6.5 6.3 Resource AuditEvent - Content Resource AuditEvent - Content

6.5.1 Scope and Usage 6.3.1 Scope and Usage The audit event is based on the IHE-ATNA Audit record definitions, originally from RFC 3881 , and now managed by DICOM (see DICOM Part 15 Annex A5 ). ASTM E2147 – Setup the concept of security audit logs for healthcare including accounting of disclosures IETF RFC 3881 – Defined the Information Model (IETF rule forced this to be informative) DICOM Audit Log Message – Made the information model Normative, defined Vocabulary, Transport Binding, and Schema IHE ATNA – Defines the grouping with secure transport and access controls; and defined specific audit log records for specific IHE transactions. NIST SP800-92 – Shows how to do audit log management and reporting – consistent with our model HL7 PASS – Defined an Audit Service with responsibilities and a query interface for reporting use ISO 27789 – Defined the subset of audit events that an EHR would need This resource is managed collaboratively between HL7, DICOM, and IHE. The primary purpose of this resource is the maintenance of security audit log information. However, it can also be used for any audit logging needs and simple event-based notification. 6.5.2 Background and Context

The audit event is based on the IHE-ATNA Audit record definitions, originally from RFC 3881 , and now managed by DICOM (see DICOM Part 15 Annex A5 All actors; such as applications, processes, and services; involved in an auditable event should record an AuditEvent. This will likely result in multiple AuditEvent entries that show whether privacy and security safeguards, such as access control, are the properly functioning across an enterprise's system-of-systems. Thus it is typical to get an auditable event recorded by both the application in a workflow process, and the servers that support them. For this reason, duplicate entries are expected, which is helpful because it may aid in the detecting of, for example, fewer than expected actors being recorded in a multi-actor process or attributes related to those records being in conflict, which is an indication of a security problem. There may be non-participating actors that also detect a security relevant event and thus would record an AuditEvent, such as a trusted intermediary. Security relevant events are not limited to communications or RESTful events. They include software startup and shutdown; user login and logout; access control decisions; configuration events; software installation; policy rules changes; and manipulation of data that exposes the data to users. See Audit Event Sub-Type vocabulary for guidance on some security relevant events. The content of an AuditEvent is intended for use by Security System Administrators, Security and Privacy Information Managers, and Records Management personnel. This content is not intended to be accessible or used directly by other healthcare users, such as Providers or Patients, although reports generated from the raw data would be useful. An example is a Patient centric Accounting of Disclosures or an Access Report. Servers that provide support for Audit Event resources would not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record. Access of the AuditEvent would typically be limited to e.g., security, privacy, or other system administration purposes. Relationship of AuditEvent and Provenance resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource "came to be" in its current state, e.g., whether it was created de novo or obtained from another entity in whole, part, or by transformation. Provenance resources are prepared by the application that initiates the create/update of the resource, and may be persisted with the AuditEvent target resource. ).

• ASTM E2147 – Setup the concept of security audit logs for healthcare including accounting of disclosures
• IETF RFC 3881 – Defined the Information Model (IETF rule forced this to be informative)
• DICOM Audit Log Message – Made the information model Normative, defined Vocabulary, Transport Binding, and Schema
• IHE ATNA – Defines the grouping with secure transport and access controls; and defined specific audit log records for specific IHE transactions.
• NIST SP800-92 – Shows how to do audit log management and reporting – consistent with our model
• HL7 PASS – Defined an Audit Service with responsibilities and a query interface for reporting use
• ISO 27789 – Defined the subset of audit events that an EHR would need

This resource is managed collaboratively between HL7, DICOM, and IHE.

The primary purpose of this resource is the maintenance of security audit log information. However, it can also be used for any audit logging needs and simple event-based notification.

