Designation: E2147 - 01 (Reapproved 2013)
An American National Standard

Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems [1]

This standard is issued under the fixed designation E2147; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 This specification is for the development and implementation of security audit/disclosure logs for health information. It specifies how to design an access audit log to record all access to patient identifiable information maintained in computer systems, and includes principles for developing policies, procedures, and functions of health information logs to document all disclosure of health information to external users, for use in manual and computer systems. The process of information disclosure and auditing should conform, where relevant, with the Privacy Act of 1974 (1). [2]

1.2 The first purpose of this specification is to define the nature, role, and function of system access audit logs and their use in health information systems as a technical and procedural tool to help provide security oversight. In concert with organizational confidentiality and security policies and procedures, permanent audit logs can clearly identify all system application users who access patient identifiable information, record the nature of the patient information accessed, and maintain a permanent record of actions taken by the user. By providing a precise method for an organization to monitor and review who has accessed patient data, audit logs have the potential for more effective security oversight than traditional paper record environments. This specification identifies the functionality needed for audit log management, the data to be recorded, and the use of audit logs as security and management tools by organizational managers.

1.3 In the absence of computerized logs, audit log principles can be implemented manually in the paper patient record environment with respect to permanently monitoring paper patient record access. Where the paper patient record and the computer-based patient record coexist in parallel, security oversight and access management should address both environments.

1.4 The second purpose of this specification is to identify principles for establishing a permanent record of disclosure of health information to external users and the data to be recorded in maintaining it. Security management of health information requires a comprehensive framework that incorporates mandates and criteria for disclosing patient health information found in federal and state laws, rules and regulations, and ethical statements of professional conduct. Accountability for such a framework should be established through a set of standard principles that are applicable to all health care settings and health information systems.

1.5 Logs used to audit and oversee health information access and disclosure are the responsibility of each health care organization, data intermediary, data warehouse, clinical data repository, third party payer, agency, organization or corporation that maintains, provides, or has access to individually identifiable data. Such logs are specified in and support policy on information access monitoring and are tied to disciplinary sanctions that satisfy legal, regulatory, accreditation and institutional mandates.

1.6 Organizations need to prescribe access requirements for aggregate data and to approve query tools that allow auditing capability, or to design data repositories that limit inclusion of data that provide potential keys to identifiable data. Inferring patient identifiable data through analysis of aggregate data that contains limited identifying data elements, such as birth date, birth location, and family name, is possible using software that matches data elements across databases. This allows a consistent approach to linking records into longitudinal cases for research purposes. Audit trails can be designed to work with applications that use these techniques if the query functions are part of a defined retrieval application, but standard query tools often are not easily audited. This specification applies to the disclosure or transfer of health information (records) individually or in batches.

1.7 This specification responds to the need for a standard addressing privacy and confidentiality as noted in Public Law 104-191 (2), the Health Insurance Portability and Accountability Act of 1996 (3).

[1] This specification is under the jurisdiction of ASTM Committee E31 on Healthcare Informatics and is the direct responsibility of Subcommittee E31.25 on Healthcare Data Management, Security, Confidentiality, and Privacy. Current edition approved March 1, 2013. Published March 2013. Originally approved in 2001. Last previous edition approved in 2009 as E2147 - 01 (2009). DOI: 10.1520/E2147-01R13.
[2] The boldface numbers in parentheses refer to the list of references at the end of this standard.

Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States.

2. Referenced Documents

2.1 ASTM Standards: [3]
E1384 Practice for Content and Structure of the Electronic Health Record (EHR)
E1633 Specification for Coded Values Used in the Electronic Health Record
E1762 Guide for Electronic Authentication of Health Care Information
E1869 Guide for Confidentiality, Privacy, Access, and Data Security Principles for Health Information Including Electronic Health Records
E1902 Specification for Management of the Confidentiality and Security of Dictation, Transcription, and Transcribed Health Records (Withdrawn 2011) [4]
E1986 Guide for Information Access Privileges to Health Information

2.2 Other Health Informatics Standards:
Health Level Seven (HL7) Version 2.2 [5]
ANSI ASC X12 Version 3, Release 3 [6]
ISO/IEC 15408

3. Terminology

3.1 Definitions:

3.1.1 access, n: the provision of an opportunity to approach, inspect, review, retrieve, store, communicate with, or make use of health information resources (for example, hardware, software, systems or structure) or patient identifiable data and information, or both. (E1869)

3.1.2 audit log, n: a record of actions, for example, creation, queries, views, additions, deletions, and changes performed on data.

3.1.3 audit trail, n: a record of users that is documentary evidence of monitoring each operation of individuals on health information. Audit trails may be comprehensive or specific to the individual and information (4). For example, an audit trail may be a record of all actions taken by anyone on a particularly sensitive file (5).

3.1.4 authentication, n: the provision of assurance of the claimed identity of an entity, receiver or object. (E1762, E1869, CPRI)

3.1.5 authorize, v: the granting to a user of the right of access to specified data and information, a program, a terminal or a process. (E1869)

3.1.6 authorization, n: the mechanism for obtaining consent for the use and disclosure of health information. (CPRI, AHIMA)

3.1.7 certificate, n: a certificate means that a Certificate Authority (CA) states a given correlation or given properties of persons or IT systems as true. If the certificate is used to confirm that a key belongs to its owner, it is called a key certificate. If the certificate is used to confirm roles (qualifications), it is called an authentication certificate.

3.1.8 confidential, n: status accorded to data or information indicating that it is sensitive for some reason and therefore needs to be protected against theft, disclosure, or improper use, and must be disseminated only to authorized individuals or organizations with an approved need to know. Private information which is entrusted to another with the confidence that unauthorized disclosure, which would be prejudicial to the individual, will not occur (6). (E1869; CPRI)

3.1.9 database, n: a collection of data organized for rapid search and retrieval. (Webster's, 1993)

3.1.10 database security, n: refers to the ability of the system to enforce security policy governing access, creation, modification, or destruction of information. Unauthorized creation of information is an important threat.

3.1.11 disclosure, n: to access, release, transfer, or otherwise divulge health information to any internal or external user or entity other than the individual who is the subject of such information. (E1869)

3.1.12 health information, n: any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, a health plan, a health researcher, public health authority, instructor, employer, school or university, health information service, or other entity that creates, receives, obtains, maintains, uses or transmits health information, a health oversight agency, or a health information service organization; that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payments for the provision of health care to a protected individual; and that identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual (3).

3.1.13 information, n: data to which meaning is assigned, according to context and assumed conventions. (E1869)

3.1.14 transaction log, n: a record of changes to data, especially to a database, that can be used to reconstruct the data if there is a failure after the transaction occurs; in other words, a means of ensuring data integrity and availability.

3.1.15 user, n: a person authorized to use the information contained in an information system as specified by their job function. The patient may be designated an authorized user by statute or institutional policy. A user also may refer to internal and external systems that draw data from an application.

3.1.16 user identification (user ID), n: the combination of name, number and/or biometric assigned and maintained in security procedures for identifying and tracking individual user activity.

3.1.17 view, n: a designated configuration for data/information extracted from information system(s) and presented through a workstation.

[3] For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.
[4] The last approved version of this historical standard is referenced on www.astm.org.
[5] Available from HL7, Mark McDougall, Executive Director, 900 Victors Way, Suite 122, Ann Arbor, MI 48108.
[6] Available from American National Standards Institute (ANSI), 25 W. 43rd St., 4th Floor, New York, NY 10036, http://www.ansi.org.

4. Significance and Use

4.1 Data that document health services in health care organizations are business records and must be archived to a secondary but retrievable medium. Audit logs should be retained, at a minimum, according to the statute governing medical records in the geographic area.

4.2 The purpose of audit access and disclosure logs is to document and maintain a permanent record of all authorized and unauthorized access to and disclosure of confidential health care information, in order that health care providers, organizations, patients and others can retrieve evidence of that access to meet multiple needs. Examples are clinical, organizational, risk management, and patient rights needs.

4.3 Audit logs designed for system access provide a precise capability for organizations to see who has accessed patient information. Because of the significant risk posed in computing environments by authorized and unauthorized users, the audit log is an important management tool for monitoring access retrospectively. In addition, the access and disclosure log becomes a powerful support document for disciplinary action. Audit logs are essential components of comprehensive security programs in health care.

4.4 Organizations are accountable for managing the disclosure of health information in a way that meets legal, regulatory, accreditation and licensing requirements and growing patient expectations for accountable privacy practices. Basic audit trail procedures should be applied, manually if necessary, in paper patient record systems to the extent feasible. Security in health information systems is an essential component of making progress in building and linking patient information. Successful implementation of large scale systems, the use of networks to transmit data, growing technical capability to address security issues, and concerns about the confidentiality and security provisions of patient information drive the focus on this topic. (See Guide E1384.)

4.5 Consumer fears about confidentiality of health information and legal initiatives underscore disclosure practices. Patients and health care providers want assurance that their information is protected. Technology exists to incorporate audit functions in health information systems. Advances in security audit expert systems can be applied to the health care industry. Emerging off-the-shelf products will be able to use audit logs to enable the detection of inappropriate use of health information. Institutions are accountable for implementing comprehensive confidentiality and security programs that combine social elements, management, and technology.

5. Audit Functions in Health Information Systems
5.1 An audit log is a record of actions (queries, views, additions, deletions, changes) performed on data by users. Actions should be recorded at the time they occur. These actions include user authentication, user- or system-directed signoff, health record access to view, and receipt of patient health record content from an external provider/practitioner.

5.1.1 Health record content that is transformed or translated (via interfaces, interface engines, or gateways between heterogeneous applications) should be maintained in both the "before" and the "after" form; for example, laboratory reports/data translated from the laboratory system and forwarded to clinical repository storage.

5.2 Other database tables are needed to link the items in 5.1 and 5.1.1 to satisfy inquiries and to produce useful reports. Including unique user identification, for example, number, user name, work location, and employee status (permanent, contract, temporary), provides essential user information. While the audit log is a complete entity, data may be extracted from other systems for use in the audit log application.

5.3 The following functions should be performed when auditing:

5.3.1 Audits should identify and track individual users' access, including authentication and signoff, to a specific patient's or provider's data. This function should be done in real time and captured in audit logs. In the paper patient record, at a minimum, keep a permanent charge copy of all external releases. For example, an audit can be authorized by the
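As an added example (not text or code from ASTM E2147), the following Python sketches the record and functions described in 5.1 through 5.3.1: each event is captured at the time it occurs with the user ID, action, patient and "before"/"after" content (5.1, 5.1.1); the user table is a separate structure joined at query time (5.2); denied attempts are recorded alongside successful ones (4.2); and a per-patient retrospective review answers "who accessed this patient's data" (4.3, 5.3.1). The SHA-256 hash chain, the sample user table, the constructed HL7-style lab segment and the event sequence are all assumptions made for this example; the standard specifies what to record, not a storage mechanism.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed sample user table for 5.2 (not data from the standard):
# unique user ID linked to name, work location and employee status.
USERS = {
    "u1001": {"name": "A. Nurse", "work_location": "Ward 3", "employee_status": "permanent"},
    "u2002": {"name": "B. Coder", "work_location": "HIM Dept", "employee_status": "contract"},
}

# Action vocabulary from 5.1: queries, views, additions, deletions, changes,
# authentication, signoff and receipt of record content from outside.
ACTIONS = {"authenticate", "signoff", "query", "view", "add", "delete",
           "change", "receive_external"}

GENESIS = "0" * 64  # prev_hash of the first entry (assumption of this example)


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str          # ISO 8601 UTC, captured when the action occurs (5.1)
    user_id: str            # joins to USERS (5.2); unknown IDs are still logged (4.2)
    action: str
    patient_id: Optional[str]
    outcome: str            # "success" or "denied": 4.2 wants unauthorized attempts too
    before: Optional[str]   # 5.1.1: content as received ...
    after: Optional[str]    # ... and as stored after translation
    prev_hash: str          # hash chain: added here to make the log tamper-evident
    entry_hash: str


def _digest(prev_hash: str, fields: dict) -> str:
    """Hash of this entry's fields chained to the previous entry's hash."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def record(self, user_id: str, action: str, patient_id: Optional[str] = None,
               outcome: str = "success", before: Optional[str] = None,
               after: Optional[str] = None, when: Optional[datetime] = None) -> AuditEntry:
        """Append one event; `when` defaults to now and exists only so the sample is reproducible."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        fields = {"seq": len(self.entries), "timestamp": ts, "user_id": user_id,
                  "action": action, "patient_id": patient_id, "outcome": outcome,
                  "before": before, "after": after}
        entry = AuditEntry(**fields, prev_hash=prev, entry_hash=_digest(prev, fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if no entry has been altered, removed from the middle, or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = asdict(e)
            fields.pop("prev_hash")
            fields.pop("entry_hash")
            if e.seq != i or e.prev_hash != prev or _digest(prev, fields) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def accesses_to_patient(self, patient_id: str) -> list[dict]:
        """4.3 / 5.3.1: every access to one patient's data, joined to the user table."""
        unknown = {"name": "<unknown user ID>", "work_location": None, "employee_status": None}
        return [{"timestamp": e.timestamp, "user_id": e.user_id, "action": e.action,
                 "outcome": e.outcome, **USERS.get(e.user_id, unknown)}
                for e in self.entries if e.patient_id == patient_id]


def build_sample_log() -> AuditLog:
    """Constructed event sequence (not from the standard) used for the review below."""
    log = AuditLog()
    t0 = datetime(2013, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("u1001", "authenticate", when=t0)
    log.record("u1001", "view", patient_id="P-123", when=t0.replace(minute=2))
    # 5.1.1: lab result received from an external system, kept as received
    # (constructed HL7-style OBX segment) and as stored after translation.
    log.record("u1001", "receive_external", patient_id="P-123",
               before="OBX|1|NM|GLU^Glucose||95|mg/dL", after="glucose=95 mg/dL",
               when=t0.replace(minute=5))
    log.record("u1001", "signoff", when=t0.replace(minute=10))
    # An ID that is not in the user table is refused but still recorded (4.2).
    log.record("u9999", "view", patient_id="P-123", outcome="denied", when=t0.replace(minute=11))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    for row in sample.accesses_to_patient("P-123"):
        print(row)
```

The chain catches an edited, reordered or deleted entry in the body of the log, but not removal of the most recent entries; if that matters, the latest `entry_hash` has to be anchored somewhere the log writer cannot change (a separate system, or a signed periodic checkpoint). Note also that the user table is joined at read time, so a later change of an employee's status does not rewrite history in the log itself.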