AuditEvent

A record of an event made for purposes of maintaining a security log. Typical uses include detection of intrusion attempts and monitoring for inappropriate usage.

Schema
Usage
Background and Context

Elements

Name	Required	Type	Description
type	✓	Coding	Type/identifier of event Details Identifier for a family of the event. For example, a menu item, program, rule, policy, function code, application name or URL. It identifies the performed function.
subtype		Coding[]	More specific type/id for the event Details Identifier for the category of event.
action		code	Type of action performed during the event Details Indicator for type of action performed during the event that generated the audit.
period		Period	When the activity occurred Details The period during which the activity occurred. The period can be a little arbitrary; where possible, the time should correspond to human assessment of the activity time.
recorded	✓	instant	Time when the event was recorded Details The time when the event was recorded. In a distributed system, some sort of common time base (e.g. an NTP [RFC1305] server) is a good implementation tactic.
outcome		code	Whether the event succeeded or failed Details Indicates whether the event succeeded or failed. In some cases a "success" may be partial, for example, an incomplete or interrupted transfer of a radiological study. For the purpose of establishing accountability, these distinctions are not relevant.
outcomeDesc		string	Description of the event outcome Details A free text description of the outcome of the event.
purposeOfEvent		CodeableConcept[]	The purposeOfUse of the event Details The purposeOfUse (reason) that was used during the event being recorded. Use AuditEvent.agent.purposeOfUse when you know that it is specific to the agent, otherwise use AuditEvent.purposeOfEvent. For example, during a machine-to-machine transfer it might not be obvious to the audit system who caused the event, but it does know why.
agent	✓	AuditEventAgent[]	Actor involved in the event Details An actor taking an active role in the event or activity that is logged. Several agents may be associated (i.e. have some responsibility for an activity) with an event or activity. For example, an activity may be initiated by one user for other users or involve more than one user. However, only one user may be the initiator/requestor for the activity.
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
type		CodeableConcept	How agent participated Details Specification of the participation type the user plays when performing the event.
role		CodeableConcept[]	Agent role in the event Details The security role that the user was acting under, that come from local codes defined by the access control security system (e.g. RBAC, ABAC) used in the local context. Should be roles relevant to the event. Should not be an exhaustive list of roles.
who		Reference< PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson >	Identifier of who Details Reference to who this agent is that was involved in the event. Where a User ID is available it will go into who.identifier.
altId		string	Alternative User identity Details Alternative agent Identifier. For a human, this should be a user identifier text string from authentication system. This identifier would be one known to a common authentication system (e.g. single sign-on), if available.
name		string	Human friendly name for the agent Details Human-meaningful name for the agent.
requestor	✓	boolean	Whether user is initiator Details Indicator that the user is or is not the requestor, or initiator, for the event being audited. There can only be one initiator. If the initiator is not clear, then do not choose any one agent as the initiator.
location		Reference<Location>	Where Details Where the event occurred.
policy		uri[]	Policy that authorized event Details The policy or plan that authorized the activity being recorded. Typically, a single activity may have multiple applicable policies, such as patient consent, guarantor funding, etc. The policy would also indicate the security token used. For example: Where an OAuth token authorizes, the unique identifier from the OAuth token is placed into the policy element Where a policy engine (e.g. XACML) holds policy logic, the unique policy identifier is placed into the policy element.
media		Coding	Type of media Details Type of media involved. Used when the event is about exporting/importing onto media.
network		AuditEventAgentNetwork	Logical network location for application activity Details Logical network location for application activity, if the activity has a network location.
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
address		string	Identifier for the network access point of the user device Details An identifier for the network access point of the user device for the audit event. This could be a device id, IP address or some other identifier associated with a device.
type		code	The type of network access point Details An identifier for the type of network access point that originated the audit event.
purposeOfUse		CodeableConcept[]	Reason given for this user Details The reason (purpose of use), specific to this agent, that was used during the event being recorded. Use AuditEvent.agent.purposeOfUse when you know that is specific to the agent, otherwise use AuditEvent.purposeOfEvent. For example, during a machine-to-machine transfer it might not be obvious to the audit system who caused the event, but it does know why.
source	✓	AuditEventSource	Audit Event Reporter Details The system that is reporting the event. Since multi-tier, distributed, or composite applications make source identification ambiguous, this collection of fields may repeat for each application or process actively involved in the event. For example, multiple value-sets can identify participating web servers, application processes, and database server threads in an n-tier distributed application. Passive event participants (e.g. low-level network transports) need not be identified.
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
site		string	Logical source location within the enterprise Details Logical source location within the healthcare enterprise network. For example, a hospital or other provider location within a multi-entity provider group.
observer	✓	Reference< PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson >	The identity of source detecting the event Details Identifier of the source where the event was detected.
type		Coding[]	The type of source where event originated Details Code specifying the type of source where event originated.
entity		AuditEventEntity[]	Data or objects used Details Specific instances of data or objects that have been accessed. Required unless the values for event identification, agent identification, and audit source identification are sufficient to document the entire auditable event. Because events may have more than one entity, this group can be a repeating set of values.
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
what		Reference<Resource>	Specific instance of resource Details Identifies a specific instance of the entity. The reference should be version specific.
type		Coding	Type of entity involved Details The type of the object that was involved in this audit event. This value is distinct from the user's role or any user relationship to the entity.
role		Coding	What role the entity played Details Code representing the role the entity played in the event being audited.
lifecycle		Coding	Life-cycle stage for the entity Details Identifier for the data life-cycle stage for the entity. This can be used to provide an audit trail for data, over time, as it passes through the system.
securityLabel		Coding[]	Security labels on the entity Details Security labels for the identified entity. Copied from entity meta security tags.
name		string	Descriptor for entity Details A name of the entity in the audit event. This field may be used in a query/report to identify audit events for a specific person. For example, where multiple synonymous entity identifiers (patient number, medical record number, encounter number, etc.) have been used.
description		string	Descriptive text Details Text that describes the entity in more detail.
query		base64Binary	Query parameters Details The query parameters for a query-type entities. The meaning and secondary-encoding of the content of base64 encoded blob is specific to the AuditEvent.type, AuditEvent.subtype, AuditEvent.entity.type, and AuditEvent.entity.role. The base64 is a general-use and safe container for event specific data blobs regardless of the encoding used by the transaction being recorded. An AuditEvent consuming application must understand the event it is consuming and the formats used by the event. For example, if auditing an Oracle network database access, the Oracle formats must be understood as they will be simply encoded in the base64binary blob.
detail		AuditEventEntityDetail[]	Additional Information about the entity Details Tagged value pairs for conveying additional information about the entity.
id		string	Unique id for inter-element referencing Details Unique id for the element within a resource (for internal references). This may be any string value that does not contain spaces.
extension		Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the element. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension		Extension[]	Extensions that cannot be ignored even if unrecognized Details May be used to represent additional information that is not part of the basic definition of the element and that modifies the understanding of the element in which it is contained and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
type	✓	string	Name of the property Details The type of extra detail provided in the value.
value[x]	✓	string, base64Binary	Property value Details The value of the extra detail. The value can be string when known to be a string, else base64 encoding should be used to protect binary or undefined content. The meaning and secondary-encoding of the content of base64 encoded blob is specific to the AuditEvent.type, AuditEvent.subtype, AuditEvent.entity.type, and AuditEvent.entity.role. The base64 is a general-use and safe container for event specific data blobs regardless of the encoding used by the transaction being recorded. An AuditEvent consuming application must understand the event it is consuming and the formats used by the event. For example if auditing an Oracle network database access, the Oracle formats must be understood as they will be simply encoded in the base64binary blob.