6.5.2.1 Open Issues and Request for Comments 6.3.2 Background and Context The AuditEvent Resource, like many of the FHIR Resources in DSTU, continues to be developed by the sponsoring HL7 Security Work Group. In particular, the Security WG continues to focus on refining the value sets used by both AuditEvent and its closely related Provenance Resource to ensure complete coverage of system and end user actions and action reasons that impact security objects (data, processes, applications, servers, etc.) The Security WG is particularly interested in implementer feedback on these focus areas, and at the same time cautions implementers to undertake due diligence in adapting these resources to their use cases. At this juncture, there are multiple standard vocabularies in use that reflect different perspectives and levels of granularity on the concepts used to convey actions and reasons for actions. Both the AuditEvent and Provenance Resources are making available a number of those vocabularies via resource element bindings. For example, AuditEvent has four elements that bind to "activity" vocabularies which could be used to convey the same concept where there’s no clear use case for doing so. E.g., a "read" action could be conveyed by AuditEvent.event.type, AuditEvent.event.subtype, AuditEvent.event.action, and AuditEvent.object.lifecycle. Only the AuditEvent.event.type is required, but is there a use case for including the others if the basic action is the same? However, there may be use cases in which both the high level CRUDE action value set is an important addition to a required code from AuditEvent.event.type. E.g., seems helpful where the required code = Audit event: Application Activity has taken place, and not so helpful if the required code = Audit Log has been used. The upshot is that implementers will need to carefully match the concepts in the value set bindings to their use cases to ensure that the level of granularity and concept selections are appropriate. The Security WG would appreciate comments on this, and in particular, how feasible or useful pre-coordination of these multiple activity value sets might be or whether collapsing these into one or two might be more appropriate. The Security WG would also appreciate feedback from the implementer community on how well they are able to discern and utilize the different contexts in which the rationale for actions is conveyed using the HL7 Purpose of Use vocabulary [V:PurposeOfUse:2.16.840.1.113883.1.11.20448]. At this juncture, AuditEvent binds to this value set in four places: As Purpose of Event – where it’s a machine that is the audited agent As Purpose of Use – which is the Human User’s asserted POU As a Security Label Element – see 3rd Detailed Description below As a Security Label Metadata value Meta.security (Extensible) The Security WG envisions use cases where these could be used in concert, but that would require system functionality that may not be feasible or beneficial to the implementer community. For example, Purpose of Event when the machine2machine is an EHR server and the user’s client supposedly being used for Treatment End User’s POU is Treatment and Research using e.g., DAF POU Security Label on the participant/target object of the AuditEvent = Legal, which is the POU for e.g., Legal Hold [i.e., no one but Records Management and Legal is supposed to have access but the Access Control System doesn’t do ABAC or the patient’s consent directive does not assent to POU = research, but the audited system has not implemented data segmentation to prevent End User from using the data to research Security Label on the AuditEvent Resource = System administration [because the only permitted use is for system administration/security] Note that the binding of the value sets discussed above are currently set to extensible rather than example. Concerns have been raised about constraining vocabulary choices during DSTU especially for other jurisdictions. For example, outside of the US, ISO 13606 Purpose of Use codes are more likely used. Security WG would also appreciate feedback on whether these bindings should be example or extensible.

All actors; such as applications, processes, and services; involved in an auditable event should record an AuditEvent. This will likely result in multiple AuditEvent entries that show whether privacy and security safeguards, such as access control, are the properly functioning across an enterprise's system-of-systems. Thus it is typical to get an auditable event recorded by both the application in a workflow process, and the servers that support them. For this reason, duplicate entries are expected, which is helpful because it may aid in the detecting of, for example, fewer than expected actors being recorded in a multi-actor process or attributes related to those records being in conflict, which is an indication of a security problem. There may be non-participating actors that also detect a security relevant event and thus would record an AuditEvent, such as a trusted intermediary.

Security relevant events are not limited to communications or RESTful events. They include software startup and shutdown; user login and logout; access control decisions; configuration events; software installation; policy rules changes; and manipulation of data that exposes the data to users. See Audit Event Sub-Type vocabulary for guidance on some security relevant events.

The content of an AuditEvent is intended for use by Security System Administrators, Security and Privacy Information Managers, and Records Management personnel. This content is not intended to be accessible or used directly by other healthcare users, such as Providers or Patients, although reports generated from the raw data would be useful. An example is a Patient centric Accounting of Disclosures or an Access Report. Servers that provide support for Audit Event resources would not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record. Access of the AuditEvent would typically be limited to e.g., security, privacy, or other system administration purposes.

Relationship of AuditEvent and Provenance resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource "came to be" in its current state, e.g., whether it was created de novo or obtained from another entity in whole, part, or by transformation. Provenance resources are prepared by the application that initiates the create/update of the resource, and may be persisted with the AuditEvent target resource.

