions, deletions, and changes per-formed on data.3.1.3 audit trail, na record of users that is documentaryevidence of monitoring each operation of individuals on healthinformation. Audit trails may be comprehensive or specific tothe individual and informatio
23、n (4). For example, an audit trailmay be a record of all actions taken by anyone on a particularlysensitive file (5).3.1.4 authentication, nthe provision of assurance of theclaimed identity of an entity, receiver or object.(E 1762, E 1869, CPRI)3.1.5 authorize, vthe granting to a user the right of a
24、ccessto specified data and information, a program, a terminal or aprocess. (E 1869)3.1.6 authorization, nthe mechanism for obtaining con-sent for the use and disclosure of health information.(CPRI, AHIMA)3.1.7 certificate, ncertificate means that a Certificate Au-thority (CA) states a given correlat
25、ion or given properties ofpersons or IT-systems as true. If the certificate is used toconfirm that a key belongs to its owner, it is called keycertificate. If the certificate is used to confirm roles (qualifica-tions), it is called authentication certificate.3.1.8 confidential, nstatus accorded to d
26、ata or informationindicating that it is sensitive for some reason, and therefore, itneeds to be protected against theft, disclosure, or improper use,and must be disseminated only to authorized individuals ororganizations with an approved need to know. Private infor-mation, which is entrusted to anot
27、her with the confidence thatunauthorized disclosure which would be prejudicial to theindividual will not occur (6). (E 1869; CPRI)3.1.9 database, na collection of data organized for rapidsearch and retrieval. (Websters, 1993)3.1.10 database security, nrefers to the ability of thesystem to enforce se
28、curity policy governing access, creation,modification, or destruction of information. Unauthorized cre-ation of information is an important threat.3.1.11 disclosure, nto access, release, transfer, or other-wise divulge health information to any internal or external useror entity other than the indiv
29、idual who is the subject of suchinformation. (E 1869)3.1.12 health information, nany information, whetheroral or recorded in any form or medium that is created orreceived by a health care provider, a health plan, health,researcher, public health authority, instructor, employer, schoolor university,
30、health information, service or other entity thatcreates, receives, obtains, maintains, uses or transmits healthinformation; a health oversight agency, a health informationservice organization; or, that relates to the past, present, orfuture physical or mental health or condition of an individual,the
31、 provision of health care to an individual, or the past, presentor future payments for the provision of health care to aprotected individual; and, that identifies the individual withrespect to which there is a reasonable basis to believe that theinformation can be used to identify the individual (3)
32、.3.1.13 information, ndata to which meaning is assigned,according to context and assumed conventions. (E 1869)3.1.14 transaction log, na record of changes to data,especially to a data base, that can be used to reconstruct thedata if there is a failure after the transaction occurs, in otherwords, a m
33、eans of ensuring data integrity and availability.3.1.15 user, na person authorized to use the informationcontained in an information system as specified by their jobfunction. The patient may be designated an authorized user bystatute or institutional policy. A user also may refer to internaland exte
34、rnal systems that draw data from an application.3For referenced ASTM standards, visit the ASTM website, www.astm.org, orcontact ASTM Customer Service at serviceastm.org. For Annual Book of ASTMStandards volume information, refer to the standards Document Summary page onthe ASTM website.4Available fr
35、om HL7, Mark McDougall, Executive Director, 900 Victors Way,Suite 122, Ann Arbor, MI 48108.5Available from American National Standards Institute (ANSI), 25 W. 43rd St.,4th Floor, New York, NY 10036, http:/www.ansi.org.E 2147 01 (2009)23.1.16 user identification (user ID), nthe combinationname/number
36、 biometric assigned and maintained in securityprocedures for identifying and tracking individual user activity.3.1.17 viewa designated configuration for data/information extracted from information system(s) and pre-sented through a workstation.4. Significance and Use4.1 Data that document health ser
37、vices in health careorganizations are business records and must be archived to asecondary but retrievable medium. Audit logs should beretained, at a minimum, according to the statute governingmedical records in the geographic area.4.2 The purpose of audit access and disclosure logs is todocument and
38、 maintain a permanent record of all authorizedand unauthorized access to and disclosure of confidentialhealth care information in order that health care providers,organizations, and patients and others can retrieve evidence ofthat access to meet multiple needs. Examples are clinical,organizational,
39、risk management, and patient rights needs.4.3 Audit logs designed for system access provide a precisecapability for organizations to see who has accessed patientinformation. Due to the significant risk in computing environ-ments by authorized and unauthorized users, the audit log is animportant mana
40、gement tool to monitor, access retrospectively.In addition, the access and disclosure log becomes a powerfulsupport document for disciplinary action. Audit logs areessential components to comprehensive security programs inhealth care.4.4 Organizations are accountable for managing the disclo-sure of
41、health information in a way that meets legal, regulatory,accreditation and licensing requirements and growing patientexpectations for accountable privacy practices. Basic audit trailprocedures should be applied, manually if necessary, in paperpatient record systems to the extent feasible. Security i
42、n healthinformation systems is an essential component to makingprogress in building and linking patient information. Success-ful implementation of large scale systems, the use of networksto transmit data, growing technical capability to addresssecurity issues and concerns about the confidentiality,
43、andsecurity provisions of patient information drive the focus onthis topic. (See Guide E 1384.)4.5 Consumer fears about confidentiality of health informa-tion and legal initiatives underscore disclosure practices. Pa-tients and health care providers want assurance that theirinformation is protected.
44、 Technology exists to incorporate auditfunctions in health information systems. Advances in securityaudit expert systems can be applied to the health care industry.Emerging off-the-shelf products will be able to use audit logsto enable the detection of inappropriate use of health informa-tion. Insti
45、tutions are accountable for implementing comprehen-sive confidentiality and security programs that combine socialelements, management, and technology.5. Audit Functions in Health Information Systems5.1 An audit log is a record of actions (queries, views,additions, deletions, changes) performed on da
46、ta by users.Actions should be recorded at the time they occur. Theseactions include user authentication, user or system-directedsignoff, health record access to view, and receipt of patienthealth record content from external provider/practitioner.5.1.1 Health record content (transformation/translati
47、on viainterfaces, interface engines, gateways between heterogeneousapplications) should be maintained in the “before” and “after”form. For example, laboratory reports/data translated fromlaboratory forwarded to clinical repository storage.5.2 Other database tables are needed to link the items in 5.1
48、and 5.1.1 to satisfy inquiries and to produce useful reports.Including unique user identification, for example, number, username, work location, and employee status (permanent, con-tract, temporary) provides essential user information. While theaudit log is a complete entity, data may be extracted f
49、rom othersystems for use in the audit log application.5.3 The following functions should be performed whenauditing:5.3.1 Audits should identify and track individual usersaccess, including authentication and signoff, to a specificpatients or providers data. This function should be done inreal time and captured in audit logs. In the paper patient record,at a minimum, keep a permanent charge copy of all externalreleases. For example, an audit can be authorized by the patientor guardian, provided by law, or granted in an emergency. Thismay be a computer file.5.3.