Search Parameters

Name	Type	Description	Expression
action	token	Type of action performed during the event	AuditEvent.action
address	string	Identifier for the network access point of the user device	AuditEvent.agent.network.address
agent	reference	Identifier of who	AuditEvent.agent.who
agent-name	string	Human friendly name for the agent	AuditEvent.agent.name
agent-role	token	Agent role in the event	AuditEvent.agent.role
altid	token	Alternative User identity	AuditEvent.agent.altId
date	date	Time when the event was recorded	AuditEvent.recorded
entity	reference	Specific instance of resource	AuditEvent.entity.what
entity-name	string	Descriptor for entity	AuditEvent.entity.name
entity-role	token	What role the entity played	AuditEvent.entity.role
entity-type	token	Type of entity involved	AuditEvent.entity.type
outcome	token	Whether the event succeeded or failed	AuditEvent.outcome
patient	reference	Identifier of who	AuditEvent.agent.who.where(resolve() is Patient) \| AuditEvent.entity.what.where(resolve() is Patient)
policy	uri	Policy that authorized event	AuditEvent.agent.policy
site	token	Logical source location within the enterprise	AuditEvent.source.site
source	reference	The identity of source detecting the event	AuditEvent.source.observer
subtype	token	More specific type/id for the event	AuditEvent.subtype
type	token	Type/identifier of event	AuditEvent.type