• Structure
• UML
• XML
• JSON
• Turtle
• R2 Diff
• All

Structure

Name	Flags	Card.	Type	Description & Constraints Description & Constraints
AuditEvent			DomainResource	Event record kept for security purposes event 1..1 BackboneElement What was done Event record kept for security purposes
type	Σ	1..1	Coding	Type/identifier of event Type/identifier of event Audit Event ID ( Audit Event ID ( Extensible )
subtype	Σ	0..*	Coding	More specific type/id for the event More specific type/id for the event Audit Event Sub-Type ( Audit Event Sub-Type ( Extensible )
action	Σ	0..1	code	Type of action performed during the event Type of action performed during the event AuditEventAction ( ( Required )
dateTime recorded	Σ	1..1	instant	Time when the event occurred on source Time when the event occurred on source
outcome	Σ	0..1	code	Whether the event succeeded or failed Whether the event succeeded or failed AuditEventOutcome ( ( Required )
outcomeDesc	Σ	0..1	string	Description of the event outcome Description of the event outcome
purposeOfEvent	Σ	0..*	Coding	The purposeOfUse of the event The purposeOfUse of the event PurposeOfUse ( ( Extensible )
participant agent		1..*	BackboneElement	A person, a hardware device or software process Actor involved in the event
role		0..*	CodeableConcept	User roles (e.g. local RBAC codes) Agent role in the event Audit Active Participant Role ID Code ( Audit agent Role ID Code ( Extensible )
reference	Σ	0..1	Reference ( Practitioner | | Organization | | Device | | Patient | | RelatedPerson )	Direct reference to resource Direct reference to resource
userId	Σ	0..1	Identifier	Unique identifier for the user Unique identifier for the user
altId		0..1	string	Alternative User id e.g. authentication Alternative User id e.g. authentication
name		0..1	string	Human-meaningful name for the user Human-meaningful name for the agent
requestor		1..1	boolean	Whether user is initiator Whether user is initiator
location		0..1	Reference ( Location )	Where
policy		0..*	uri	Policy that authorized event Policy that authorized event
media		0..1	Coding	Type of media Type of media Media Type Code ( Media Type Code ( Extensible )
network		0..1	BackboneElement	Logical network location for application activity Logical network location for application activity
address		0..1	string	Identifier for the network access point of the user device Identifier for the network access point of the user device
type		0..1	code	The type of network access point The type of network access point AuditEventParticipantNetworkType ( AuditEventAgentNetworkType ( Required )
purposeOfUse		0..*	Coding	Reason given for this user Reason given for this user PurposeOfUse ( ( Extensible )
source		1..1	BackboneElement	Application systems and processes Audit Event Reporter
site		0..1	string	Logical source location within the enterprise Logical source location within the enterprise
identifier	Σ	1..1	Identifier	The identity of source detecting the event The identity of source detecting the event
type		0..*	Coding	The type of source where event originated The type of source where event originated Audit Event Source Type ( Audit Event Source Type ( Extensible )
object entity	I	0..*	BackboneElement	Specific instances of data or objects that have been accessed Data or objects used Either a name or a query (NOT both) Either a name or a query (NOT both)
identifier	Σ	0..1	Identifier	Specific instance of object (e.g. versioned) Specific instance of object
reference	Σ	0..1	Reference ( Any )	Specific instance of resource (e.g. versioned) Specific instance of resource
type		0..1	Coding	Type of object involved Type of entity involved AuditEventObjectType ( AuditEventEntityType ( Extensible )
role		0..1	Coding	What role the Object played What role the entity played AuditEventObjectRole ( AuditEventEntityRole ( Extensible )
lifecycle		0..1	Coding	Life-cycle stage for the object Life-cycle stage for the entity AuditEventObjectLifecycle ( AuditEventEntityLifecycle ( Extensible )
securityLabel		0..*	Coding	Security labels applied to the object Security labels on the entity All Security Labels ( All Security Labels ( Extensible )
name	Σ I	0..1	string	Instance-specific descriptor for Object Descriptor for entity
description		0..1	string	Descriptive text Descriptive text
query	Σ I	0..1	base64Binary	Actual query for object Query parameters
detail		0..*	BackboneElement	Additional Information about the Object Additional Information about the entity
type		1..1	string	Name of the property Name of the property
value		1..1	base64Binary	Property value Property value
Documentation for this format Documentation for this format

<AuditEvent xmlns="http://hl7.org/fhir"> 

 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <
  <</type>
  <</subtype>
  <
  <
  <
  <
  <</purposeOfEvent>
 </event>
 <
  <</role>
  <|

