FHIR Release 3 (STU) Current Build
This page is part of FHIR STU 3 (v3.0.1) in its permanent home (it will always be available at this URL). It has been superseded by R4. For a full list of available versions, see the Directory of published versions.

6.4 Resource AuditEvent - Content

Security Work Group | Maturity Level: 3 | Trial Use | Security Category: Not Classified | Compartments: Device, Patient, Practitioner

A record of an event made for purposes of maintaining a security log. Typical uses include detection of intrusion attempts and monitoring for inappropriate usage, as well as purposes such as operations, privacy, security, maintenance, and performance analysis.

The audit event is based on the IHE-ATNA Audit record definitions, originally from RFC 3881, and now managed by DICOM (see DICOM Part 15 Annex A5).

  • ASTM E2147 – Set up the concept of security audit logs for healthcare including accounting of disclosures
  • IETF RFC 3881 – Defined the Information Model (IETF rule forced this to be informative)
  • DICOM Audit Log Message – Made the information model Normative, defined Vocabulary, Transport Binding, and Schema
  • IHE ATNA – Defines the grouping with secure transport and access controls; and defined specific audit log records for specific IHE transactions.
  • NIST SP800-92 – Shows how to do audit log management and reporting – consistent with our model
  • HL7 PASS – Defined an Audit Service with responsibilities and a query interface for reporting use
  • ISO 27789 – Defined the subset of audit events that an EHR would need
  • ISO/HL7 10781 EHR System Functional Model Release 2
  • ISO 21089 Trusted End-to-End Information Flows

This resource is managed collaboratively between HL7, DICOM, and IHE.

The primary purpose of this resource is the maintenance of security audit log information. However, it can also be used for any audit logging needs, for purposes such as operations, privacy, security, maintenance, and performance analysis, and for simple event-based notification.

All actors - such as applications, processes, and services - involved in an auditable event should record an AuditEvent. This will likely result in multiple AuditEvent entries that show whether privacy and security safeguards, such as access control, are properly functioning across an enterprise's system-of-systems. Thus, it is typical to get an auditable event recorded by both the application in a workflow process and the servers that support them. For this reason, duplicate entries are expected, which is helpful because it may aid in the detection of, for example, fewer than expected actors being recorded in a multi-actor process or attributes related to those records being in conflict, which is an indication of a security problem. There may be non-participating actors, such as a trusted intermediary, that also detect a security relevant event and thus would record an AuditEvent.
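The cross-check described above can be automated. The following is an added example, not part of the FHIR specification: it groups AuditEvents that describe the same activity and flags groups where an expected recording actor is missing or where the records disagree. The correlation key (type code, action, and `entity.what` references), the sample events, and the expected-observer set are assumptions made for illustration; a real deployment would also bound the match by time or by a transaction identifier.

```python
from collections import defaultdict


def _ev(action, outcome, observer, who, what):
    """Build a minimal AuditEvent dict (constructed sample data)."""
    return {
        "resourceType": "AuditEvent",
        "type": {"code": "rest"},
        "action": action,
        "outcome": outcome,
        "recorded": "2019-01-01T10:00:00Z",
        "agent": [{"who": {"reference": who}, "requestor": True}],
        "source": {"observer": {"reference": observer}},
        "entity": [{"what": {"reference": what}}],
    }


# Constructed sample: three activities as recorded by a client and a server.
SAMPLE_EVENTS = [
    _ev("R", "0", "Device/ehr-client", "Practitioner/dr-a", "Patient/123"),
    _ev("R", "0", "Device/fhir-server", "Practitioner/dr-a", "Patient/123"),
    _ev("R", "0", "Device/ehr-client", "Practitioner/dr-b", "Patient/456"),
    _ev("R", "4", "Device/fhir-server", "Practitioner/dr-b", "Patient/456"),
    _ev("U", "0", "Device/fhir-server", "Practitioner/dr-a", "Observation/9"),
]

# Assumption: every auditable activity should be recorded by both of these.
EXPECTED_OBSERVERS = {"Device/ehr-client", "Device/fhir-server"}


def correlation_key(event):
    """Assumed key: event type code, action, and the sorted entity.what references."""
    refs = tuple(sorted(
        e.get("what", {}).get("reference", "") for e in event.get("entity", [])
    ))
    return (event["type"].get("code"), event.get("action"), refs)


def requestors(event):
    """Identify the agents flagged as requestor, by who.reference or altId."""
    return frozenset(
        a.get("who", {}).get("reference") or a.get("altId") or "unknown"
        for a in event["agent"] if a.get("requestor")
    )


def find_discrepancies(events, expected_observers):
    """Return (key, finding, detail) tuples for groups that look inconsistent."""
    groups = defaultdict(list)
    for ev in events:
        groups[correlation_key(ev)].append(ev)

    findings = []
    for key, group in groups.items():
        # Fewer than expected actors recorded the activity.
        seen = {ev["source"]["observer"].get("reference") for ev in group}
        missing = sorted(set(expected_observers) - seen)
        if missing:
            findings.append((key, "missing-observer", missing))
        # Attributes in conflict: the actors disagree on the outcome.
        outcomes = sorted({ev["outcome"] for ev in group if "outcome" in ev})
        if len(outcomes) > 1:
            findings.append((key, "outcome-conflict", outcomes))
        # Attributes in conflict: the actors disagree on who initiated it.
        reqs = {requestors(ev) for ev in group}
        if len(reqs) > 1:
            findings.append((key, "requestor-conflict",
                             sorted(sorted(r) for r in reqs)))
    return findings


if __name__ == "__main__":
    for finding in find_discrepancies(SAMPLE_EVENTS, EXPECTED_OBSERVERS):
        print(finding)
```
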

Security relevant events are not limited to communications or RESTful events. They include:

  • software start-up and shutdown;
  • user login and logout;
  • access control decisions;
  • configuration events;
  • software installation;
  • policy rules changes; and
  • manipulation of data that exposes the data to users.

See the Audit Event Sub-Type vocabulary for guidance on some security relevant events.

The content of an AuditEvent is intended for use by security system administrators, security and privacy information managers, and records management personnel. This content is not intended to be accessible or used directly by other healthcare users, such as providers or patients, although reports generated from the raw data would be useful. An example is a patient-centric accounting of disclosures or an access report. Servers that provide support for AuditEvent resources would not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record. Access to the AuditEvent would typically be limited to security, privacy, or other system administration purposes.

Relationship of AuditEvent and Provenance: AuditEvent resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource "came to be" in its current state, e.g., whether it was created de novo or obtained from another entity in whole, part, or by transformation. Provenance resources are prepared by the application that initiates the create/update of the resource and may be persisted with the AuditEvent target resource.

No resources refer to this resource directly.

This resource implements the Event pattern.

Structure

Name Flags Card. Type Description & Constraints
. . AuditEvent TU DomainResource Record of an event kept for security purposes
Elements defined in Ancestors: id, meta, implicitRules, language, text, contained, extension, modifierExtension
. . . type Σ 1..1 Coding Type/identifier of event
Audit Event ID (Extensible)
. . . subtype Σ 0..* Coding More specific type/id for the event
Audit Event Sub-Type (Extensible)
. . . action Σ 0..1 code Type of action performed during the event
AuditEventAction (Required)
. . . period 0..1 Period When the activity occurred
. . . recorded Σ 1..1 instant Time when the event was recorded
. . . outcome Σ 0..1 code Whether the event succeeded or failed
AuditEventOutcome (Required)
. . . outcomeDesc Σ 0..1 string Description of the event outcome
. . . purposeOfEvent Σ 0..* CodeableConcept The purposeOfUse of the event
PurposeOfUse (Extensible)
. . . agent 1..* BackboneElement Actor involved in the event
. . . . type 0..1 CodeableConcept How agent participated
ParticipationRoleType (Extensible)
. . . . role 0..* CodeableConcept Agent role in the event
SecurityRoleType (Example)
. . . . who Σ 0..1 Reference(PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson) Identifier of who
. . . . altId 0..1 string Alternative User identity
. . . . name 0..1 string Human friendly name for the agent
. . . . requestor Σ 1..1 boolean Whether user is initiator
. . . . location 0..1 Reference(Location) Where
. . . . policy 0..* uri Policy that authorized event
. . . . media 0..1 Coding Type of media
Media Type Code (Extensible)
. . . . network 0..1 BackboneElement Logical network location for application activity
. . . . . address 0..1 string Identifier for the network access point of the user device
. . . . . type 0..1 code The type of network access point
AuditEventAgentNetworkType (Required)
. . . . purposeOfUse 0..* CodeableConcept Reason given for this user
PurposeOfUse (Extensible)
. . . source 1..1 BackboneElement Audit Event Reporter
. . . . site 0..1 string Logical source location within the enterprise
. . . . observer Σ 1..1 Reference(PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson) The identity of source detecting the event
. . . . type 0..* Coding The type of source where event originated
Audit Event Source Type (Extensible)
. . . entity I 0..* BackboneElement Data or objects used
+ Rule: Either a name or a query (NOT both)
. . . . what Σ 0..1 Reference(Any) Specific instance of resource
. . . . type 0..1 Coding Type of entity involved
AuditEventEntityType (Extensible)
. . . . role 0..1 Coding What role the entity played
AuditEventEntityRole (Extensible)
. . . . lifecycle 0..1 Coding Life-cycle stage for the entity
ObjectLifecycleEvents (Extensible)
. . . . securityLabel 0..* Coding Security labels on the entity
All Security Labels (Extensible)
. . . . name Σ I 0..1 string Descriptor for entity
. . . . description 0..1 string Descriptive text
. . . . query Σ I 0..1 base64Binary Query parameters
. . . . detail 0..* BackboneElement Additional Information about the entity
. . . . . type 1..1 string Name of the property
. . . . . value[x] 1..1 Property value
. . . . . . valueString string
. . . . . . valueBase64Binary base64Binary

UML Diagram

AuditEvent (DomainResource)

  • type : Coding [1..1] – Identifier for a family of the event. For example, a menu item, program, rule, policy, function code, application name or URL. It identifies the performed function. Binding: Type of event (Extensible, Audit Event ID)
  • subtype : Coding [0..*] – Identifier for the category of event. Binding: Sub-type of event (Extensible, Audit Event Sub-Type)
  • action : code [0..1] – Indicator for type of action performed during the event that generated the audit. Binding: Indicator for type of action performed during the event that generated the event (Required, AuditEventAction)
  • period : Period [0..1] – The period during which the activity occurred
  • recorded : instant [1..1] – The time when the event was recorded
  • outcome : code [0..1] – Indicates whether the event succeeded or failed. Binding: Indicates whether the event succeeded or failed (Required, AuditEventOutcome)
  • outcomeDesc : string [0..1] – A free text description of the outcome of the event
  • purposeOfEvent : CodeableConcept [0..*] – The purposeOfUse (reason) that was used during the event being recorded. Binding: The reason the activity took place (Extensible, PurposeOfUse)

Agent

  • type : CodeableConcept [0..1] – Specification of the participation type the user plays when performing the event. Binding: The Participation type of the agent to the event (Extensible, ParticipationRoleType)
  • role : CodeableConcept [0..*] – The security role that the user was acting under, that come from local codes defined by the access control security system (e.g. RBAC, ABAC) used in the local context. Binding: What security role enabled the agent to participate in the event (Example, SecurityRoleType)
  • who : Reference [0..1] « PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson » – Reference to who this agent is that was involved in the event
  • altId : string [0..1] – Alternative agent Identifier. For a human, this should be a user identifier text string from authentication system. This identifier would be one known to a common authentication system (e.g. single sign-on), if available
  • name : string [0..1] – Human-meaningful name for the agent
  • requestor : boolean [1..1] – Indicator that the user is or is not the requestor, or initiator, for the event being audited
  • location : Reference [0..1] « Location » – Where the event occurred
  • policy : uri [0..*] – The policy or plan that authorized the activity being recorded. Typically, a single activity may have multiple applicable policies, such as patient consent, guarantor funding, etc. The policy would also indicate the security token used
  • media : Coding [0..1] – Type of media involved. Used when the event is about exporting/importing onto media. Binding: Used when the event is about exporting/importing onto media (Extensible, Media Type Code)
  • purposeOfUse : CodeableConcept [0..*] – The reason (purpose of use), specific to this agent, that was used during the event being recorded. Binding: The reason the activity took place (Extensible, PurposeOfUse)

Network

  • address : string [0..1] – An identifier for the network access point of the user device for the audit event
  • type : code [0..1] – An identifier for the type of network access point that originated the audit event. Binding: The type of network access point of this agent in the audit event (Required, AuditEventAgentNetworkType)

Source

  • site : string [0..1] – Logical source location within the healthcare enterprise network. For example, a hospital or other provider location within a multi-entity provider group
  • observer : Reference [1..1] « PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson » – Identifier of the source where the event was detected
  • type : Coding [0..*] – Code specifying the type of source where event originated. Binding: Code specifying the type of system that detected and recorded the event (Extensible, Audit Event Source Type)

Entity

  • what : Reference [0..1] « Any » – Identifies a specific instance of the entity. The reference should be version specific
  • type : Coding [0..1] – The type of the object that was involved in this audit event. Binding: Code for the entity type involved in the audit event (Extensible, AuditEventEntityType)
  • role : Coding [0..1] – Code representing the role the entity played in the event being audited. Binding: Code representing the role the entity played in the audit event (Extensible, AuditEventEntityRole)
  • lifecycle : Coding [0..1] – Identifier for the data life-cycle stage for the entity. Binding: Identifier for the data life-cycle stage for the entity (Extensible, ObjectLifecycleEvents)
  • securityLabel : Coding [0..*] – Security labels for the identified entity. Binding: Security Labels from the Healthcare Privacy and Security Classification System (Extensible, All Security Labels)
  • name : string [0..1] – A name of the entity in the audit event
  • description : string [0..1] – Text that describes the entity in more detail
  • query : base64Binary [0..1] – The query parameters for a query-type entities

Detail

  • type : string [1..1] – The type of extra detail provided in the value
  • value[x] : Type [1..1] « string | base64Binary » – The value of the extra detail

Associations

  • Agent.network [0..1] – Logical network location for application activity, if the activity has a network location
  • AuditEvent.agent [1..*] – An actor taking an active role in the event or activity that is logged
  • AuditEvent.source [1..1] – The system that is reporting the event
  • Entity.detail [0..*] – Tagged value pairs for conveying additional information about the entity
  • AuditEvent.entity [0..*] – Specific instances of data or objects that have been accessed

XML Template

<AuditEvent xmlns="http://hl7.org/fhir">
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <type><!-- 1..1 Coding Type/identifier of event --></type>
 <subtype><!-- 0..* Coding More specific type/id for the event --></subtype>
 <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
 <period><!-- 0..1 Period When the activity occurred --></period>
 <recorded value="[instant]"/><!-- 1..1 Time when the event was recorded -->
 <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
 <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
 <purposeOfEvent><!-- 0..* CodeableConcept The purposeOfUse of the event --></purposeOfEvent>
 <agent>  <!-- 1..* Actor involved in the event -->
  <type><!-- 0..1 CodeableConcept How agent participated --></type>
  <role><!-- 0..* CodeableConcept Agent role in the event --></role>
  <who><!-- 0..1 Reference(Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) Identifier of who --></who>
  <altId value="[string]"/><!-- 0..1 Alternative User identity -->
  <name value="[string]"/><!-- 0..1 Human friendly name for the agent -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->
  </network>
  <purposeOfUse><!-- 0..* CodeableConcept Reason given for this user --></purposeOfUse>
 </agent>
 <source>  <!-- 1..1 Audit Event Reporter -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <observer><!-- 1..1 Reference(Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) The identity of source detecting the event --></observer>
  <type><!-- 0..* Coding The type of source where event originated --></type>
 </source>
 <entity>  <!-- 0..* Data or objects used -->
  <what><!-- 0..1 Reference(Any) Specific instance of resource --></what>
  <type><!-- 0..1 Coding Type of entity involved --></type>
  <role><!-- 0..1 Coding What role the entity played --></role>
  <lifecycle><!-- 0..1 Coding Life-cycle stage for the entity --></lifecycle>
  <securityLabel><!-- 0..* Coding Security labels on the entity --></securityLabel>
  <name value="[string]"/><!-- ?? 0..1 Descriptor for entity -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!-- ?? 0..1 Query parameters -->
  <detail>  <!-- 0..* Additional Information about the entity -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value[x]><!-- 1..1 string|base64Binary Property value --></value[x]>
  </detail>
 </entity>
</AuditEvent>

JSON Template

{
  "resourceType" : "AuditEvent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "type" : { Coding }, // R!  Type/identifier of event
  "subtype" : [{ Coding }], // More specific type/id for the event
  "action" : "<code>", // Type of action performed during the event
  "period" : { Period }, // When the activity occurred
  "recorded" : "<instant>", // R!  Time when the event was recorded
  "outcome" : "<code>", // Whether the event succeeded or failed
  "outcomeDesc" : "<string>", // Description of the event outcome
  "purposeOfEvent" : [{ CodeableConcept }], // The purposeOfUse of the event
  "agent" : [{ // R!  Actor involved in the event
    "type" : { CodeableConcept }, // How agent participated
    "role" : [{ CodeableConcept }], // Agent role in the event
    "who" : { Reference(Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) }, // Identifier of who
    "altId" : "<string>", // Alternative User identity
    "name" : "<string>", // Human friendly name for the agent
    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "address" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point
    },
    "purposeOfUse" : [{ CodeableConcept }] // Reason given for this user
  }],
  "source" : { // R!  Audit Event Reporter
    "site" : "<string>", // Logical source location within the enterprise
    "observer" : { Reference(Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) }, // R!  The identity of source detecting the event
    "type" : [{ Coding }] // The type of source where event originated
  },
  "entity" : [{ // Data or objects used
    "what" : { Reference(Any) }, // Specific instance of resource
    "type" : { Coding }, // Type of entity involved
    "role" : { Coding }, // What role the entity played
    "lifecycle" : { Coding }, // Life-cycle stage for the entity
    "securityLabel" : [{ Coding }], // Security labels on the entity
    "name" : "<string>", // C? Descriptor for entity
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Query parameters
    "detail" : [{ // Additional Information about the entity
      "type" : "<string>", // R!  Name of the property
      // value[x]: Property value. One of these 2:
      "valueString" : "<string>"
      "valueBase64Binary" : "<base64Binary>"
    }]
  }]
}
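An audit repository can reject malformed records at ingestion by checking the cardinalities and the entity rule given in the structure and templates above. The following is an added example, not part of the FHIR specification or any FHIR library: the function name, message strings, and sample events are constructed for illustration, and the action and outcome code sets are the codes of the AuditEventAction and AuditEventOutcome value sets, which this page names but does not list.

```python
import base64
import binascii

# Codes of the required AuditEventAction and AuditEventOutcome value sets
# (the codes themselves are not listed on this page).
ACTIONS = {"C", "R", "U", "D", "E"}
OUTCOMES = {"0", "4", "8", "12"}


def _is_base64(value):
    """True if value is a string that decodes as strict base64."""
    if not isinstance(value, str):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def validate_audit_event(ev):
    """Return a list of problems; an empty list means these checks passed."""
    problems = []
    if ev.get("resourceType") != "AuditEvent":
        problems.append("resourceType: must be AuditEvent")
    for field in ("type", "recorded", "source"):
        if field not in ev:
            problems.append(f"{field}: required (1..1)")
    if "action" in ev and ev["action"] not in ACTIONS:
        problems.append("action: code not in AuditEventAction")
    if "outcome" in ev and ev["outcome"] not in OUTCOMES:
        problems.append("outcome: code not in AuditEventOutcome")

    agents = ev.get("agent") or []
    if not agents:
        problems.append("agent: at least one required (1..*)")
    for i, agent in enumerate(agents):
        if not isinstance(agent.get("requestor"), bool):
            problems.append(f"agent[{i}].requestor: required boolean (1..1)")

    if "source" in ev and "observer" not in ev["source"]:
        problems.append("source.observer: required (1..1)")

    for i, ent in enumerate(ev.get("entity") or []):
        # Rule from the structure table: either a name or a query (NOT both).
        if "name" in ent and "query" in ent:
            problems.append(f"entity[{i}]: either a name or a query, not both")
        if "query" in ent and not _is_base64(ent["query"]):
            problems.append(f"entity[{i}].query: not valid base64Binary")
        for j, det in enumerate(ent.get("detail") or []):
            if "type" not in det:
                problems.append(f"entity[{i}].detail[{j}].type: required (1..1)")
            present = [k for k in ("valueString", "valueBase64Binary") if k in det]
            if len(present) != 1:
                problems.append(
                    f"entity[{i}].detail[{j}]: exactly one value[x] required")
    return problems


# Constructed sample: a well-formed search event.
GOOD_EVENT = {
    "resourceType": "AuditEvent",
    "type": {"code": "rest"},
    "action": "E",
    "recorded": "2019-01-01T10:00:00Z",
    "outcome": "0",
    "agent": [{"who": {"reference": "Practitioner/dr-a"}, "requestor": True}],
    "source": {"observer": {"reference": "Device/fhir-server"}},
    "entity": [{
        "type": {"code": "2"},
        "query": base64.b64encode(b"family=Smith").decode("ascii"),
        "detail": [{"type": "requestId", "valueString": "abc"}],
    }],
}

# Constructed sample: violates several of the constraints above.
BAD_EVENT = {
    "resourceType": "AuditEvent",
    "type": {"code": "rest"},
    "action": "X",
    "agent": [{"who": {"reference": "Practitioner/dr-a"}}],
    "source": {"site": "ward-7"},
    "entity": [{
        "name": "Patient search",
        "query": "not base64!",
        "detail": [{"type": "k", "valueString": "a", "valueBase64Binary": "YQ=="}],
    }],
}

if __name__ == "__main__":
    print(validate_audit_event(GOOD_EVENT))
    for problem in validate_audit_event(BAD_EVENT):
        print(problem)
```
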

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .

[ a fhir:AuditEvent;

  fhir:nodeRole fhir:treeRoot; # if this is the parser root
  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:AuditEvent.type [ Coding ]; # 1..1 Type/identifier of event
  fhir:AuditEvent.subtype [ Coding ], ... ; # 0..* More specific type/id for the event
  fhir:AuditEvent.action [ code ]; # 0..1 Type of action performed during the event
  fhir:AuditEvent.period [ Period ]; # 0..1 When the activity occurred
  fhir:AuditEvent.recorded [ instant ]; # 1..1 Time when the event was recorded

  fhir:AuditEvent.outcome [ code ]; # 0..1 Whether the event succeeded or failed
  fhir:AuditEvent.outcomeDesc [ string ]; # 0..1 Description of the event outcome
  fhir:AuditEvent.purposeOfEvent [ CodeableConcept ], ... ; # 0..* The purposeOfUse of the event
  fhir:AuditEvent.agent [ # 1..* Actor involved in the event
    fhir:AuditEvent.agent.type [ CodeableConcept ]; # 0..1 How agent participated

    fhir:AuditEvent.agent.role [ CodeableConcept ], ... ; # 0..* Agent role in the event
    fhir:AuditEvent.agent.who [ Reference(Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ]; # 0..1 Identifier of who
    fhir:AuditEvent.agent.altId [ string ]; # 0..1 Alternative User identity
    fhir:AuditEvent.agent.name [ string ]; # 0..1 Human friendly name for the agent

    fhir:AuditEvent.agent.requestor [ boolean ]; # 1..1 Whether user is initiator
    fhir:AuditEvent.agent.location [ Reference(Location) ]; # 0..1 Where
    fhir:AuditEvent.agent.policy [ uri ], ... ; # 0..* Policy that authorized event
    fhir:AuditEvent.agent.media [ Coding ]; # 0..1 Type of media
    fhir:AuditEvent.agent.network [ # 0..1 Logical network location for application activity
      fhir:AuditEvent.agent.network.address [ string ]; # 0..1 Identifier for the network access point of the user device
      fhir:AuditEvent.agent.network.type [ code ]; # 0..1 The type of network access point
    ];
    fhir:AuditEvent.agent.purposeOfUse [ CodeableConcept ], ... ; # 0..* Reason given for this user
  ], ...;
  fhir:AuditEvent.source [ # 1..1 Audit Event Reporter
    fhir:AuditEvent.source.site [ string ]; # 0..1 Logical source location within the enterprise
    fhir:AuditEvent.source.observer [ Reference(Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ]; # 1..1 The identity of source detecting the event

    fhir:AuditEvent.source.type [ Coding ], ... ; # 0..* The type of source where event originated
  ];
  fhir:AuditEvent.entity [ # 0..* Data or objects used
    fhir:AuditEvent.entity.what [ Reference(Any) ]; # 0..1 Specific instance of resource

    fhir:AuditEvent.entity.type [ Coding ]; # 0..1 Type of entity involved
    fhir:AuditEvent.entity.role [ Coding ]; # 0..1 What role the entity played
    fhir:AuditEvent.entity.lifecycle [ Coding ]; # 0..1 Life-cycle stage for the entity
    fhir:AuditEvent.entity.securityLabel [ Coding ], ... ; # 0..* Security labels on the entity
    fhir:AuditEvent.entity.name [ string ]; # 0..1 Descriptor for entity
    fhir:AuditEvent.entity.description [ string ]; # 0..1 Descriptive text
    fhir:AuditEvent.entity.query [ base64Binary ]; # 0..1 Query parameters
    fhir:AuditEvent.entity.detail [ # 0..* Additional Information about the entity
      fhir:AuditEvent.entity.detail.type [ string ]; # 1..1 Name of the property
      # AuditEvent.entity.detail.value[x] : 1..1 Property value. One of these 2
        fhir:AuditEvent.entity.detail.valueString [ string ]
        fhir:AuditEvent.entity.detail.valueBase64Binary [ base64Binary ]

    ], ...;
  ], ...;
]

Changes since DSTU2

  • AuditEvent.type: Added Element
  • AuditEvent.subtype: Added Element
  • AuditEvent.action: Added Element
  • AuditEvent.recorded: Added Element
  • AuditEvent.outcome: Added Element
  • AuditEvent.outcomeDesc: Added Element
  • AuditEvent.purposeOfEvent: Added Element
  • AuditEvent.agent: Renamed from participant to agent
  • AuditEvent.agent.role: Change value set from http://hl7.org/fhir/ValueSet/dicm-402-roleid to http://hl7.org/fhir/ValueSet/security-role-type
  • AuditEvent.agent.purposeOfUse: Type changed from Coding to CodeableConcept
  • AuditEvent.entity: Renamed from object to entity
  • AuditEvent.entity.type: Change value set from http://hl7.org/fhir/ValueSet/object-type to http://hl7.org/fhir/ValueSet/audit-entity-type
  • AuditEvent.entity.lifecycle: Change value set from http://hl7.org/fhir/ValueSet/object-lifecycle to http://hl7.org/fhir/ValueSet/object-lifecycle-events
  • AuditEvent.event: deleted

Changes since R3

  • AuditEvent.action: Change value set from http://hl7.org/fhir/ValueSet/audit-event-action|4.0.0 to http://hl7.org/fhir/ValueSet/audit-event-action|4.1.0
  • AuditEvent.outcome: Change value set from http://hl7.org/fhir/ValueSet/audit-event-outcome|4.0.0 to http://hl7.org/fhir/ValueSet/audit-event-outcome|4.1.0
  • AuditEvent.agent.network.type: Change value set from http://hl7.org/fhir/ValueSet/network-type|4.0.0 to http://hl7.org/fhir/ValueSet/network-type|4.1.0

See the Full Difference for further information

This analysis is available as XML or JSON.

See R2 <--> R3 <--> R4 Conversion Maps (status = 8 tests that all execute ok. All tests pass round-trip testing and all r3 resources are valid.)

Structure

Name Flags Card. Type Description & Constraints doco
. . AuditEvent TU DomainResource Event record kept for security purposes Record of an event
Elements defined in Ancestors: id , meta , implicitRules , language , text , contained , extension , modifierExtension
. . . type Σ 1..1 Coding Type/identifier of event
Audit Event ID ( Extensible )
. . . subtype Σ 0..* Coding More specific type/id for the event
Audit Event Sub-Type ( Extensible )
. . . action Σ 0..1 code Type of action performed during the event
AuditEventAction ( Required )
. . . period 0..1 Period When the activity occurred
.. . recorded Σ 1..1 instant Time when the event occurred on source was recorded
. . . outcome Σ 0..1 code Whether the event succeeded or failed
AuditEventOutcome ( Required )
. . . outcomeDesc Σ 0..1 string Description of the event outcome
. . . purposeOfEvent Σ 0..* CodeableConcept The purposeOfUse of the event
PurposeOfUse V3 Value SetPurposeOfUse ( Extensible )
. . . agent 1..* BackboneElement Actor involved in the event
. . . . type 0..1 CodeableConcept How agent participated
ParticipationRoleType ( Extensible )
.... role 0..* CodeableConcept Agent role in the event
SecurityRoleType ( Extensible Example )
. . . . reference who Σ 0..1 Reference ( PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson ) Direct reference to resource userId Σ 0..1 Identifier Unique identifier for the user of who
. . . . altId 0..1 string Alternative User id e.g. authentication identity
. . . . name 0..1 string Human-meaningful Human friendly name for the agent
. . . . requestor Σ 1..1 boolean Whether user is initiator
. . . . location 0..1 Reference ( Location ) Where
. . . . policy 0..* uri Policy that authorized event
. . . . media 0..1 Coding Type of media
Media Type Code ( Extensible )
. . . . network 0..1 BackboneElement Logical network location for application activity
. . . . . address 0..1 string Identifier for the network access point of the user device
. . . . . type 0..1 code The type of network access point
AuditEventAgentNetworkType ( Required )
. . . . purposeOfUse 0..* CodeableConcept Reason given for this user
PurposeOfUse V3 Value SetPurposeOfUse ( Extensible )
. . . source 1..1 BackboneElement Audit Event Reporter
. . . . site 0..1 string Logical source location within the enterprise
. . . identifier . observer Σ 1..1 Identifier Reference ( PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson ) The identity of source detecting the event
. . . . type 0..* Coding The type of source where event originated
Audit Event Source Type ( Extensible )
. . . entity I 0..* BackboneElement Data or objects used
+ Rule: Either a name or a query (NOT both)
. . . identifier Σ 0..1 Identifier Specific instance of object . reference what Σ 0..1 Reference ( Any ) Specific instance of resource
. . . . type 0..1 Coding Type of entity involved
AuditEventEntityType Audit event entity type ( Extensible )
. . . . role 0..1 Coding What role the entity played
AuditEventEntityRole ( Extensible )
. . . . lifecycle 0..1 Coding Life-cycle stage for the entity
ObjectLifecycleEvents ( Extensible )
. . . . securityLabel 0..* Coding Security labels on the entity
All Security Labels SecurityLabels ( Extensible )
. . . . name Σ I 0..1 string Descriptor for entity
. . . . description 0..1 string Descriptive text
. . . . query Σ I 0..1 base64Binary Query parameters
. . . . detail 0..* BackboneElement Additional Information about the entity
. . . . . type 1..1 string Name of the property
. . . . value . value[x] 1..1 Property value
...... valueString string
...... valueBase64Binary base64Binary Property value

doco Documentation for this format

UML Diagram ( Legend )

AuditEvent (DomainResource)
  • type : Coding [1..1] « Type of event. (Strength=Extensible) AuditEventID + » - Identifier for a family of the event. For example, a menu item, program, rule, policy, function code, application name or URL. It identifies the performed function
  • subtype : Coding [0..*] « Sub-type of event. (Strength=Extensible) AuditEventSub-Type + » - Identifier for the category of event
  • action : code [0..1] « Indicator for type of action performed during the event that generated the event. (Strength=Required) AuditEventAction ! » - Indicator for type of action performed during the event that generated the audit
  • period : Period [0..1] - The period during which the activity occurred
  • recorded : instant [1..1] - The time when the event was recorded
  • outcome : code [0..1] « Indicates whether the event succeeded or failed. (Strength=Required) AuditEventOutcome ! » - Indicates whether the event succeeded or failed
  • outcomeDesc : string [0..1] - A free text description of the outcome of the event
  • purposeOfEvent : CodeableConcept [0..*] « The reason the activity took place. (Strength=Extensible) v3.PurposeOfUse + » - The purposeOfUse (reason) that was used during the event being recorded
  • agent [1..*] (Agent) - An actor taking an active role in the event or activity that is logged
  • source [1..1] (Source) - The system that is reporting the event
  • entity [0..*] (Entity) - Specific instances of data or objects that have been accessed

Agent
  • type : CodeableConcept [0..1] « The Participation type of the agent to the event. (Strength=Extensible) ParticipationRoleType + » - Specification of the participation type the user plays when performing the event
  • role : CodeableConcept [0..*] « What security role enabled the agent to participate in the event. (Strength=Example) SecurityRoleType ?? » - The security role that the user was acting under, that come from local codes defined by the access control security system (e.g. RBAC, ABAC) used in the local context
  • who : Reference [0..1] « PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson » - Reference to who this agent is that was involved in the event
  • userId : Identifier [0..1] - Unique identifier for the user actively participating in the event
  • altId : string [0..1] - Alternative agent Identifier. For a human, this should be a user identifier text string from authentication system. This identifier would be one known to a common authentication system (e.g. single sign-on), if available
  • name : string [0..1] - Human-meaningful name for the agent
  • requestor : boolean [1..1] - Indicator that the user is or is not the requestor, or initiator, for the event being audited
  • location : Reference [0..1] « Location » - Where the event occurred
  • policy : uri [0..*] - The policy or plan that authorized the activity being recorded. Typically, a single activity may have multiple applicable policies, such as patient consent, guarantor funding, etc. The policy would also indicate the security token used
  • media : Coding [0..1] « Used when the event is about exporting/importing onto media. (Strength=Extensible) MediaTypeCode + » - Type of media involved. Used when the event is about exporting/importing onto media
  • purposeOfUse : CodeableConcept [0..*] « The reason the activity took place. (Strength=Extensible) v3.PurposeOfUse + » - The reason (purpose of use), specific to this agent, that was used during the event being recorded
  • network [0..1] (Network) - Logical network location for application activity, if the activity has a network location

Network
  • address : string [0..1] - An identifier for the network access point of the user device for the audit event
  • type : code [0..1] « The type of network access point of this agent in the audit event. (Strength=Required) AuditEventAgentNetworkType ! » - An identifier for the type of network access point that originated the audit event

Source
  • site : string [0..1] - Logical source location within the healthcare enterprise network. For example, a hospital or other provider location within a multi-entity provider group
  • observer : Reference [1..1] « PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson » - Identifier of the source where the event was detected
  • type : Coding [0..*] « Code specifying the type of system that detected and recorded the event. (Strength=Extensible) AuditEventSourceType + » - Code specifying the type of source where event originated

Entity
  • identifier : Identifier [0..1] - Identifies a specific instance of the entity. The reference should always be version specific
  • what : Reference [0..1] « Any » - Identifies a specific instance of the entity. The reference should be version specific
  • type : Coding [0..1] « Code for the entity type involved in the audit event. (Strength=Extensible) AuditEventEntityType + » - The type of the object that was involved in this audit event
  • role : Coding [0..1] « Code representing the role the entity played in the audit event. (Strength=Extensible) AuditEventEntityRole + » - Code representing the role the entity played in the event being audited
  • lifecycle : Coding [0..1] « Identifier for the data life-cycle stage for the entity. (Strength=Extensible) ObjectLifecycleEvents + » - Identifier for the data life-cycle stage for the entity
  • securityLabel : Coding [0..*] « Security Labels from the Healthcare Privacy and Security Classification System. (Strength=Extensible) All Security Labels + » - Security labels for the identified entity
  • name : string [0..1] - A name of the entity in the audit event
  • description : string [0..1] - Text that describes the entity in more detail
  • query : base64Binary [0..1] - The query parameters for a query-type entities
  • detail [0..*] (Detail) - Tagged value pairs for conveying additional information about the entity

Detail
  • type : string [1..1] - The type of extra detail provided in the value
  • value[x] : Type [1..1] « string | base64Binary » - The value of the extra detail

XML Template

<AuditEvent xmlns="http://hl7.org/fhir">
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <type><!-- 1..1 Coding Type/identifier of event --></type>
 <subtype><!-- 0..* Coding More specific type/id for the event --></subtype>
 <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
 <period><!-- 0..1 Period When the activity occurred --></period>
 <recorded value="[instant]"/><!-- 1..1 Time when the event was recorded -->

 <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
 <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
 <purposeOfEvent><!-- 0..* CodeableConcept The purposeOfUse of the event --></purposeOfEvent>
 <agent>  <!-- 1..* Actor involved in the event -->
  <type><!-- 0..1 CodeableConcept How agent participated --></type>

  <role><!-- 0..* CodeableConcept Agent role in the event --></role>
  <who><!-- 0..1 Reference(Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) Identifier of who --></who>
  <altId value="[string]"/><!-- 0..1 Alternative User identity -->
  <name value="[string]"/><!-- 0..1 Human friendly name for the agent -->

  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->
  </network>
  <purposeOfUse><!-- 0..* CodeableConcept Reason given for this user --></purposeOfUse>
 </agent>
 <source>  <!-- 1..1 Audit Event Reporter -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <observer><!-- 1..1 Reference(Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) The identity of source detecting the event --></observer>
  <type><!-- 0..* Coding The type of source where event originated --></type>
 </source>
 <entity>  <!-- 0..* Data or objects used -->
  <what><!-- 0..1 Reference(Any) Specific instance of resource --></what>

  <type><!-- 0..1 Coding Type of entity involved --></type>
  <role><!-- 0..1 Coding What role the entity played --></role>
  <lifecycle><!-- 0..1 Coding Life-cycle stage for the entity --></lifecycle>
  <securityLabel><!-- 0..* Coding Security labels on the entity --></securityLabel>
  <name value="[string]"/><!-- ?? 0..1 Descriptor for entity -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!-- ?? 0..1 Query parameters -->
  <detail>  <!-- 0..* Additional Information about the entity -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value[x]><!-- 1..1 string|base64Binary Property value --></value[x]>

  </detail>
 </entity>
</AuditEvent>

JSON Template

{
  "resourceType" : "AuditEvent",

  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "type" : { Coding }, // R!  Type/identifier of event
  "subtype" : [{ Coding }], // More specific type/id for the event
  "action" : "<code>", // Type of action performed during the event
  "period" : { Period }, // When the activity occurred
  "recorded" : "<instant>", // R!  Time when the event was recorded

  "outcome" : "<code>", // Whether the event succeeded or failed
  "outcomeDesc" : "<string>", // Description of the event outcome
  "purposeOfEvent" : [{ CodeableConcept }], // The purposeOfUse of the event
  "agent" : [{ // R!  Actor involved in the event
    "type" : { CodeableConcept }, // How agent participated

    "role" : [{ CodeableConcept }], // Agent role in the event
    "who" : { Reference(Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) }, // Identifier of who
    "altId" : "<string>", // Alternative User identity
    "name" : "<string>", // Human friendly name for the agent

    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "address" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point
    },
    "purposeOfUse" : [{ CodeableConcept }] // Reason given for this user
  }],
  "source" : { // R!  Audit Event Reporter
    "site" : "<string>", // Logical source location within the enterprise
    "observer" : { Reference(Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) }, // R!  The identity of source detecting the event
    "type" : [{ Coding }] // The type of source where event originated
  },
  "entity" : [{ // Data or objects used
    "what" : { Reference(Any) }, // Specific instance of resource

    "type" : { Coding }, // Type of entity involved
    "role" : { Coding }, // What role the entity played
    "lifecycle" : { Coding }, // Life-cycle stage for the entity
    "securityLabel" : [{ Coding }], // Security labels on the entity
    "name" : "<string>", // C? Descriptor for entity
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Query parameters
    "detail" : [{ // Additional Information about the entity
      "type" : "<string>", // R!  Name of the property
      // value[x]: Property value. One of these 2:
      "valueString" : "<string>"
      "valueBase64Binary" : "<base64Binary>"

    }]
  }]
}

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .
[ a fhir:AuditEvent;

  fhir:nodeRole fhir:treeRoot; # if this is the parser root
  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:AuditEvent.type [ Coding ]; # 1..1 Type/identifier of event
  fhir:AuditEvent.subtype [ Coding ], ... ; # 0..* More specific type/id for the event
  fhir:AuditEvent.action [ code ]; # 0..1 Type of action performed during the event
  fhir:AuditEvent.period [ Period ]; # 0..1 When the activity occurred
  fhir:AuditEvent.recorded [ instant ]; # 1..1 Time when the event was recorded

  fhir:AuditEvent.outcome [ code ]; # 0..1 Whether the event succeeded or failed
  fhir:AuditEvent.outcomeDesc [ string ]; # 0..1 Description of the event outcome
  fhir:AuditEvent.purposeOfEvent [ CodeableConcept ], ... ; # 0..* The purposeOfUse of the event
  fhir:AuditEvent.agent [ # 1..* Actor involved in the event
    fhir:AuditEvent.agent.type [ CodeableConcept ]; # 0..1 How agent participated

    fhir:AuditEvent.agent.role [ CodeableConcept ], ... ; # 0..* Agent role in the event
    fhir:AuditEvent.agent.who [ Reference(Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ]; # 0..1 Identifier of who
    fhir:AuditEvent.agent.altId [ string ]; # 0..1 Alternative User identity
    fhir:AuditEvent.agent.name [ string ]; # 0..1 Human friendly name for the agent

    fhir:AuditEvent.agent.requestor [ boolean ]; # 1..1 Whether user is initiator
    fhir:AuditEvent.agent.location [ Reference(Location) ]; # 0..1 Where
    fhir:AuditEvent.agent.policy [ uri ], ... ; # 0..* Policy that authorized event
    fhir:AuditEvent.agent.media [ Coding ]; # 0..1 Type of media
    fhir:AuditEvent.agent.network [ # 0..1 Logical network location for application activity
      fhir:AuditEvent.agent.network.address [ string ]; # 0..1 Identifier for the network access point of the user device
      fhir:AuditEvent.agent.network.type [ code ]; # 0..1 The type of network access point
    ];
    fhir:AuditEvent.agent.purposeOfUse [ CodeableConcept ], ... ; # 0..* Reason given for this user
  ], ...;
  fhir:AuditEvent.source [ # 1..1 Audit Event Reporter
    fhir:AuditEvent.source.site [ string ]; # 0..1 Logical source location within the enterprise
    fhir:AuditEvent.source.observer [ Reference(Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ]; # 1..1 The identity of source detecting the event

    fhir:AuditEvent.source.type [ Coding ], ... ; # 0..* The type of source where event originated
  ];
  fhir:AuditEvent.entity [ # 0..* Data or objects used
    fhir:AuditEvent.entity.what [ Reference(Any) ]; # 0..1 Specific instance of resource

    fhir:AuditEvent.entity.type [ Coding ]; # 0..1 Type of entity involved
    fhir:AuditEvent.entity.role [ Coding ]; # 0..1 What role the entity played
    fhir:AuditEvent.entity.lifecycle [ Coding ]; # 0..1 Life-cycle stage for the entity
    fhir:AuditEvent.entity.securityLabel [ Coding ], ... ; # 0..* Security labels on the entity
    fhir:AuditEvent.entity.name [ string ]; # 0..1 Descriptor for entity
    fhir:AuditEvent.entity.description [ string ]; # 0..1 Descriptive text
    fhir:AuditEvent.entity.query [ base64Binary ]; # 0..1 Query parameters
    fhir:AuditEvent.entity.detail [ # 0..* Additional Information about the entity
      fhir:AuditEvent.entity.detail.type [ string ]; # 1..1 Name of the property
      # AuditEvent.entity.detail.value[x] : 1..1 Property value. One of these 2
        fhir:AuditEvent.entity.detail.valueString [ string ]
        fhir:AuditEvent.entity.detail.valueBase64Binary [ base64Binary ]

    ], ...;
  ], ...;
]

Changes since DSTU2

  • AuditEvent.type: Added Element
  • AuditEvent.subtype: Added Element
  • AuditEvent.action: Added Element
  • AuditEvent.recorded: Added Element
  • AuditEvent.outcome: Added Element
  • AuditEvent.outcomeDesc: Added Element
  • AuditEvent.purposeOfEvent: Added Element
  • AuditEvent.agent: Renamed from participant to agent
  • AuditEvent.agent.role: Change value set from http://hl7.org/fhir/ValueSet/dicm-402-roleid to http://hl7.org/fhir/ValueSet/security-role-type
  • AuditEvent.agent.purposeOfUse: Type changed from Coding to CodeableConcept
  • AuditEvent.entity: Renamed from object to entity
  • AuditEvent.entity.type: Change value set from http://hl7.org/fhir/ValueSet/object-type to http://hl7.org/fhir/ValueSet/audit-entity-type
  • AuditEvent.entity.lifecycle: Change value set from http://hl7.org/fhir/ValueSet/object-lifecycle to http://hl7.org/fhir/ValueSet/object-lifecycle-events
  • AuditEvent.event: deleted

Changes since Release 3

  • AuditEvent.action: Change value set from http://hl7.org/fhir/ValueSet/audit-event-action|4.0.0 to http://hl7.org/fhir/ValueSet/audit-event-action|4.1.0
  • AuditEvent.outcome: Change value set from http://hl7.org/fhir/ValueSet/audit-event-outcome|4.0.0 to http://hl7.org/fhir/ValueSet/audit-event-outcome|4.1.0
  • AuditEvent.agent.network.type: Change value set from http://hl7.org/fhir/ValueSet/network-type|4.0.0 to http://hl7.org/fhir/ValueSet/network-type|4.1.0

See the Full Difference for further information

This analysis is available as XML or JSON.

See R2 <--> R3 <--> R4 Conversion Maps (status = 8 tests that all execute ok. All tests pass round-trip testing and all r3 resources are valid.)

See the Profiles & Extensions and the alternate definitions: Master Definition XML + JSON, XML Schema/Schematron + JSON Schema, ShEx (for Turtle) + see the extensions, the spreadsheet version & the dependency analysis

| Path | Definition | Type | Reference |
|---|---|---|---|
| AuditEvent.type | Type of event. | Extensible | AuditEventID |
| AuditEvent.subtype | Sub-type of event. | Extensible | AuditEventSub-Type |
| AuditEvent.action | Indicator for type of action performed during the event that generated the event. | Required | AuditEventAction |
| AuditEvent.outcome | Indicates whether the event succeeded or failed. | Required | AuditEventOutcome |
| AuditEvent.purposeOfEvent, AuditEvent.agent.purposeOfUse | The reason the activity took place. | Extensible | v3.PurposeOfUse |
| AuditEvent.agent.type | The Participation type of the agent to the event. | Extensible | ParticipationRoleType |
| AuditEvent.agent.role | What security role enabled the agent to participate in the event. | Example | SecurityRoleType |
| AuditEvent.agent.media | Used when the event is about exporting/importing onto media. | Extensible | MediaTypeCode |
| AuditEvent.agent.network.type | The type of network access point of this agent in the audit event. | Required | AuditEventAgentNetworkType |
| AuditEvent.source.type | Code specifying the type of system that detected and recorded the event. | Extensible | AuditEventSourceType |
| AuditEvent.entity.type | Code for the entity type involved in the audit event. | Extensible | AuditEventEntityType |
| AuditEvent.entity.role | Code representing the role the entity played in the audit event. | Extensible | AuditEventEntityRole |
| AuditEvent.entity.lifecycle | Identifier for the data life-cycle stage for the entity. | Extensible | ObjectLifecycleEvents |
| AuditEvent.entity.securityLabel | Security Labels from the Healthcare Privacy and Security Classification System. | Extensible | All Security Labels |

| id | Level | Location | Description | Expression |
|---|---|---|---|---|
| sev-1 | Rule | AuditEvent.entity | Either a name or a query (NOT both) | name.empty() or query.empty() |

The AuditEvent resource and the ATNA Audit record are used in many contexts throughout healthcare. The coded values defined in the "extensible" bindings above are those widely used and/or defined by DICOM, IHE or ISO, who defined these codes to meet very specific use cases. These codes should be used when they are suitable. When needed, other codes can be defined.

Note: When using codes from a vocabulary, the display element for the code can be left off to keep the AuditEvent size small and minimize the impact of a large audit log of similar entries.

The set of codes defined for this resource is expected to grow over time, and additional codes may be proposed / requested using the "Propose a change" link below.

This table summarizes common event scenarios, and the codes that should be used for each case.

| Scenario | type | subtype | action | Other |
|---|---|---|---|---|
| User Login (example) | 110114 User Authentication | 110122 User Authentication | E Execute | One agent which contains the details of the logged-in user. |
| User Logout (example) | 110114 User Authentication | 110123 User Logout | E Execute | One agent which contains the details of the logged-out user. |
| REST operation logged on server (example) | rest RESTful Operation | [code] defined for operation | * (see below) | Agent for logged in user, if available, and one object with a reference, if at least the type is known as part of the operation. Reference.url should be provided to the granularity available. |
| Search operation logged on server (example) | rest RESTful Operation | [code] defined for operation | E Execute | Agent for logged in user, if available, and one object with a query element. |

Audit Event Actions for RESTful operations:

| Operation | Action |
|---|---|
| create | C |
| read, vread, history-instance, history-type, history-system | R |
| update | U |
| delete | D |
| transaction, operation, conformance, validate, search, search-type, search-system | E |

FHIR interactions can result in a rich description of the outcome using the OperationOutcome . The OperationOutcome Resource is a collection of error, warning or information messages that result from a system action. This describes in detail the outcome of some operation, such as when a RESTful operation fails.

When recording into an AuditEvent that some FHIR interaction has happened, the AuditEvent should include the OperationOutcome from that FHIR interaction. This is done by placing the OperationOutcome into an AuditEvent.entity, likely as a contained resource, given that OperationOutcome resources often are not persisted.

entity.who is the OperationOutcome -- Likely contained

entity.type is code OperationOutcome

entity.description explains why this OperationOutcome was included.

See transaction failure example : When a client attempts to post (create) an Observation Resource, using a server Patient endpoint; this would result in an error with an OperationOutcome.
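The REST action table and the OperationOutcome guidance above, worked through as an added example (not part of the FHIR specification): it builds the AuditEvent a server would record for one interaction and checks it against the cardinalities and the sev-1 rule shown on this page. The code-system URIs, the outcome codes "0" and "8", the contained id `o1`, the function and parameter names, and the use of entity.what (the reference element the templates define) for the contained OperationOutcome are assumptions.

```python
import base64
from datetime import datetime, timezone

# Interaction -> AuditEvent.action, per "Audit Event Actions for RESTful operations".
REST_ACTION = {"create": "C", "update": "U", "delete": "D"}
REST_ACTION.update(dict.fromkeys(
    ["read", "vread", "history-instance", "history-type", "history-system"], "R"))
REST_ACTION.update(dict.fromkeys(
    ["transaction", "operation", "conformance", "validate",
     "search", "search-type", "search-system"], "E"))

# Assumed code-system URIs (not given on this page).
TYPE_SYSTEM = "http://terminology.hl7.org/CodeSystem/audit-event-type"
SUBTYPE_SYSTEM = "http://hl7.org/fhir/restful-interaction"
RESOURCE_TYPES = "http://hl7.org/fhir/resource-types"


def build_rest_audit_event(interaction, url, user_ref, observer_ref,
                           failure_outcome=None, recorded=None):
    """Build the AuditEvent (as a dict) a server records for one REST interaction."""
    if interaction not in REST_ACTION:
        raise ValueError(f"no action defined for interaction {interaction!r}")
    if interaction.startswith("search"):
        # Search scenario: one entity carrying the query as base64Binary.
        entity = {"query": base64.b64encode(url.encode("utf-8")).decode("ascii")}
    else:
        # Other interactions: one entity referencing what was touched.
        entity = {"what": {"reference": url}}
    event = {
        "resourceType": "AuditEvent",
        # display is left off the codings to keep the log small (see the Note above).
        "type": {"system": TYPE_SYSTEM, "code": "rest"},
        "subtype": [{"system": SUBTYPE_SYSTEM, "code": interaction}],
        "action": REST_ACTION[interaction],
        "recorded": (recorded or datetime.now(timezone.utc)).isoformat(),
        "outcome": "0",  # assumed AuditEventOutcome code for success
        "agent": [{"who": {"reference": user_ref}, "requestor": True}],
        "source": {"observer": {"reference": observer_ref}},
        "entity": [entity],
    }
    if failure_outcome is not None:
        # OperationOutcome is rarely persisted, so carry it as a contained resource.
        event["outcome"] = "8"  # assumed AuditEventOutcome code for a failure
        event["contained"] = [dict(failure_outcome, id="o1")]
        event["entity"].append({
            "what": {"reference": "#o1"},
            "type": {"system": RESOURCE_TYPES, "code": "OperationOutcome"},
            "description": "Outcome returned for the failed interaction",
        })
    return event


def validate_audit_event(event):
    """Return violations of the cardinalities and the sev-1 rule shown on this page."""
    problems = []
    for name in ("type", "recorded", "source"):
        if name not in event:
            problems.append(f"AuditEvent.{name} is 1..1")
    if not event.get("agent"):
        problems.append("AuditEvent.agent is 1..*")
    for i, agent in enumerate(event.get("agent", [])):
        if not isinstance(agent.get("requestor"), bool):
            problems.append(f"agent[{i}].requestor is 1..1 boolean")
    if "observer" not in event.get("source", {}):
        problems.append("AuditEvent.source.observer is 1..1")
    if event.get("action") not in (None, "C", "R", "U", "D", "E"):
        problems.append("AuditEvent.action must be one of C, R, U, D, E")
    for i, entity in enumerate(event.get("entity", [])):
        if "name" in entity and "query" in entity:  # sev-1: name.empty() or query.empty()
            problems.append(f"entity[{i}] violates sev-1: both name and query present")
        for j, detail in enumerate(entity.get("detail", [])):
            values = [k for k in ("valueString", "valueBase64Binary") if k in detail]
            if "type" not in detail or len(values) != 1:
                problems.append(f"entity[{i}].detail[{j}] needs type and exactly one value[x]")
    return problems
```

Running `validate_audit_event` on events before they are written to the log catches records that a conformant audit repository would reject, so gaps in the audit trail surface at the source rather than during an investigation.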

The AuditEvent provides the element purposeOfEvent to convey the purpose of the event and purposeOfUse to convey the reason that a particular actor (machine, person, software) was involved in the event.

purposeOfEvent is an element at the level of AuditEvent and can convey the purpose of the activity that resulted in the event. This will occur when the system that is reporting the event is aware of the purpose of the event. A specific example would be a radiology reporting system where a radiologist has created and is sending a finished report. This system likely knows the purpose, e.g., "treatment". It is multi-valued because the one event may be related to multiple purposes.

It is also commonplace that the reporting system does not have information about the purpose of the event. In these cases, the event report would not have a purposeOfEvent.

It is also likely that the same event will be reported from different perspectives, e.g., by both the sender and recipient of a communication. These two different perspectives can have different knowledge regarding the purposeOfEvent .

purposeOfUse is an element at the level of agent within AuditEvent. This describes the reason that this person, machine, or software is participating in the activity that resulted in the event. For example, an individual person participating in the event may assert a purpose of use from their perspective. It is also possible that they are participating for multiple reasons and report multiple purposeOfUse.

The reporting system might not have knowledge regarding why a particular machine or person was involved and would omit this element in those cases.

When the same event is reported from multiple perspectives, the reports can have different knowledge regarding the purpose.

Search parameters for this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.

| Name | Type | Description | Expression | In Common |
|---|---|---|---|---|
| user | token | Unique identifier for the user | AuditEvent.agent.userId | |
| action | token | Type of action performed during the event | AuditEvent.action | |
| address | string | Identifier for the network access point of the user device | AuditEvent.agent.network.address | |
| agent | reference | Identifier of who | AuditEvent.agent.who (Practitioner, Organization, Device, Patient, PractitionerRole, RelatedPerson) | |
| agent-name | string | Human friendly name for the agent | AuditEvent.agent.name | |
| agent-role | token | Agent role in the event | AuditEvent.agent.role | |
| altid | token | Alternative User identity | AuditEvent.agent.altId | |
| date | date | Time when the event was recorded | AuditEvent.recorded | |
| entity | reference | Specific instance of resource | AuditEvent.entity.what (Any) | |
| entity-id | token | Specific instance of object | AuditEvent.entity.identifier | |
| entity-name | string | Descriptor for entity | AuditEvent.entity.name | |
| entity-role | token | What role the entity played | AuditEvent.entity.role | |
| entity-type | token | Type of entity involved | AuditEvent.entity.type | |
| outcome | token | Whether the event succeeded or failed | AuditEvent.outcome | |
| patient | reference | Identifier of who | AuditEvent.agent.who.where(resolve() is Patient) \| AuditEvent.entity.what.where(resolve() is Patient) (Patient) | |
| policy | uri | Policy that authorized event | AuditEvent.agent.policy | |
| purpose | token | The purposeOfUse of the event | AuditEvent.purposeOfEvent \| AuditEvent.agent.purposeOfUse | |
| site | token | Logical source location within the enterprise | AuditEvent.source.site | |
| source | reference | The identity of source detecting the event | AuditEvent.source.observer (Practitioner, Organization, Device, Patient, PractitionerRole, RelatedPerson) | |
| subtype | token | More specific type/id for the event | AuditEvent.subtype | |
| type | token | Type/identifier of event | AuditEvent.type | |