Inherited Elements

Name	Type	Description
id	string	Logical id of this artifact Details The logical id of the resource, as used in the URL for the resource. Once assigned, this value never changes. The only time that a resource does not have an id is when it is being submitted to the server using a create operation.
meta	Meta	Metadata about the resource Details The metadata about the resource. This is content that is maintained by the infrastructure. Changes to the content might not always be associated with version changes to the resource.
implicitRules	uri	A set of rules under which this content was created Details A reference to a set of rules that were followed when the resource was constructed, and which must be understood when processing the content. Often, this is a reference to an implementation guide that defines the special rules along with other profiles etc. Asserting this rule set restricts the content to be only understood by a limited set of trading partners. This inherently limits the usefulness of the data in the long term. However, the existing health eco-system is highly fractured, and not yet ready to define, collect, and exchange data in a generally computable sense. Wherever possible, implementers and/or specification writers should avoid using this element. Often, when used, the URL is a reference to an implementation guide that defines these special rules as part of it's narrative along with other profiles, value sets, etc.
language	code	Language of the resource content Details The base language in which the resource is written. Language is provided to support indexing and accessibility (typically, services such as text to speech use the language tag). The html language tag in the narrative applies to the narrative. The language tag on the resource may be used to specify the language of other presentations generated from the data in the resource. Not all the content has to be in the base language. The Resource.language should not be assumed to apply to the narrative automatically. If a language is specified, it should it also be specified on the div element in the html (see rules in HTML5 for information about the relationship between xml:lang and the html lang attribute).
text	Narrative	Text summary of the resource, for human interpretation Details A human-readable narrative that contains a summary of the resource and can be used to represent the content of the resource to a human. The narrative need not encode all the structured data, but is required to contain sufficient detail to make it "clinically safe" for a human to just read the narrative. Resource definitions may define what content should be represented in the narrative to ensure clinical safety. Contained resources do not have narrative. Resources that are not contained SHOULD have a narrative. In some cases, a resource may only have text with little or no additional discrete data (as long as all minOccurs=1 elements are satisfied). This may be necessary for data from legacy systems where information is captured as a "text blob" or where text is additionally entered raw or narrated and encoded information is added later.
contained	Resource[]	Contained, inline Resources Details These resources do not have an independent existence apart from the resource that contains them - they cannot be identified independently, and nor can they have their own independent transaction scope. This should never be done when the content can be identified properly, as once identification is lost, it is extremely difficult (and context dependent) to restore it again. Contained resources may have profiles and tags In their meta elements, but SHALL NOT have security labels.
extension	Extension[]	Additional content defined by implementations Details May be used to represent additional information that is not part of the basic definition of the resource. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.
modifierExtension	Extension[]	Extensions that cannot be ignored Details May be used to represent additional information that is not part of the basic definition of the resource and that modifies the understanding of the element that contains it and/or the understanding of the containing element's descendants. Usually modifier elements provide negation or qualification. To make the use of extensions safe and manageable, there is a strict set of governance applied to the definition and use of extensions. Though any implementer is allowed to define an extension, there is a set of requirements that SHALL be met as part of the definition of the extension. Applications processing a resource are required to check for modifier extensions. Modifier extensions SHALL NOT change the meaning of any elements on Resource or DomainResource (including cannot change the meaning of modifierExtension itself). There can be no stigma associated with the use of extensions by any application, project, or standard - regardless of the institution or jurisdiction that uses or defines the extensions. The use of extensions is what allows the FHIR specification to retain a core level of simplicity for everyone.

All actors - such as applications, processes, and services - involved in an auditable event should record an AuditEvent. This will likely result in multiple AuditEvent entries that show whether privacy and security safeguards, such as access control, are properly functioning across an enterprise's system-of-systems. Thus, it is typical to get an auditable event recorded by both the application in a workflow process and the servers that support them. For this reason, duplicate entries are expected, which is helpful because it may aid in the detection of. For example, fewer than expected actors being recorded in a multi-actor process or attributes related to those records being in conflict, which is an indication of a security problem. There may be non-participating actors, such as trusted intermediary, that also detect a security relevant event and thus would record an AuditEvent, such as a trusted intermediary.

Security relevant events are not limited to communications or RESTful events. They include:

software start-up and shutdown;
user login and logout;
access control decisions;
configuration events;
software installation;
policy rules changes; and
manipulation of data that exposes the data to users.

See the Audit Event Sub-Type vocabulary for guidance on some security relevant events.

The content of an AuditEvent is intended for use by security system administrators, security and privacy information managers, and records management personnel. This content is not intended to be accessible or used directly by other healthcare users, such as providers or patients, although reports generated from the raw data would be useful. An example is a patient-centric accounting of disclosures or an access report. Servers that provide support for AuditEvent resources would not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record. Access to the AuditEvent would typically be limited to security, privacy, or other system administration purposes.

Relationship of AuditEvent and Provenance resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource "came to be" in its current state, e.g., whether it was created de novo or obtained from another entity in whole, part, or by transformation. Provenance resources are prepared by the application that initiates the create/update of the resource and may be persisted with the AuditEvent target resource.

AuditEvent

Elements​

Search Parameters​

Inherited Elements​

Elements

Search Parameters

Inherited Elements