 <type><!-- 1..1 Coding Type/identifier of event --></type>
 <subtype><!-- 0..* Coding More specific type/id for the event --></subtype>
 <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
 <recorded value="[instant]"/><!-- 1..1 Time when the event occurred on source -->
 <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
 <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
 <purposeOfEvent><!-- 0..* Coding The purposeOfUse of the event --></purposeOfEvent>
 <agent>  <!-- 1..* Actor involved in the event -->
  <role><!-- 0..* CodeableConcept Agent role in the event --></role>
  <reference><!-- 0..1 Reference(Practitioner|Organization|Device|Patient|

    RelatedPerson) Direct reference to resource --></reference>
  <</userId>
  <
  <
  <
  <</location>
  <
  <</media>
  <
   <
   <

  <userId><!-- 0..1 Identifier Unique identifier for the user --></userId>
  <altId value="[string]"/><!-- 0..1 Alternative User id e.g. authentication -->
  <name value="[string]"/><!-- 0..1 Human-meaningful name for the agent -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->

  </network>
  <</purposeOfUse>
 </participant>
 <
  <
  <</identifier>
  <</type>

  <purposeOfUse><!-- 0..* Coding Reason given for this user --></purposeOfUse>
 </agent>
 <source>  <!-- 1..1 Audit Event Reporter -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <identifier><!-- 1..1 Identifier The identity of source detecting the event --></identifier>
  <type><!-- 0..* Coding The type of source where event originated --></type>

 </source>
 <
  <</identifier>
  <</reference>
  <</type>
  <</role>
  <</lifecycle>
  <</securityLabel>
  <
  <
  <
  <
   <
   <

 <entity>  <!-- 0..* Data or objects used -->
  <identifier><!-- 0..1 Identifier Specific instance of object --></identifier>
  <reference><!-- 0..1 Reference(Any) Specific instance of resource --></reference>
  <type><!-- 0..1 Coding Type of entity involved --></type>
  <role><!-- 0..1 Coding What role the entity played --></role>
  <lifecycle><!-- 0..1 Coding Life-cycle stage for the entity --></lifecycle>
  <securityLabel><!-- 0..* Coding Security labels on the entity --></securityLabel>
  <name value="[string]"/><!--  0..1 Descriptor for entity -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!--  0..1 Query parameters -->
  <detail>  <!-- 0..* Additional Information about the entity -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value value="[base64Binary]"/><!-- 1..1 Property value -->

  </detail>
 </object>

 </entity>

</AuditEvent>

{
  "resourceType" : "AuditEvent",

  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "
    "
    "
    "
    "
    "
    "
    "
  },
  "
    "
    "|

  "type" : { Coding }, // R!  Type/identifier of event
  "subtype" : [{ Coding }], // More specific type/id for the event
  "action" : "<code>", // Type of action performed during the event
  "recorded" : "<instant>", // R!  Time when the event occurred on source
  "outcome" : "<code>", // Whether the event succeeded or failed
  "outcomeDesc" : "<string>", // Description of the event outcome
  "purposeOfEvent" : [{ Coding }], // The purposeOfUse of the event
  "agent" : [{ // R!  Actor involved in the event
    "role" : [{ CodeableConcept }], // Agent role in the event
    "reference" : { Reference(Practitioner|Organization|Device|Patient|

    RelatedPerson) }, // Direct reference to resource
    "
    "
    "
    "
    "
    "
    "
    "
      "
      "

    "userId" : { Identifier }, // Unique identifier for the user
    "altId" : "<string>", // Alternative User id e.g. authentication
    "name" : "<string>", // Human-meaningful name for the agent
    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "address" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point

    },
    "

    "purposeOfUse" : [{ Coding }] // Reason given for this user

  }],
  "
    "
    "
    "

  "source" : { // R!  Audit Event Reporter
    "site" : "<string>", // Logical source location within the enterprise
    "identifier" : { Identifier }, // R!  The identity of source detecting the event
    "type" : [{ Coding }] // The type of source where event originated

  },
  "
    "
    "
    "
    "
    "
    "
    "
    "
    "
    "
      "
      "

  "entity" : [{ // Data or objects used
    "identifier" : { Identifier }, // Specific instance of object
    "reference" : { Reference(Any) }, // Specific instance of resource
    "type" : { Coding }, // Type of entity involved
    "role" : { Coding }, // What role the entity played
    "lifecycle" : { Coding }, // Life-cycle stage for the entity
    "securityLabel" : [{ Coding }], // Security labels on the entity
    "name" : "<string>", // C? Descriptor for entity
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Query parameters
    "detail" : [{ // Additional Information about the entity
      "type" : "<string>", // R!  Name of the property
      "value" : "<base64Binary>" // R!  Property value

    }]
  }]
}

@prefix fhir: <http://hl7.org/fhir/> .


[ a fhir:AuditEvent;
  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:AuditEvent.type [ Coding ]; # 1..1 Type/identifier of event
  fhir:AuditEvent.subtype [ Coding ], ... ; # 0..* More specific type/id for the event
  fhir:AuditEvent.action [ code ]; # 0..1 Type of action performed during the event
  fhir:AuditEvent.recorded [ instant ]; # 1..1 Time when the event occurred on source
  fhir:AuditEvent.outcome [ code ]; # 0..1 Whether the event succeeded or failed
  fhir:AuditEvent.outcomeDesc [ string ]; # 0..1 Description of the event outcome
  fhir:AuditEvent.purposeOfEvent [ Coding ], ... ; # 0..* The purposeOfUse of the event
  fhir:AuditEvent.agent [ # 1..* Actor involved in the event
    fhir:AuditEvent.agent.role [ CodeableConcept ], ... ; # 0..* Agent role in the event
    fhir:AuditEvent.agent.reference [ Reference(Practitioner|Organization|Device|Patient|RelatedPerson) ]; # 0..1 Direct reference to resource
    fhir:AuditEvent.agent.userId [ Identifier ]; # 0..1 Unique identifier for the user
    fhir:AuditEvent.agent.altId [ string ]; # 0..1 Alternative User id e.g. authentication
    fhir:AuditEvent.agent.name [ string ]; # 0..1 Human-meaningful name for the agent
    fhir:AuditEvent.agent.requestor [ boolean ]; # 1..1 Whether user is initiator
    fhir:AuditEvent.agent.location [ Reference(Location) ]; # 0..1 Where
    fhir:AuditEvent.agent.policy [ uri ], ... ; # 0..* Policy that authorized event
    fhir:AuditEvent.agent.media [ Coding ]; # 0..1 Type of media
    fhir:AuditEvent.agent.network [ # 0..1 Logical network location for application activity
      fhir:AuditEvent.agent.network.address [ string ]; # 0..1 Identifier for the network access point of the user device
      fhir:AuditEvent.agent.network.type [ code ]; # 0..1 The type of network access point
    ];
    fhir:AuditEvent.agent.purposeOfUse [ Coding ], ... ; # 0..* Reason given for this user
  ], ...;
  fhir:AuditEvent.source [ # 1..1 Audit Event Reporter
    fhir:AuditEvent.source.site [ string ]; # 0..1 Logical source location within the enterprise
    fhir:AuditEvent.source.identifier [ Identifier ]; # 1..1 The identity of source detecting the event
    fhir:AuditEvent.source.type [ Coding ], ... ; # 0..* The type of source where event originated
  ];
  fhir:AuditEvent.entity [ # 0..* Data or objects used
    fhir:AuditEvent.entity.identifier [ Identifier ]; # 0..1 Specific instance of object
    fhir:AuditEvent.entity.reference [ Reference(Any) ]; # 0..1 Specific instance of resource
    fhir:AuditEvent.entity.type [ Coding ]; # 0..1 Type of entity involved
    fhir:AuditEvent.entity.role [ Coding ]; # 0..1 What role the entity played
    fhir:AuditEvent.entity.lifecycle [ Coding ]; # 0..1 Life-cycle stage for the entity
    fhir:AuditEvent.entity.securityLabel [ Coding ], ... ; # 0..* Security labels on the entity
    fhir:AuditEvent.entity.name [ string ]; # 0..1 Descriptor for entity
    fhir:AuditEvent.entity.description [ string ]; # 0..1 Descriptive text
    fhir:AuditEvent.entity.query [ base64Binary ]; # 0..1 Query parameters
    fhir:AuditEvent.entity.detail [ # 0..* Additional Information about the entity
      fhir:AuditEvent.entity.detail.type [ string ]; # 1..1 Name of the property
      fhir:AuditEvent.entity.detail.value [ base64Binary ]; # 1..1 Property value
    ], ...;
  ], ...;
]

Structure

Name	Flags	Card.	Type	Description & Constraints Description & Constraints
AuditEvent			DomainResource	Event record kept for security purposes event 1..1 BackboneElement What was done Event record kept for security purposes
type	Σ	1..1	Coding	Type/identifier of event Type/identifier of event Audit Event ID ( Audit Event ID ( Extensible )
subtype	Σ	0..*	Coding	More specific type/id for the event More specific type/id for the event Audit Event Sub-Type ( Audit Event Sub-Type ( Extensible )
action	Σ	0..1	code	Type of action performed during the event Type of action performed during the event AuditEventAction ( ( Required )
dateTime recorded	Σ	1..1	instant	Time when the event occurred on source Time when the event occurred on source
outcome	Σ	0..1	code	Whether the event succeeded or failed Whether the event succeeded or failed AuditEventOutcome ( ( Required )
outcomeDesc	Σ	0..1	string	Description of the event outcome Description of the event outcome
purposeOfEvent	Σ	0..*	Coding	The purposeOfUse of the event The purposeOfUse of the event PurposeOfUse ( ( Extensible )
participant agent		1..*	BackboneElement	A person, a hardware device or software process Actor involved in the event
role		0..*	CodeableConcept	User roles (e.g. local RBAC codes) Agent role in the event Audit Active Participant Role ID Code ( Audit agent Role ID Code ( Extensible )
reference	Σ	0..1	Reference ( Practitioner | | Organization | | Device | | Patient | | RelatedPerson )	Direct reference to resource Direct reference to resource
userId	Σ	0..1	Identifier	Unique identifier for the user Unique identifier for the user
altId		0..1	string	Alternative User id e.g. authentication Alternative User id e.g. authentication
name		0..1	string	Human-meaningful name for the user Human-meaningful name for the agent
requestor		1..1	boolean	Whether user is initiator Whether user is initiator
location		0..1	Reference ( Location )	Where
policy		0..*	uri	Policy that authorized event Policy that authorized event
media		0..1	Coding	Type of media Type of media Media Type Code ( Media Type Code ( Extensible )
network		0..1	BackboneElement	Logical network location for application activity Logical network location for application activity
address		0..1	string	Identifier for the network access point of the user device Identifier for the network access point of the user device
type		0..1	code	The type of network access point The type of network access point AuditEventParticipantNetworkType ( AuditEventAgentNetworkType ( Required )
purposeOfUse		0..*	Coding	Reason given for this user Reason given for this user PurposeOfUse ( ( Extensible )
source		1..1	BackboneElement	Application systems and processes Audit Event Reporter
site		0..1	string	Logical source location within the enterprise Logical source location within the enterprise
identifier	Σ	1..1	Identifier	The identity of source detecting the event The identity of source detecting the event
type		0..*	Coding	The type of source where event originated The type of source where event originated Audit Event Source Type ( Audit Event Source Type ( Extensible )
object entity	I	0..*	BackboneElement	Specific instances of data or objects that have been accessed Data or objects used Either a name or a query (NOT both) Either a name or a query (NOT both)
identifier	Σ	0..1	Identifier	Specific instance of object (e.g. versioned) Specific instance of object
reference	Σ	0..1	Reference ( Any )	Specific instance of resource (e.g. versioned) Specific instance of resource
type		0..1	Coding	Type of object involved Type of entity involved AuditEventObjectType ( AuditEventEntityType ( Extensible )
role		0..1	Coding	What role the Object played What role the entity played AuditEventObjectRole ( AuditEventEntityRole ( Extensible )
lifecycle		0..1	Coding	Life-cycle stage for the object Life-cycle stage for the entity AuditEventObjectLifecycle ( AuditEventEntityLifecycle ( Extensible )
securityLabel		0..*	Coding	Security labels applied to the object Security labels on the entity All Security Labels ( All Security Labels ( Extensible )
name	Σ I	0..1	string	Instance-specific descriptor for Object Descriptor for entity
description		0..1	string	Descriptive text Descriptive text
query	Σ I	0..1	base64Binary	Actual query for object Query parameters
detail		0..*	BackboneElement	Additional Information about the Object Additional Information about the entity
type		1..1	string	Name of the property Name of the property
value		1..1	base64Binary	Property value Property value
Documentation for this format Documentation for this format

UML Diagram UML Diagram ( Legend )

XML Template XML Template <

<AuditEvent xmlns="http://hl7.org/fhir"> 

 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <
  <</type>
  <</subtype>
  <
  <
  <
  <
  <</purposeOfEvent>
 </event>
 <
  <</role>
  <|

 <type><!-- 1..1 Coding Type/identifier of event --></type>
 <subtype><!-- 0..* Coding More specific type/id for the event --></subtype>
 <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
 <recorded value="[instant]"/><!-- 1..1 Time when the event occurred on source -->
 <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
 <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
 <purposeOfEvent><!-- 0..* Coding The purposeOfUse of the event --></purposeOfEvent>
 <agent>  <!-- 1..* Actor involved in the event -->
  <role><!-- 0..* CodeableConcept Agent role in the event --></role>
  <reference><!-- 0..1 Reference(Practitioner|Organization|Device|Patient|

    RelatedPerson) Direct reference to resource --></reference>
  <</userId>
  <
  <
  <
  <</location>
  <
  <</media>
  <
   <
   <

  <userId><!-- 0..1 Identifier Unique identifier for the user --></userId>
  <altId value="[string]"/><!-- 0..1 Alternative User id e.g. authentication -->
  <name value="[string]"/><!-- 0..1 Human-meaningful name for the agent -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->

  </network>
  <</purposeOfUse>
 </participant>
 <
  <
  <</identifier>
  <</type>

  <purposeOfUse><!-- 0..* Coding Reason given for this user --></purposeOfUse>
 </agent>
 <source>  <!-- 1..1 Audit Event Reporter -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <identifier><!-- 1..1 Identifier The identity of source detecting the event --></identifier>
  <type><!-- 0..* Coding The type of source where event originated --></type>

 </source>
 <
  <</identifier>
  <</reference>
  <</type>
  <</role>
  <</lifecycle>
  <</securityLabel>
  <
  <
  <
  <
   <
   <

 <entity>  <!-- 0..* Data or objects used -->
  <identifier><!-- 0..1 Identifier Specific instance of object --></identifier>
  <reference><!-- 0..1 Reference(Any) Specific instance of resource --></reference>
  <type><!-- 0..1 Coding Type of entity involved --></type>
  <role><!-- 0..1 Coding What role the entity played --></role>
  <lifecycle><!-- 0..1 Coding Life-cycle stage for the entity --></lifecycle>
  <securityLabel><!-- 0..* Coding Security labels on the entity --></securityLabel>
  <name value="[string]"/><!--  0..1 Descriptor for entity -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!--  0..1 Query parameters -->
  <detail>  <!-- 0..* Additional Information about the entity -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value value="[base64Binary]"/><!-- 1..1 Property value -->

  </detail>
 </object>

 </entity>

</AuditEvent>

JSON Template JSON Template { "resourceType" : "",

{
  "resourceType" : "AuditEvent",

  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "
    "
    "
    "
    "
    "
    "
    "
  },
  "
    "
    "|

  "type" : { Coding }, // R!  Type/identifier of event
  "subtype" : [{ Coding }], // More specific type/id for the event
  "action" : "<code>", // Type of action performed during the event
  "recorded" : "<instant>", // R!  Time when the event occurred on source
  "outcome" : "<code>", // Whether the event succeeded or failed
  "outcomeDesc" : "<string>", // Description of the event outcome
  "purposeOfEvent" : [{ Coding }], // The purposeOfUse of the event
  "agent" : [{ // R!  Actor involved in the event
    "role" : [{ CodeableConcept }], // Agent role in the event
    "reference" : { Reference(Practitioner|Organization|Device|Patient|

    RelatedPerson) }, // Direct reference to resource
    "
    "
    "
    "
    "
    "
    "
    "
      "
      "

    "userId" : { Identifier }, // Unique identifier for the user
    "altId" : "<string>", // Alternative User id e.g. authentication
    "name" : "<string>", // Human-meaningful name for the agent
    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "address" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point

    },
    "

    "purposeOfUse" : [{ Coding }] // Reason given for this user

  }],
  "
    "
    "
    "

  "source" : { // R!  Audit Event Reporter
    "site" : "<string>", // Logical source location within the enterprise
    "identifier" : { Identifier }, // R!  The identity of source detecting the event
    "type" : [{ Coding }] // The type of source where event originated

  },
  "
    "
    "
    "
    "
    "
    "
    "
    "
    "
    "
      "
      "

  "entity" : [{ // Data or objects used
    "identifier" : { Identifier }, // Specific instance of object
    "reference" : { Reference(Any) }, // Specific instance of resource
    "type" : { Coding }, // Type of entity involved
    "role" : { Coding }, // What role the entity played
    "lifecycle" : { Coding }, // Life-cycle stage for the entity
    "securityLabel" : [{ Coding }], // Security labels on the entity
    "name" : "<string>", // C? Descriptor for entity
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Query parameters
    "detail" : [{ // Additional Information about the entity
      "type" : "<string>", // R!  Name of the property
      "value" : "<base64Binary>" // R!  Property value

    }]
  }]
}
 
Alternate
definitions:

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .


[ a fhir:AuditEvent;
  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: .id, .meta, .implicitRules, and .language
  # from DomainResource: .text, .contained, .extension, and .modifierExtension
  fhir:AuditEvent.type [ Coding ]; # 1..1 Type/identifier of event
  fhir:AuditEvent.subtype [ Coding ], ... ; # 0..* More specific type/id for the event
  fhir:AuditEvent.action [ code ]; # 0..1 Type of action performed during the event
  fhir:AuditEvent.recorded [ instant ]; # 1..1 Time when the event occurred on source
  fhir:AuditEvent.outcome [ code ]; # 0..1 Whether the event succeeded or failed
  fhir:AuditEvent.outcomeDesc [ string ]; # 0..1 Description of the event outcome
  fhir:AuditEvent.purposeOfEvent [ Coding ], ... ; # 0..* The purposeOfUse of the event
  fhir:AuditEvent.agent [ # 1..* Actor involved in the event
    fhir:AuditEvent.agent.role [ CodeableConcept ], ... ; # 0..* Agent role in the event
    fhir:AuditEvent.agent.reference [ Reference(Practitioner|Organization|Device|Patient|RelatedPerson) ]; # 0..1 Direct reference to resource
    fhir:AuditEvent.agent.userId [ Identifier ]; # 0..1 Unique identifier for the user
    fhir:AuditEvent.agent.altId [ string ]; # 0..1 Alternative User id e.g. authentication
    fhir:AuditEvent.agent.name [ string ]; # 0..1 Human-meaningful name for the agent
    fhir:AuditEvent.agent.requestor [ boolean ]; # 1..1 Whether user is initiator
    fhir:AuditEvent.agent.location [ Reference(Location) ]; # 0..1 Where
    fhir:AuditEvent.agent.policy [ uri ], ... ; # 0..* Policy that authorized event
    fhir:AuditEvent.agent.media [ Coding ]; # 0..1 Type of media
    fhir:AuditEvent.agent.network [ # 0..1 Logical network location for application activity
      fhir:AuditEvent.agent.network.address [ string ]; # 0..1 Identifier for the network access point of the user device
      fhir:AuditEvent.agent.network.type [ code ]; # 0..1 The type of network access point
    ];
    fhir:AuditEvent.agent.purposeOfUse [ Coding ], ... ; # 0..* Reason given for this user
  ], ...;
  fhir:AuditEvent.source [ # 1..1 Audit Event Reporter
    fhir:AuditEvent.source.site [ string ]; # 0..1 Logical source location within the enterprise
    fhir:AuditEvent.source.identifier [ Identifier ]; # 1..1 The identity of source detecting the event
    fhir:AuditEvent.source.type [ Coding ], ... ; # 0..* The type of source where event originated
  ];
  fhir:AuditEvent.entity [ # 0..* Data or objects used
    fhir:AuditEvent.entity.identifier [ Identifier ]; # 0..1 Specific instance of object
    fhir:AuditEvent.entity.reference [ Reference(Any) ]; # 0..1 Specific instance of resource
    fhir:AuditEvent.entity.type [ Coding ]; # 0..1 Type of entity involved
    fhir:AuditEvent.entity.role [ Coding ]; # 0..1 What role the entity played
    fhir:AuditEvent.entity.lifecycle [ Coding ]; # 0..1 Life-cycle stage for the entity
    fhir:AuditEvent.entity.securityLabel [ Coding ], ... ; # 0..* Security labels on the entity
    fhir:AuditEvent.entity.name [ string ]; # 0..1 Descriptor for entity
    fhir:AuditEvent.entity.description [ string ]; # 0..1 Descriptive text
    fhir:AuditEvent.entity.query [ base64Binary ]; # 0..1 Query parameters
    fhir:AuditEvent.entity.detail [ # 0..* Additional Information about the entity
      fhir:AuditEvent.entity.detail.type [ string ]; # 1..1 Name of the property
      fhir:AuditEvent.entity.detail.value [ base64Binary ]; # 1..1 Property value
    ], ...;
  ], ...;
]

Changes since DSTU2

AuditEvent
AuditEvent.type	added
AuditEvent.subtype	added
AuditEvent.action	added
AuditEvent.recorded	added
AuditEvent.outcome	added
AuditEvent.outcomeDesc	added
AuditEvent.purposeOfEvent	added
AuditEvent.agent	Renamed from participant to agent
AuditEvent.entity	Renamed from object to entity
AuditEvent.event	deleted

See the Full Difference for further information