R6 Ballot (1st Full Ballot)

This page is part of the FHIR Specification (v6.0.0-ballot4: Release 6 Ballot (1st Full Ballot); see Ballot Notes). The current version is 5.0.0. For a full list of available versions, see the Directory of published versions. Page versions: R5 R4B R4 R3 R2

6.4 Resource AuditEvent - Content

Responsible Owner: Security Work Group Maturity Level: 3 Trial Use Normative Security Category: Not Classified Compartments: Device, Group, Patient, Practitioner

A record of an event relevant for purposes such as operations, privacy, security, maintenance, and performance analysis.

The audit event is based on the IHE-ATNA Audit record definitions, originally from RFC 3881, and now managed by DICOM (see DICOM Part 15 Annex A5).

  • ASTM E2147 - Set up the concept of security audit logs for healthcare including accounting of disclosures
  • IETF RFC 3881 - Defined the Information Model (IETF rule forced this to be informative)
  • DICOM Audit Log Message - Made the information model Normative, defined Vocabulary, Transport Binding, and Schema
  • IHE ATNA - Defines the grouping with secure transport and access controls; and defined specific audit log records for specific IHE transactions.
  • NIST SP800-92 - Shows how to do audit log management and reporting - consistent with our model
  • HL7 PASS - Defined an Audit Service with responsibilities and a query interface for reporting use
  • ISO 27789 - Defined the subset of audit events that an EHR would need
  • ISO/HL7 10781 EHR System Functional Model Release 2
  • ISO 21089 Trusted End-to-End Information Flows

This resource is managed collaboratively between HL7, DICOM, and IHE.

A record of an event relevant for purposes such as operations, privacy, security, maintenance, and performance analysis.

All actors - such as applications, processes, and services - involved in an auditable event SHOULD record an AuditEvent. This will likely result in multiple AuditEvent entries that show whether privacy and security safeguards, such as access control, are properly functioning across an enterprise's system-of-systems. Thus, it is typical to get an auditable event recorded by both the application in a workflow process and the servers that support them. For this reason, duplicate entries are expected, which is helpful because it MAY aid in the detection of security, privacy, or other operational problems. For example, fewer than expected actors being recorded in a multi-actor process, or attributes related to those records being in conflict, is an indication of a security problem. There MAY be non-participating actors, such as a trusted intermediary, that also detect a security, privacy, or operational relevant event and thus would record an AuditEvent.
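The cross-check described in this paragraph, as an added example that is not part of the FHIR specification: AuditEvents from several observers are grouped per activity, and a group is flagged when an expected observer is missing or when recorded outcomes or requestors conflict. The correlation key (action, patient, entity references, a short `recorded` window), the outcome codes `success`/`failure`, the helper names and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CLIENT = "Device/client-app"      # constructed observer identities
SERVER = "Device/fhir-server"
EXPECTED_OBSERVERS = [CLIENT, SERVER]


def make_event(observer, outcome, recorded, entity_ref, who="Practitioner/dr-a"):
    """Build a minimal AuditEvent dict (constructed sample, not spec data)."""
    return {
        "resourceType": "AuditEvent",
        "type": {"coding": [{"code": "rest"}]},
        "action": "R",
        "recorded": recorded,
        "outcome": {"code": {"code": outcome}},   # placeholder outcome codes
        "patient": {"reference": "Patient/p-1"},
        "agent": [{"who": {"reference": who}, "requestor": True}],
        "source": {"observer": {"reference": observer}},
        "entity": [{"what": {"reference": entity_ref}}],
    }


def _instant(ev):
    return datetime.fromisoformat(ev["recorded"].replace("Z", "+00:00"))


def correlation_key(ev):
    """Assumed correlation: same action, same patient, same set of entities."""
    entities = frozenset(
        e["what"]["reference"] for e in ev.get("entity", []) if "what" in e
    )
    return ev.get("action"), ev.get("patient", {}).get("reference"), entities


def check_cluster(key, cluster, expected_observers):
    """Compare the records that different observers made of one activity."""
    entities = sorted(key[2])
    findings = []
    seen = {ev["source"]["observer"]["reference"] for ev in cluster}
    missing = sorted(set(expected_observers) - seen)
    if missing:  # fewer actors recorded the event than expected
        findings.append(("missing-observer", entities, missing))
    outcomes = sorted(
        {ev.get("outcome", {}).get("code", {}).get("code", "absent") for ev in cluster}
    )
    if len(outcomes) > 1:  # attributes of the duplicate records disagree
        findings.append(("outcome-conflict", entities, outcomes))
    requestors = sorted(
        {a["who"]["reference"] for ev in cluster for a in ev["agent"] if a.get("requestor")}
    )
    if len(requestors) > 1:
        findings.append(("requestor-conflict", entities, requestors))
    return findings


def find_discrepancies(events, expected_observers, window_seconds=5):
    """Group events per activity and report missing or conflicting records."""
    groups = defaultdict(list)
    for ev in events:
        groups[correlation_key(ev)].append(ev)
    window = timedelta(seconds=window_seconds)
    findings = []
    for key, evs in groups.items():
        evs.sort(key=_instant)
        cluster = [evs[0]]
        for ev in evs[1:]:
            if _instant(ev) - _instant(cluster[0]) <= window:
                cluster.append(ev)          # same activity, another observer
            else:
                findings += check_cluster(key, cluster, expected_observers)
                cluster = [ev]              # a later, separate activity
        findings += check_cluster(key, cluster, expected_observers)
    return findings


# Constructed sample feed: obs-1 is consistent, obs-2 lacks the client record,
# obs-3 has conflicting outcomes, obs-4 has conflicting requestors.
SAMPLE_EVENTS = [
    make_event(CLIENT, "success", "2024-05-01T10:00:00Z", "Observation/obs-1"),
    make_event(SERVER, "success", "2024-05-01T10:00:01Z", "Observation/obs-1"),
    make_event(SERVER, "success", "2024-05-01T10:05:00Z", "Observation/obs-2"),
    make_event(CLIENT, "success", "2024-05-01T10:10:00Z", "Observation/obs-3"),
    make_event(SERVER, "failure", "2024-05-01T10:10:02Z", "Observation/obs-3"),
    make_event(CLIENT, "success", "2024-05-01T10:20:00Z", "Observation/obs-4"),
    make_event(SERVER, "success", "2024-05-01T10:20:01Z", "Observation/obs-4",
               who="Practitioner/dr-b"),
]

if __name__ == "__main__":
    for finding in find_discrepancies(SAMPLE_EVENTS, EXPECTED_OBSERVERS):
        print(finding)
```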

Security relevant events are not limited to communications or RESTful events. They include:

  • software start-up and shutdown;
  • user login and logout;
  • access control decisions;
  • configuration events;
  • software installation;
  • policy rules changes; and
  • manipulation of data that exposes the data to users.

See the Audit Event Category vocabulary for guidance on some security relevant event categories.

The AuditEvent resource holds the details of an event in terms of who, what, where, when, and why. The identification of who participated is recorded as the agent. An agent can be a person, an organization, software, device, or other actors that MAY be ascribed responsibility. What objects were used/created/updated is recorded as the entity. An entity is an identifiable physical, digital, conceptual or other kind of thing; entities MAY be real or imaginary.

The content of an AuditEvent is primarily intended for administrative use; used by security system administrators, security and privacy information managers, records management personnel, etc. The AuditEvent MAY also inform the Patient about uses of their data. This content can be used to support patients for gaining insight into who and what has been done. The AuditEvent record includes very sensitive information so access to the AuditEvent would be highly privileged and controlled. For example, when providing AuditEvent to a patient the AuditEvent data feed would typically be limited to the Patient compartment, and the content MAY be subsetted or masked in order to meet privacy needs. The AuditEvent record is not intended to replace other audit logs, but rather used to enhance them, or to be used as an API to many audit logs.
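A patient-facing feed of the kind this paragraph describes, as an added example that is not part of the FHIR specification: events are limited to those that reference the patient, and each copy is subsetted and masked before release. Which elements are dropped or masked, the compartment test used (the `patient`, `agent.who` or `entity.what` reference), the function names and the sample events are assumptions chosen for illustration.

```python
import copy

# Assumed masking policy: agent elements withheld from the patient-facing copy.
AGENT_DROP = ("networkReference", "networkUri", "networkString", "policy", "location")
# Entity elements withheld because they can carry raw queries or free-form values.
ENTITY_DROP = ("query", "detail")


def _ref(node):
    return (node or {}).get("reference")


def in_patient_compartment(event, patient_ref):
    """True when the event references the patient (assumed compartment test)."""
    if _ref(event.get("patient")) == patient_ref:
        return True
    if any(_ref(a.get("who")) == patient_ref for a in event.get("agent", [])):
        return True
    return any(_ref(e.get("what")) == patient_ref for e in event.get("entity", []))


def _type_only(reference_node):
    """Replace a reference with its resource type, e.g. Practitioner/dr-a -> Practitioner."""
    ref = _ref(reference_node)
    if not ref:
        return reference_node
    parts = ref.rstrip("/").split("/")
    return {"display": parts[-2] if len(parts) >= 2 else "Unknown"}


def mask_for_patient(event, patient_ref):
    """Return a subsetted, masked copy; the stored AuditEvent is never modified."""
    out = copy.deepcopy(event)
    for agent in out.get("agent", []):
        for key in AGENT_DROP:
            agent.pop(key, None)
        if _ref(agent.get("who")) != patient_ref:
            agent["who"] = _type_only(agent.get("who"))
    for entity in out.get("entity", []):
        for key in ENTITY_DROP:
            entity.pop(key, None)
    source = out.get("source", {})
    source.pop("site", None)
    if "observer" in source:
        source["observer"] = _type_only(source["observer"])
    return out


def patient_feed(events, patient_ref):
    """Limit the feed to the patient's events, then mask each one."""
    return [
        mask_for_patient(ev, patient_ref)
        for ev in events
        if in_patient_compartment(ev, patient_ref)
    ]


# Constructed sample events (not spec data).
SAMPLE_EVENTS = [
    {
        "resourceType": "AuditEvent",
        "action": "R",
        "recorded": "2024-05-01T10:00:00Z",
        "patient": {"reference": "Patient/p-1"},
        "agent": [{
            "who": {"reference": "Practitioner/dr-a"},
            "requestor": True,
            "networkString": "10.0.0.5",
            "policy": ["http://example.org/policy/consent-1"],
        }],
        "source": {"observer": {"reference": "Device/fhir-server"}},
        "entity": [{
            "what": {"reference": "Observation/obs-1"},
            "query": "cGF0aWVudD1wLTE=",
        }],
    },
    {
        "resourceType": "AuditEvent",
        "action": "R",
        "recorded": "2024-05-01T10:01:00Z",
        "patient": {"reference": "Patient/p-2"},
        "agent": [{"who": {"reference": "Practitioner/dr-a"}, "requestor": True}],
        "source": {"observer": {"reference": "Device/fhir-server"}},
        "entity": [{"what": {"reference": "Observation/obs-7"}}],
    },
]

if __name__ == "__main__":
    for ev in patient_feed(SAMPLE_EVENTS, "Patient/p-1"):
        print(ev)
```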

Relationship of AuditEvent and Provenance

AuditEvent resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource "came to be" in its current state, e.g., whether it was created de novo or obtained from another entity in whole, part, or by transformation. Provenance resources are prepared by the application that initiates the create/update of the resource and MAY be persisted with the target resource.

Structure

Name Flags Card. Type Description & Constraints
. . AuditEvent TU N DomainResource Record of an event
Elements defined in Ancestors: id, meta, implicitRules, language, text, contained, extension, modifierExtension
. . . type Σ 1..1 CodeableConcept High level categorization of audit event
Binding: Example Audit Event ID (Example)
. . . subtype Σ 0..* CodeableConcept Specific type of event
Binding: Example Audit Event Sub-Type (Example)
. . . action Σ 0..1 code Type of action performed during the event
Binding: Audit Event Action (Required)
. . . occurred[x] 0..1 When the activity occurred
. . . . occurredPeriod Period
. . . . occurredDateTime dateTime
. . . recorded Σ 1..1 instant Time when the event was recorded
. . . outcome Σ 0..1 BackboneElement Whether the event succeeded or failed
. . . . code Σ 1..1 Coding Whether the event succeeded or failed
Binding: Example Audit Event Outcome (Preferred)
. . . . detail Σ 0..* CodeableConcept Additional outcome detail
Binding: Example Audit Event Outcome Detail (Example)
. . . authorization Σ 0..* CodeableConcept Authorization related to the event
Binding: PurposeOfUse (Example)
. . . basedOn 0..* Reference(Any) Workflow authorization within which this event occurred
. . . patient Σ 0..1 Reference(Patient) The patient is the subject of the data used/created/updated/deleted during the activity
. . . encounter 0..1 Reference(Encounter) Encounter within which this event occurred or which the event is tightly associated
. . . agent Σ 1..* BackboneElement Actor involved in the event
. . . . type 0..1 CodeableConcept How agent participated
Binding: Participation Role Type (Preferred)
. . . . role 0..* CodeableConcept Agent role in the event
Binding: Example Security Role Type (Example)
. . . . who Σ 1..1 Reference(Practitioner | PractitionerRole | Organization | CareTeam | Patient | Device | DeviceDefinition | RelatedPerson | Group | HealthcareService) Identifier of who
. . . . requestor Σ 0..1 boolean Whether user is initiator
. . . . location 0..1 Reference(Location) The agent location when the event occurred
. . . . policy 0..* uri Policy that authorized the agent participation in the event
. . . . network[x] 0..1 This agent network location for the activity
. . . . . networkReference Reference(Endpoint)
. . . . . networkUri uri
. . . . . networkString string
. . . . authorization 0..* CodeableConcept Allowable authorization for this agent
Binding: PurposeOfUse (Example)
. . . source Σ 1..1 BackboneElement Audit Event Reporter
. . . . site 0..1 Reference(Location) Logical source location within the enterprise
. . . . observer Σ 1..1 Reference(Practitioner | PractitionerRole | Organization | CareTeam | Patient | Device | RelatedPerson) The identity of source detecting the event
. . . . type 0..* CodeableConcept The type of source where event originated
Binding: Audit Event Source Type (Preferred)
. . . entity Σ 0..* BackboneElement Data or objects used
. . . . what Σ 0..1 Reference(Any) Specific instance of resource
. . . . role 0..1 CodeableConcept What role the entity played
Binding: Example Audit Event Entity Role (Example)
. . . . securityLabel 0..* CodeableConcept Security labels on the entity
Binding: Example set of Security Labels (Example)
. . . . description 0..1 string Descriptive text
. . . . query Σ 0..1 base64Binary Query parameters
. . . . detail 0..* BackboneElement Additional Information about the entity
. . . . . type 1..1 CodeableConcept The name of the extra detail property
Binding: Example value set Audit Event Entity Detail Type (Example)
. . . . . value[x] 1..1 Property value
. . . . . . valueQuantity Quantity
. . . . . . valueCodeableConcept CodeableConcept
. . . . . . valueString string
. . . . . . valueBoolean boolean
. . . . . . valueInteger integer
. . . . . . valueRange Range
. . . . . . valueRatio Ratio
. . . . . . valueTime time
. . . . . . valueDateTime dateTime
. . . . . . valuePeriod Period
. . . . . . valueBase64Binary base64Binary
. . . . agent 0..* see agent Entity is attributed to this agent


See the Extensions for this resource

UML Diagram

AuditEvent (DomainResource)

  • type : CodeableConcept [1..1] (binding strength Example: AuditEventIDExample) - Partitions the audit event into one or more categories that can be used to filter searching, to govern access control and/or to guide system behavior
  • subtype : CodeableConcept [0..*] (binding strength Example: AuditEventSubTypeExample) - Describes what happened. The most specific codes for the event
  • action : code [0..1] (binding strength Required: AuditEventAction) - Indicator for type of action performed during the event that generated the audit
  • severity : code [0..1] (binding strength Required: AuditEventSeverity) - Indicates and enables segmentation of various severity including debugging from critical
  • occurred[x] : Period | dateTime [0..1] - The time or period during which the activity occurred
  • recorded : instant [1..1] - The time when the event was recorded
  • authorization : CodeableConcept [0..*] (binding strength Example: PurposeOfUse) - The authorization (e.g., PurposeOfUse) that was used during the event being recorded
  • basedOn : Reference(Any) [0..*] - Allows tracing of authorization for the events and tracking whether proposals/recommendations were acted upon
  • patient : Reference(Patient) [0..1] - The patient element is available to enable deterministic tracking of activities that involve the patient as the subject of the data used in an activity
  • encounter : Reference(Encounter) [0..1] - This will typically be the encounter the event occurred, but some events MAY be initiated prior to or after the official completion of an encounter but still be tied to the context of the encounter (e.g. pre-admission lab tests)
  • outcome [0..1] - Indicates whether the event succeeded or failed. A free text description can be given in outcome.text
  • agent [1..*] - An actor taking an active role in the event or activity that is logged
  • source [1..1] - The system that is reporting the event
  • entity [0..*] - Specific instances of data or objects that have been accessed

Outcome

  • code : Coding [1..1] (binding strength Preferred: AuditEventOutcomeExample) - Indicates whether the event succeeded or failed
  • detail : CodeableConcept [0..*] (binding strength Example: AuditEventOutcomeDetailExample) - Additional details about the error. This MAY be a text description of the error or a system code that identifies the error

Agent

  • type : CodeableConcept [0..1] (binding strength Preferred: ParticipationRoleType) - The Functional Role of the user when performing the event
  • role : CodeableConcept [0..*] (binding strength Example: SecurityRoleTypeExamples) - The structural roles of the agent indicating the agent's competency. The security role enabling the agent with respect to the activity
  • who : Reference(Practitioner | PractitionerRole | Organization | CareTeam | Patient | Device | DeviceDefinition | RelatedPerson | Group | HealthcareService) [1..1] - Reference to who this agent is that was involved in the event
  • requestor : boolean [0..1] - Indicator that the user is or is not the requestor, or initiator, for the event being audited
  • location : Reference(Location) [0..1] - Where the agent location is known, the agent location when the event occurred
  • policy : uri [0..*] - Where the policy(ies) are known that authorized the agent participation in the event. Typically, a single activity MAY have multiple applicable policies, such as patient consent, guarantor funding, etc. The policy would also indicate the security token used
  • network[x] : Reference(Endpoint) | uri | string [0..1] - When the event utilizes a network there SHOULD be an agent describing the local system, and an agent describing remote system, with the network interface details
  • authorization : CodeableConcept [0..*] (binding strength Example: PurposeOfUse) - The authorization (e.g., PurposeOfUse) that was used during the event being recorded

Source

  • site : Reference(Location) [0..1] - Logical source location within the healthcare enterprise network. For example, a hospital or other provider location within a multi-entity provider group
  • observer : Reference(Practitioner | PractitionerRole | Organization | CareTeam | Patient | Device | RelatedPerson) [1..1] - Identifier of the source where the event was detected
  • type : CodeableConcept [0..*] (binding strength Preferred: AuditEventSourceType) - Code specifying the type of source where event originated

Entity

  • what : Reference(Any) [0..1] - Identifies a specific instance of the entity. The reference SHOULD be version specific. This is allowed to be a Parameters resource
  • role : CodeableConcept [0..1] (binding strength Example: AuditEventEntityRoleExample) - Code representing the role the entity played in the event being audited
  • securityLabel : CodeableConcept [0..*] (binding strength Example: SecurityLabelExamples) - Security labels for the identified entity
  • description : string [0..1] - Text that describes the entity in more detail
  • query : base64Binary [0..1] - The query parameters for a query-type entities
  • detail [0..*] - Tagged value pairs for conveying additional information about the entity
  • agent [0..*] - The entity is attributed to an agent to express the agent's responsibility for that entity in the activity. This is most used to indicate when persistence media (the entity) are used by an agent. For example when importing data from a device, the device would be described in an entity, and the user importing data from that media would be indicated as the entity.agent

Detail

  • type : CodeableConcept [1..1] (binding strength Example: AuditEventEntityDetailTypeExa...) - The name of extra detail provided in the value. This element is the tag for the value. Where a simple string is used for the tag name, use the CodeableConcept.display element
  • value[x] : Quantity | CodeableConcept | string | boolean | integer | Range | Ratio | time | dateTime | Period | base64Binary [1..1] - The value of the extra detail

XML Template

<AuditEvent xmlns="http://hl7.org/fhir">

 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <type><!-- 1..1 CodeableConcept High level categorization of audit event --></type>
 <subtype><!-- 0..* CodeableConcept Specific type of event --></subtype>

 <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
 <severity value="[code]"/><!-- 0..1 emergency | alert | critical | error | warning | notice | informational | debug -->
 <occurred[x]><!-- 0..1 Period|dateTime When the activity occurred --></occurred[x]>

 <recorded value="[instant]"/><!-- 1..1 Time when the event was recorded -->
 <outcome>  <!-- 0..1 Whether the event succeeded or failed -->
  <code><!-- 1..1 Coding Whether the event succeeded or failed --></code>
  <detail><!-- 0..* CodeableConcept Additional outcome detail --></detail>
 </outcome>
 <authorization><!-- 0..* CodeableConcept Authorization related to the event --></authorization>
 <basedOn><!-- 0..* Reference(Any) Workflow authorization within which this event occurred --></basedOn>
 <patient><!-- 0..1 Reference(Patient) The patient is the subject of the data used/created/updated/deleted during the activity --></patient>
 <encounter><!-- 0..1 Reference(Encounter) Encounter within which this event occurred or which the event is tightly associated --></encounter>

 <agent>  <!-- 1..* Actor involved in the event -->
  <type><!-- 0..1 CodeableConcept How agent participated --></type>
  <role><!-- 0..* CodeableConcept Agent role in the event --></role>
  <who><!-- 1..1 Reference(CareTeam|Device|DeviceDefinition|Group|
    HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
    RelatedPerson) Identifier of who --></who>

  <requestor value="[boolean]"/><!-- 0..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) The agent location when the event occurred --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized the agent participation in the event -->
  <network[x]><!-- 0..1 Reference(Endpoint)|uri|string This agent network location for the activity --></network[x]>
  <authorization><!-- 0..* CodeableConcept Allowable authorization for this agent --></authorization>

 </agent>
 <source>  <!-- 1..1 Audit Event Reporter -->
  <site><!-- 0..1 Reference(Location) Logical source location within the enterprise --></site>
  <observer><!-- 1..1 Reference(CareTeam|Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) The identity of source detecting the event --></observer>

  <type><!-- 0..* CodeableConcept The type of source where event originated --></type>

 </source>
 <entity>  <!-- 0..* Data or objects used -->
  <what><!-- 0..1 Reference(Any) Specific instance of resource --></what>
  <role><!-- 0..1 CodeableConcept What role the entity played --></role>
  <securityLabel><!-- 0..* CodeableConcept Security labels on the entity --></securityLabel>

  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!-- 0..1 Query parameters -->

  <detail>  <!-- 0..* Additional Information about the entity -->
   <type><!-- 1..1 CodeableConcept The name of the extra detail property --></type>
   <value[x]><!-- 1..1 Quantity|CodeableConcept|string|boolean|integer|Range|
     Ratio|time|dateTime|Period|base64Binary Property value --></value[x]>
  </detail>
  <agent><!-- 0..* Content as for AuditEvent.agent Entity is attributed to this agent --></agent>

 </entity>
</AuditEvent>

JSON Template

{
  "resourceType" : "AuditEvent",

  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension

  "type" : { CodeableConcept }, // R!  High level categorization of audit event
  "subtype" : [{ CodeableConcept }], // Specific type of event

  "action" : "<code>", // Type of action performed during the event
  "severity" : "<code>", // emergency | alert | critical | error | warning | notice | informational | debug
  // occurred[x]: When the activity occurred. One of these 2:

  "occurredPeriod" : { Period },
  "occurredDateTime" : "<dateTime>",

  "recorded" : "<instant>", // R!  Time when the event was recorded
  "outcome" : { // Whether the event succeeded or failed
    "code" : { Coding }, // R!  Whether the event succeeded or failed
    "detail" : [{ CodeableConcept }] // Additional outcome detail
  },
  "authorization" : [{ CodeableConcept }], // Authorization related to the event
  "basedOn" : [{ Reference(Any) }], // Workflow authorization within which this event occurred
  "patient" : { Reference(Patient) }, // The patient is the subject of the data used/created/updated/deleted during the activity
  "encounter" : { Reference(Encounter) }, // Encounter within which this event occurred or which the event is tightly associated

  "agent" : [{ // R!  Actor involved in the event
    "type" : { CodeableConcept }, // How agent participated
    "role" : [{ CodeableConcept }], // Agent role in the event
    "who" : { Reference(CareTeam|Device|DeviceDefinition|Group|
    HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
    RelatedPerson) }, // R!  Identifier of who

    "requestor" : <boolean>, // Whether user is initiator
    "location" : { Reference(Location) }, // The agent location when the event occurred
    "policy" : ["<uri>"], // Policy that authorized the agent participation in the event
    // network[x]: This agent network location for the activity. One of these 3:

    "networkReference" : { Reference(Endpoint) },
    "networkUri" : "<uri>",
    "networkString" : "<string>",
    "authorization" : [{ CodeableConcept }] // Allowable authorization for this agent

  }],
  "source" : { // R!  Audit Event Reporter
    "site" : { Reference(Location) }, // Logical source location within the enterprise
    "observer" : { Reference(CareTeam|Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) }, // R!  The identity of source detecting the event

    "type" : [{ CodeableConcept }] // The type of source where event originated

  },
  "entity" : [{ // Data or objects used
    "what" : { Reference(Any) }, // Specific instance of resource
    "role" : { CodeableConcept }, // What role the entity played
    "securityLabel" : [{ CodeableConcept }], // Security labels on the entity

    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // Query parameters

    "detail" : [{ // Additional Information about the entity
      "type" : { CodeableConcept }, // R!  The name of the extra detail property
      // value[x]: Property value. One of these 11:

      "valueQuantity" : { Quantity },
      "valueCodeableConcept" : { CodeableConcept },
      "valueString" : "<string>",
      "valueBoolean" : <boolean>,
      "valueInteger" : <integer>,
      "valueRange" : { Range },
      "valueRatio" : { Ratio },
      "valueTime" : "<time>",
      "valueDateTime" : "<dateTime>",
      "valuePeriod" : { Period },

      "valueBase64Binary" : "<base64Binary>"
    }],
    "agent" : [{ Content as for AuditEvent.agent }] // Entity is attributed to this agent

  }]
}

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .

[ a fhir:AuditEvent;
  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: fhir:id, fhir:meta, fhir:implicitRules, and fhir:language
  # from DomainResource: fhir:text, fhir:contained, fhir:extension, and fhir:modifierExtension
  fhir:type [ CodeableConcept ] ; # 1..1 High level categorization of audit event
  fhir:subtype  ( [ CodeableConcept ] ... ) ; # 0..* Specific type of event
  fhir:action [ code ] ; # 0..1 Type of action performed during the event
  fhir:severity [ code ] ; # 0..1 emergency | alert | critical | error | warning | notice | informational | debug
  # occurred[x] : 0..1 When the activity occurred. One of these 2
    fhir:occurred [  a fhir:Period ; Period ]
    fhir:occurred [  a fhir:DateTime ; dateTime ]
  fhir:recorded [ instant ] ; # 1..1 Time when the event was recorded
  fhir:outcome [ # 0..1 Whether the event succeeded or failed
    fhir:code [ Coding ] ; # 1..1 Whether the event succeeded or failed
    fhir:detail  ( [ CodeableConcept ] ... ) ; # 0..* Additional outcome detail
  ] ;
  fhir:authorization  ( [ CodeableConcept ] ... ) ; # 0..* Authorization related to the event
  fhir:basedOn  ( [ Reference(Any) ] ... ) ; # 0..* Workflow authorization within which this event occurred
  fhir:patient [ Reference(Patient) ] ; # 0..1 The patient is the subject of the data used/created/updated/deleted during the activity
  fhir:encounter [ Reference(Encounter) ] ; # 0..1 Encounter within which this event occurred or which the event is tightly associated
  fhir:agent ( [ # 1..* Actor involved in the event
    fhir:type [ CodeableConcept ] ; # 0..1 How agent participated
    fhir:role  ( [ CodeableConcept ] ... ) ; # 0..* Agent role in the event
    fhir:who [ Reference(CareTeam|Device|DeviceDefinition|Group|HealthcareService|Organization|Patient|
  Practitioner|PractitionerRole|RelatedPerson) ] ; # 1..1 Identifier of who

    fhir:requestor [ boolean ] ; # 0..1 Whether user is initiator
    fhir:location [ Reference(Location) ] ; # 0..1 The agent location when the event occurred
    fhir:policy  ( [ uri ] ... ) ; # 0..* Policy that authorized the agent participation in the event
    # network[x] : 0..1 This agent network location for the activity. One of these 3
      fhir:network [  a fhir:Reference ; Reference(Endpoint) ]
      fhir:network [  a fhir:Uri ; uri ]
      fhir:network [  a fhir:String ; string ]
    fhir:authorization  ( [ CodeableConcept ] ... ) ; # 0..* Allowable authorization for this agent
  ] ... ) ;
  fhir:source [ # 1..1 Audit Event Reporter
    fhir:site [ Reference(Location) ] ; # 0..1 Logical source location within the enterprise
    fhir:observer [ Reference(CareTeam|Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ] ; # 1..1 The identity of source detecting the event
    fhir:type  ( [ CodeableConcept ] ... ) ; # 0..* The type of source where event originated
  ] ;
  fhir:entity ( [ # 0..* Data or objects used
    fhir:what [ Reference(Any) ] ; # 0..1 Specific instance of resource
    fhir:role [ CodeableConcept ] ; # 0..1 What role the entity played
    fhir:securityLabel  ( [ CodeableConcept ] ... ) ; # 0..* Security labels on the entity
    fhir:description [ string ] ; # 0..1 Descriptive text
    fhir:query [ base64Binary ] ; # 0..1 Query parameters
    fhir:detail ( [ # 0..* Additional Information about the entity
      fhir:type [ CodeableConcept ] ; # 1..1 The name of the extra detail property
      # value[x] : 1..1 Property value. One of these 11
        fhir:value [  a fhir:Quantity ; Quantity ]
        fhir:value [  a fhir:CodeableConcept ; CodeableConcept ]
        fhir:value [  a fhir:String ; string ]
        fhir:value [  a fhir:Boolean ; boolean ]
        fhir:value [  a fhir:Integer ; integer ]
        fhir:value [  a fhir:Range ; Range ]
        fhir:value [  a fhir:Ratio ; Ratio ]
        fhir:value [  a fhir:Time ; time ]
        fhir:value [  a fhir:DateTime ; dateTime ]
        fhir:value [  a fhir:Period ; Period ]
        fhir:value [  a fhir:Base64Binary ; base64Binary ]
    ] ... ) ;
    fhir:agent  ( [ See AuditEvent.agent ] ... ) ; # 0..* Entity is attributed to this agent
  ] ... ) ;

]

Changes from R5 to R6

AuditEvent
AuditEvent.type
  • Renamed from category to type
  • Min Cardinality changed from 0 to 1
  • Max Cardinality changed from * to 1
AuditEvent.subtype
  • Renamed from code to subtype
  • Min Cardinality changed from 1 to 0
  • Max Cardinality changed from 1 to *
AuditEvent.basedOn
  • Type Reference: Added Target Type Resource
  • Type Reference: Removed Target Types CarePlan, DeviceRequest, ImmunizationRecommendation, MedicationRequest, NutritionOrder, ServiceRequest, Task
AuditEvent.agent.who
  • Type Reference: Added Target Types DeviceDefinition, Group, HealthcareService
AuditEvent.entity.description
  • Added Element

Changes from R4B to R6

AuditEvent
AuditEvent.type
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-type` (extensible)
AuditEvent.subtype
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-sub-type` (extensible)
AuditEvent.severity
  • Added Element
AuditEvent.occurred[x]
  • Renamed from period to occurred[x]
  • Add Type dateTime
AuditEvent.outcome
  • Type changed from code to BackboneElement
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-outcome|4.3.0` (required)
AuditEvent.outcome.code
  • Added Mandatory Element
AuditEvent.outcome.detail
  • Added Element
AuditEvent.authorization
  • Renamed from purposeOfEvent to authorization
  • Remove Binding `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse` (extensible)
AuditEvent.basedOn
  • Added Element
AuditEvent.patient
  • Added Element
AuditEvent.encounter
  • Added Element
AuditEvent.agent.type
  • Remove Binding `http://hl7.org/fhir/ValueSet/participation-role-type` (extensible)
AuditEvent.agent.who
  • Min Cardinality changed from 0 to 1
  • Type Reference: Added Target Types CareTeam, DeviceDefinition, Group, HealthcareService
AuditEvent.agent.requestor
  • Min Cardinality changed from 1 to 0
AuditEvent.agent.network[x]
  • Renamed from network to network[x]
  • Add Types Reference(Endpoint), uri, string
  • Remove Type BackboneElement
AuditEvent.agent.authorization
  • Renamed from purposeOfUse to authorization
  • Remove Binding `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse` (extensible)
AuditEvent.source.site
  • Type changed from string to Reference(Location)
AuditEvent.source.observer
  • Type Reference: Added Target Type CareTeam
AuditEvent.source.type
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-source-type` (extensible)
AuditEvent.entity.role
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/object-role` (extensible)
AuditEvent.entity.securityLabel
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/security-labels` (extensible)
AuditEvent.entity.detail.type
  • Type changed from string to CodeableConcept
AuditEvent.entity.detail.value[x]
  • Add Types Quantity, CodeableConcept, boolean, integer, Range, Ratio, time, dateTime, Period
AuditEvent.entity.agent
  • Added Element
AuditEvent.outcomeDesc
  • Deleted (-> outcome.detail.text)
AuditEvent.agent.altId
  • Deleted (-> use extension http://hl7.org/fhir/StructureDefinition/auditevent-AlternativeUserID)
AuditEvent.agent.name
  • Deleted (-> who.display)
AuditEvent.agent.media
  • Deleted (-> AuditEvent.entity)
AuditEvent.agent.network.address
  • Deleted (-> network[x])
AuditEvent.agent.network.type
  • Deleted (-> network[x])
AuditEvent.entity.type
  • Deleted
AuditEvent.entity.lifecycle
  • Deleted (-> use extension http://hl7.org/fhir/StructureDefinition/auditevent-Lifecycle)
AuditEvent.entity.name
  • Deleted (-> what.display)

Changes from R4 to R6

AuditEvent
AuditEvent.type
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-type` (extensible)
AuditEvent.subtype
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-sub-type` (extensible)
AuditEvent.severity
  • Added Element
AuditEvent.occurred[x]
  • Renamed from period to occurred[x]
  • Add Type dateTime
AuditEvent.outcome
  • Type changed from code to BackboneElement
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-outcome|4.0.0` (required)
AuditEvent.outcome.code
  • Added Mandatory Element
AuditEvent.outcome.detail
  • Added Element
AuditEvent.authorization
  • Renamed from purposeOfEvent to authorization
  • Remove Binding `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse` (extensible)
AuditEvent.basedOn
  • Added Element
AuditEvent.patient
  • Added Element
AuditEvent.encounter
  • Added Element
AuditEvent.agent.type
  • Remove Binding `http://hl7.org/fhir/ValueSet/participation-role-type` (extensible)
AuditEvent.agent.who
  • Min Cardinality changed from 0 to 1
  • Type Reference: Added Target Types CareTeam, DeviceDefinition, Group, HealthcareService
AuditEvent.agent.requestor
  • Min Cardinality changed from 1 to 0
AuditEvent.agent.network[x]
  • Renamed from network to network[x]
  • Add Types Reference(Endpoint), uri, string
  • Remove Type BackboneElement
AuditEvent.agent.authorization
  • Renamed from purposeOfUse to authorization
  • Remove Binding `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse` (extensible)
AuditEvent.source.site
  • Type changed from string to Reference(Location)
AuditEvent.source.observer
  • Type Reference: Added Target Type CareTeam
AuditEvent.source.type
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-source-type` (extensible)
AuditEvent.entity.role
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/object-role` (extensible)
AuditEvent.entity.securityLabel
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/security-labels` (extensible)
AuditEvent.entity.detail.type
  • Type changed from string to CodeableConcept
AuditEvent.entity.detail.value[x]
  • Add Types Quantity, CodeableConcept, boolean, integer, Range, Ratio, time, dateTime, Period
AuditEvent.entity.agent
  • Added Element
AuditEvent.outcomeDesc
  • Deleted (-> outcome.detail.text)
AuditEvent.agent.altId
  • Deleted (-> use extension http://hl7.org/fhir/StructureDefinition/auditevent-AlternativeUserID)
AuditEvent.agent.name
  • Deleted (-> who.display)
AuditEvent.agent.media
  • Deleted (-> AuditEvent.entity)
AuditEvent.agent.network.address
  • Deleted (-> network[x])
AuditEvent.agent.network.type
  • Deleted (-> network[x])
AuditEvent.entity.type
  • Deleted
AuditEvent.entity.lifecycle
  • Deleted (-> use extension http://hl7.org/fhir/StructureDefinition/auditevent-Lifecycle)
AuditEvent.entity.name
  • Deleted (-> what.display)
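
A log pipeline that still receives R4-shaped AuditEvents has to apply the renames and type changes listed above before it can query on the R6 element names. The following is an added example, not code from the FHIR specification: it applies the mappings from the R4 to R6 change list to a constructed event and returns notes for the items the list leaves to manual handling. Assumptions: the outcome Coding keeps the R4 code system, `source.site` becomes a display-only Reference, R4 network type `5` maps to `networkUri`, and the old `detail.type` string is carried as a Coding display.

```python
from copy import deepcopy

# Assumption: R4 outcome codes keep the R4 code system when wrapped in a Coding.
OUTCOME_SYSTEM = "http://terminology.hl7.org/CodeSystem/audit-event-outcome"
# Extension URLs as quoted in the change list on this page.
ALT_ID_EXT = "http://hl7.org/fhir/StructureDefinition/auditevent-AlternativeUserID"
LIFECYCLE_EXT = "http://hl7.org/fhir/StructureDefinition/auditevent-Lifecycle"

# Constructed R4-shaped sample event (all values invented for the example).
SAMPLE_R4 = {
    "resourceType": "AuditEvent",
    "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-event-type", "code": "rest"},
    "action": "R", "recorded": "2024-01-01T10:00:01Z",
    "period": {"start": "2024-01-01T10:00:00Z", "end": "2024-01-01T10:00:01Z"},
    "outcome": "4", "outcomeDesc": "Access denied",
    "agent": [{"name": "Example User", "altId": "euser", "requestor": True,
               "network": {"address": "192.0.2.10", "type": "2"}}],
    "source": {"site": "Example Clinic", "observer": {"reference": "Device/example"}},
    "entity": [{"what": {"reference": "Patient/example"}, "name": "Example Patient",
                "type": {"code": "1"}, "detail": [{"type": "path", "valueString": "/Patient"}]}],
}


def _cc(coding):  # Coding -> CodeableConcept
    return {"coding": [deepcopy(coding)]}


def _without(d, *keys):  # deep copy of d minus the elements that moved or were deleted
    return {k: deepcopy(v) for k, v in d.items() if k not in keys}


def _agent(old, notes):
    new = _without(old, "altId", "name", "media", "network", "purposeOfUse")
    if "name" in old:                      # name -> who.display
        new.setdefault("who", {}).setdefault("display", old["name"])
    if "who" not in new:                   # who: min cardinality 0 -> 1
        notes.append("agent.who is mandatory in R6 and could not be derived")
    net = old.get("network", {})
    if "address" in net:                   # network -> network[x]
        # Assumption: R4 network type "5" (URI) becomes networkUri, anything else networkString.
        new["networkUri" if net.get("type") == "5" else "networkString"] = net["address"]
    if "purposeOfUse" in old:              # purposeOfUse -> authorization
        new["authorization"] = deepcopy(old["purposeOfUse"])
    if "altId" in old:
        notes.append("agent.altId: use extension " + ALT_ID_EXT)
    if "media" in old:
        notes.append("agent.media: re-express as AuditEvent.entity")
    return new


def _entity(old, notes):
    new = _without(old, "type", "lifecycle", "name", "role", "securityLabel", "detail")
    if "name" in old:                      # name -> what.display
        new.setdefault("what", {}).setdefault("display", old["name"])
    if "role" in old:
        new["role"] = _cc(old["role"])
    if "securityLabel" in old:
        new["securityLabel"] = [_cc(c) for c in old["securityLabel"]]
    for det in old.get("detail", []):      # detail.type: string -> CodeableConcept
        item = _without(det, "type")
        # Assumption: the old tag name is carried as the display of a single Coding.
        item["type"] = {"coding": [{"display": det["type"]}]}
        new.setdefault("detail", []).append(item)
    if "type" in old:
        notes.append("entity.type: deleted, no replacement listed")
    if "lifecycle" in old:
        notes.append("entity.lifecycle: use extension " + LIFECYCLE_EXT)
    return new


def upgrade_audit_event(r4):
    """Return (r6, notes); notes lists items the change list leaves to manual handling."""
    notes = []
    r6 = _without(r4, "type", "subtype", "period", "outcome", "outcomeDesc",
                  "purposeOfEvent", "agent", "source", "entity")
    if "type" in r4:
        r6["type"] = _cc(r4["type"])
    if "subtype" in r4:
        r6["subtype"] = [_cc(c) for c in r4["subtype"]]
    if "period" in r4:                     # period -> occurred[x]
        r6["occurredPeriod"] = deepcopy(r4["period"])
    if "outcome" in r4:                    # code -> BackboneElement with mandatory code
        r6["outcome"] = {"code": {"system": OUTCOME_SYSTEM, "code": r4["outcome"]}}
        if "outcomeDesc" in r4:            # outcomeDesc -> outcome.detail.text
            r6["outcome"]["detail"] = [{"text": r4["outcomeDesc"]}]
    elif "outcomeDesc" in r4:
        notes.append("outcomeDesc: no outcome code to attach it to")
    if "purposeOfEvent" in r4:             # purposeOfEvent -> authorization
        r6["authorization"] = deepcopy(r4["purposeOfEvent"])
    r6["agent"] = [_agent(a, notes) for a in r4.get("agent", [])]
    src = deepcopy(r4.get("source", {}))
    if isinstance(src.get("site"), str):   # site: string -> Reference(Location)
        src["site"] = {"display": src["site"]}   # assumption: display-only Reference
    if "type" in src:
        src["type"] = [_cc(c) for c in src["type"]]
    r6["source"] = src
    if "entity" in r4:
        r6["entity"] = [_entity(e, notes) for e in r4["entity"]]
    return r6, notes
```

Calling `upgrade_audit_event(SAMPLE_R4)` returns the converted event together with two notes, one for `agent.altId` and one for the deleted `entity.type`.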

See the Full Difference for further information

This analysis is available for R4 as XML or JSON and for R4B as XML or JSON.

Structure

Name Flags Card. Type Description & Constraints
. . AuditEvent N DomainResource Record of an event
Elements defined in Ancestors: id , meta , implicitRules , language , text , contained , extension , modifierExtension
. . . type Σ 1..1 CodeableConcept High level categorization of audit event
Binding: Example Audit Event ID ( Example )
. . . subtype Σ 0..* CodeableConcept Specific type of event
Binding: Example Audit Event Sub-Type ( Example )
. . . action Σ 0..1 code Type of action performed during the event
Binding: Audit Event Action ( Required )
. . . occurred[x] 0..1 When the activity occurred
. . . . occurredPeriod Period
. . . . occurredDateTime dateTime
. . . recorded Σ 1..1 instant Time when the event was recorded
. . . outcome Σ 0..1 BackboneElement Whether the event succeeded or failed
. . . . code Σ 1..1 Coding Whether the event succeeded or failed
Binding: Example Audit Event Outcome ( Preferred )
. . . . detail Σ 0..* CodeableConcept Additional outcome detail
Binding: Example Audit Event Outcome Detail ( Example )
. . . authorization Σ 0..* CodeableConcept Authorization related to the event
Binding: PurposeOfUse ( Example )
. . . basedOn Σ 0..* Reference ( Any ) Workflow authorization within which this event occurred
. . . patient Σ 0..1 Reference ( Patient ) The patient is the subject of the data used/created/updated/deleted during the activity
. . . encounter 0..1 Reference ( Encounter ) Encounter within which this event occurred or which the event is tightly associated
. . . agent Σ 1..* BackboneElement Actor involved in the event
. . . . type 0..1 CodeableConcept How agent participated
Binding: Participation Role Type ( Preferred )
. . . . role 0..* CodeableConcept Agent role in the event
Binding: Example Security Role Type ( Example )
. . . . who Σ 1..1 Reference ( Practitioner | PractitionerRole | Organization | CareTeam | Patient | Device | DeviceDefinition | RelatedPerson | Group | HealthcareService ) Identifier of who
. . . . requestor Σ 0..1 boolean Whether user is initiator
. . . . location 0..1 Reference ( Location ) The agent location when the event occurred
. . . . policy 0..* uri Policy that authorized the agent participation in the event
. . . . network[x] 0..1 This agent network location for the activity
. . . . . networkReference Reference ( Endpoint )
. . . . . networkUri uri
. . . . . networkString string
. . . . authorization 0..* CodeableConcept Allowable authorization for this agent
Binding: PurposeOfUse ( Example )
. . . source Σ 1..1 BackboneElement Audit Event Reporter
. . . . site 0..1 Reference ( Location ) Logical source location within the enterprise
. . . . observer Σ 1..1 Reference ( Practitioner | PractitionerRole | Organization | CareTeam | Patient | Device | RelatedPerson ) The identity of source detecting the event
. . . . type 0..* CodeableConcept The type of source where event originated
Binding: Audit Event Source Type ( Preferred )
. . . entity Σ 0..* BackboneElement Data or objects used
. . . . what Σ 0..1 Reference ( Any ) Specific instance of resource
. . . . role 0..1 CodeableConcept What role the entity played
Binding: Example Audit Event Entity Role ( Example )
. . . . securityLabel 0..* CodeableConcept Security labels on the entity
Binding: Example set of Security Labels ( Example )
. . . . description 0..1 string Descriptive text
. . . . query Σ 0..1 base64Binary Query parameters
. . . . detail 0..* BackboneElement Additional Information about the entity
. . . . . type 1..1 CodeableConcept The name of the extra detail property
Binding: Example value set Audit Event Entity Detail Type ( Example )
. . . . . value[x] 1..1 Property value
. . . . . . valueQuantity Quantity
. . . . . . valueCodeableConcept CodeableConcept
. . . . . . valueString string
. . . . . . valueBoolean boolean
. . . . . . valueInteger integer
. . . . . . valueRange Range
. . . . . . valueRatio Ratio
. . . . . . valueTime time
. . . . . . valueDateTime dateTime
. . . . . . valuePeriod Period
. . . . . . valueBase64Binary base64Binary
. . . . agent 0..* see agent Entity is attributed to this agent


Documentation for this format

See the Extensions for this resource

UML Diagram ( Legend )

AuditEvent ( DomainResource )
  • type : CodeableConcept [1..1] « (Strength=Example) AuditEventIDExample »
    Partitions the audit event into one or more categories that can be used to filter searching, to govern access control and/or to guide system behavior
  • subtype : CodeableConcept [0..*] « (Strength=Example) AuditEventSubTypeExample »
    Describes what happened. The most specific codes for the event
  • action : code [0..1] « Indicator for type of action performed during the event that generated the event. (Strength=Required) AuditEventAction »
    Indicator for type of action performed during the event that generated the audit
  • severity : code [0..1] « The severity of the audit entry. (Strength=Required) AuditEventSeverity »
    Indicates and enables segmentation of various severity including debugging from critical
  • occurred[x] : DataType [0..1] « Period | dateTime »
    The time or period during which the activity occurred
  • recorded : instant [1..1]
    The time when the event was recorded
  • authorization : CodeableConcept [0..*] « (Strength=Example) PurposeOfUse »
    The authorization (e.g., PurposeOfUse) that was used during the event being recorded
  • basedOn : Reference [0..*] « Any »
    Allows tracing of authorization for the events and tracking whether proposals/recommendations were acted upon
  • patient : Reference [0..1] « Patient »
    The patient element is available to enable deterministic tracking of activities that involve the patient as the subject of the data used in an activity
  • encounter : Reference [0..1] « Encounter »
    This will typically be the encounter the event occurred, but some events MAY be initiated prior to or after the official completion of an encounter but still be tied to the context of the encounter (e.g. pre-admission lab tests)
  • outcome : Outcome [0..1]
    Indicates whether the event succeeded or failed. A free text description can be given in outcome.text
  • agent : Agent [1..*]
    An actor taking an active role in the event or activity that is logged
  • source : Source [1..1]
    The actor that is reporting the event
  • entity : Entity [0..*]
    Specific instances of data or objects that have been accessed

Outcome
  • code : Coding [1..1] « Indicates whether the event succeeded or failed. (Strength=Preferred) AuditEventOutcomeExample »
    Indicates whether the event succeeded or failed
  • detail : CodeableConcept [0..*] « (Strength=Example) AuditEventOutcomeDetailExample »
    Additional details about the error. This MAY be a text description of the error or a system code that identifies the error

Agent
  • type : CodeableConcept [0..1] « (Strength=Preferred) ParticipationRoleType »
    The Functional Role of the user when performing the event
  • role : CodeableConcept [0..*] « (Strength=Example) SecurityRoleTypeExamples »
    The structural roles of the agent indicating the agent's competency. The security role enabling the agent with respect to the activity
  • who : Reference [1..1] « Practitioner | PractitionerRole | Organization | CareTeam | Patient | Device | DeviceDefinition | RelatedPerson | Group | HealthcareService »
    Reference to who this agent is that was involved in the event
  • requestor : boolean [0..1]
    Indicator that the user is or is not the requestor, or initiator, for the event being audited
  • location : Reference [0..1] « Location »
    Where the agent location is known, the agent location when the event occurred
  • policy : uri [0..*]
    Where the policy(ies) are known that authorized the agent participation in the event. Typically, a single activity MAY have multiple applicable policies, such as patient consent, guarantor funding, etc. The policy would also indicate the security token used
  • network[x] : DataType [0..1] « Reference ( Endpoint ) | uri | string »
    When the event utilizes a network there SHOULD be an agent describing the local system, and an agent describing remote system, with the network interface details
  • authorization : CodeableConcept [0..*] « (Strength=Example) PurposeOfUse »
    The authorization (e.g., PurposeOfUse) that was used during the event being recorded

Source
  • site : Reference [0..1] « Location »
    Logical source location within the healthcare enterprise network. For example, a hospital or other provider location within a multi-entity provider group
  • observer : Reference [1..1] « Practitioner | PractitionerRole | Organization | CareTeam | Patient | Device | RelatedPerson »
    Identifier of the source where the event was detected
  • type : CodeableConcept [0..*] « (Strength=Preferred) AuditEventSourceType »
    Code specifying the type of source where event originated

Entity
  • what : Reference [0..1] « Any »
    Identifies a specific instance of the entity. The reference SHOULD be version specific. This is allowed to be a Parameters resource
  • role : CodeableConcept [0..1] « (Strength=Example) AuditEventEntityRoleExample »
    Code representing the role the entity played in the event being audited
  • securityLabel : CodeableConcept [0..*] « (Strength=Example) SecurityLabelExamples »
    Security labels for the identified entity
  • description : string [0..1]
    Text that describes the entity in more detail
  • query : base64Binary [0..1]
    The query parameters for query-type entities
  • detail : Detail [0..*]
    Tagged value pairs for conveying additional information about the entity
  • agent : Agent [0..*]
    The entity is attributed to an agent to express the agent's responsibility for that entity in the activity. This is most used to indicate when persistence media (the entity) are used by an agent. For example when importing data from a device, the device would be described in an entity, and the user importing data from that media would be indicated as the entity.agent

Detail
  • type : CodeableConcept [1..1] « (Strength=Example) AuditEventEntityDetailTypeExa... »
    The name of extra detail provided in the value. This element is the tag for the value. Where a simple string is used for the tag name, use the CodeableConcept.display element
  • value[x] : DataType [1..1] « Quantity | CodeableConcept | string | boolean | integer | Range | Ratio | time | dateTime | Period | base64Binary »
    The value of the extra detail

XML Template

<AuditEvent xmlns="http://hl7.org/fhir">
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <type><!-- 1..1 CodeableConcept High level categorization of audit event --></type>
 <subtype><!-- 0..* CodeableConcept Specific type of event --></subtype>
 <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
 <severity value="[code]"/><!-- 0..1 emergency | alert | critical | error | warning | notice | informational | debug -->
 <occurred[x]><!-- 0..1 Period|dateTime When the activity occurred --></occurred[x]>
 <recorded value="[instant]"/><!-- 1..1 Time when the event was recorded -->
 <outcome>  <!-- 0..1 Whether the event succeeded or failed -->
  <code><!-- 1..1 Coding Whether the event succeeded or failed --></code>
  <detail><!-- 0..* CodeableConcept Additional outcome detail --></detail>
 </outcome>
 <authorization><!-- 0..* CodeableConcept Authorization related to the event --></authorization>
 <basedOn><!-- 0..* Reference(Any) Workflow authorization within which this event occurred --></basedOn>
 <patient><!-- 0..1 Reference(Patient) The patient is the subject of the data used/created/updated/deleted during the activity --></patient>
 <encounter><!-- 0..1 Reference(Encounter) Encounter within which this event occurred or which the event is tightly associated --></encounter>
 <agent>  <!-- 1..* Actor involved in the event -->
  <type><!-- 0..1 CodeableConcept How agent participated --></type>
  <role><!-- 0..* CodeableConcept Agent role in the event --></role>
  <who><!-- 1..1 Reference(CareTeam|Device|DeviceDefinition|Group|
    HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
    RelatedPerson) Identifier of who --></who>
  <requestor value="[boolean]"/><!-- 0..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) The agent location when the event occurred --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized the agent participation in the event -->
  <network[x]><!-- 0..1 Reference(Endpoint)|uri|string This agent network location for the activity --></network[x]>
  <authorization><!-- 0..* CodeableConcept Allowable authorization for this agent --></authorization>
 </agent>
 <source>  <!-- 1..1 Audit Event Reporter -->
  <site><!-- 0..1 Reference(Location) Logical source location within the enterprise --></site>
  <observer><!-- 1..1 Reference(CareTeam|Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) The identity of source detecting the event --></observer>
  <type><!-- 0..* CodeableConcept The type of source where event originated --></type>
 </source>
 <entity>  <!-- 0..* Data or objects used -->
  <what><!-- 0..1 Reference(Any) Specific instance of resource --></what>
  <role><!-- 0..1 CodeableConcept What role the entity played --></role>
  <securityLabel><!-- 0..* CodeableConcept Security labels on the entity --></securityLabel>
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!-- 0..1 Query parameters -->
  <detail>  <!-- 0..* Additional Information about the entity -->
   <type><!-- 1..1 CodeableConcept The name of the extra detail property --></type>
   <value[x]><!-- 1..1 Quantity|CodeableConcept|string|boolean|integer|Range|
     Ratio|time|dateTime|Period|base64Binary Property value --></value[x]>
  </detail>
  <agent><!-- 0..* Content as for AuditEvent.agent Entity is attributed to this agent --></agent>
 </entity>
</AuditEvent>

JSON Template

{doco
  "resourceType" : "",

  "resourceType" : "AuditEvent",

  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "
  "

  "type" : { CodeableConcept }, // R!  High level categorization of audit event
  "subtype" : [{ CodeableConcept }], // Specific type of event

  "action" : "<code>", // Type of action performed during the event
  "

  "severity" : "<code>", // emergency | alert | critical | error | warning | notice | informational | debug
  // occurred[x]: When the activity occurred. One of these 2:

  "occurredPeriod" : { Period },
  "occurredDateTime" : "<dateTime>",

  "recorded" : "<instant>", // R!  Time when the event was recorded
  "
  "
  "

  "outcome" : { // Whether the event succeeded or failed
    "code" : { Coding }, // R!  Whether the event succeeded or failed
    "detail" : [{ CodeableConcept }] // Additional outcome detail
  },
  "authorization" : [{ CodeableConcept }], // Authorization related to the event icon
  "basedOn" : [{ Reference(Any) }], // Workflow authorization within which this event occurred
  "patient" : { Reference(Patient) }, // The patient is the subject of the data used/created/updated/deleted during the activity
  "encounter" : { Reference(Encounter) }, // Encounter within which this event occurred or which the event is tightly associated

  "agent" : [{ // R!  Actor involved in the event
    "
    "
    "|
    
    "
    "
    "
    "
    "
    "
    "
      "
      "
    },
    "

    "type" : { CodeableConcept }, // How agent participated
    "role" : [{ CodeableConcept }], // Agent role in the event
    "who" : { Reference(CareTeam|Device|DeviceDefinition|Group|
    HealthcareService|Organization|Patient|Practitioner|PractitionerRole|
    RelatedPerson) }, // R!  Identifier of who

    "requestor" : <boolean>, // Whether user is initiator
    "location" : { Reference(Location) }, // The agent location when the event occurred
    "policy" : ["<uri>"], // Policy that authorized the agent participation in the event
    // network[x]: This agent network location for the activity. One of these 3:

    "networkReference" : { Reference(Endpoint) },
    "networkUri" : "<uri>",
    "networkString" : "<string>",
    "authorization" : [{ CodeableConcept }] // Allowable authorization for this agent icon

  }],
  "
    "
    "|
    
    "

  "source" : { // R!  Audit Event Reporter
    "site" : { Reference(Location) }, // Logical source location within the enterprise
    "observer" : { Reference(CareTeam|Device|Organization|Patient|Practitioner|
    PractitionerRole|RelatedPerson) }, // R!  The identity of source detecting the event

    "type" : [{ CodeableConcept }] // The type of source where event originated

  },
  "entity" : [{ // Data or objects used
    "
    "
    "
    "
    "
    "

    "what" : { Reference(Any) }, // Specific instance of resource
    "role" : { CodeableConcept }, // What role the entity played
    "securityLabel" : [{ CodeableConcept }], // Security labels on the entity

    "description" : "<string>", // Descriptive text
    "

    "query" : "<base64Binary>", // Query parameters

    "detail" : [{ // Additional Information about the entity
      "type" : { CodeableConcept }, // R!  The name of the extra detail property
      // value[x]: Property value. One of these 11:

      "valueQuantity" : { Quantity },
      "valueCodeableConcept" : { CodeableConcept },
      "valueString" : "<string>",
      "valueBoolean" : <boolean>,
      "valueInteger" : <integer>,
      "valueRange" : { Range },
      "valueRatio" : { Ratio },
      "valueTime" : "<time>",
      "valueDateTime" : "<dateTime>",
      "valuePeriod" : { Period },

      "valueBase64Binary" : "<base64Binary>"
    }],
    "agent" : [{ Content as for AuditEvent.agent }] // Entity is attributed to this agent

  }]
}

Turtle Template

@prefix fhir: <http://hl7.org/fhir/> .


[ a fhir:AuditEvent;

  fhir:nodeRole fhir:treeRoot; # if this is the parser root

  # from Resource: fhir:id, fhir:meta, fhir:implicitRules, and fhir:language
  # from DomainResource: fhir:text, fhir:contained, fhir:extension, and fhir:modifierExtension
  fhir:type [ CodeableConcept ] ; # 1..1 High level categorization of audit event
  fhir:subtype  ( [ CodeableConcept ] ... ) ; # 0..* Specific type of event
  fhir:action [ code ] ; # 0..1 Type of action performed during the event
  fhir:severity [ code ] ; # 0..1 emergency | alert | critical | error | warning | notice | informational | debug
  # occurred[x] : 0..1 When the activity occurred. One of these 2
    fhir:occurred [  a fhir:Period ; Period ]
    fhir:occurred [  a fhir:DateTime ; dateTime ]
  fhir:recorded [ instant ] ; # 1..1 Time when the event was recorded
  fhir:outcome [ # 0..1 Whether the event succeeded or failed
    fhir:code [ Coding ] ; # 1..1 Whether the event succeeded or failed
    fhir:detail  ( [ CodeableConcept ] ... ) ; # 0..* Additional outcome detail
  ] ;
  fhir:authorization  ( [ CodeableConcept ] ... ) ; # 0..* Authorization related to the event
  fhir:basedOn  ( [ Reference(Any) ] ... ) ; # 0..* Workflow authorization within which this event occurred
  fhir:patient [ Reference(Patient) ] ; # 0..1 The patient is the subject of the data used/created/updated/deleted during the activity
  fhir:encounter [ Reference(Encounter) ] ; # 0..1 Encounter within which this event occurred or which the event is tightly associated
  fhir:agent ( [ # 1..* Actor involved in the event
    fhir:type [ CodeableConcept ] ; # 0..1 How agent participated
    fhir:role  ( [ CodeableConcept ] ... ) ; # 0..* Agent role in the event
    fhir:who [ Reference(CareTeam|Device|DeviceDefinition|Group|HealthcareService|Organization|Patient|
  Practitioner|PractitionerRole|RelatedPerson) ] ; # 1..1 Identifier of who

    fhir:requestor [ boolean ] ; # 0..1 Whether user is initiator
    fhir:location [ Reference(Location) ] ; # 0..1 The agent location when the event occurred
    fhir:policy  ( [ uri ] ... ) ; # 0..* Policy that authorized the agent participation in the event
    # network[x] : 0..1 This agent network location for the activity. One of these 3
      fhir:network [  a fhir:Reference ; Reference(Endpoint) ]
      fhir:network [  a fhir:Uri ; uri ]
      fhir:network [  a fhir:String ; string ]
    fhir:authorization  ( [ CodeableConcept ] ... ) ; # 0..* Allowable authorization for this agent
  ] ... ) ;
  fhir:source [ # 1..1 Audit Event Reporter
    fhir:site [ Reference(Location) ] ; # 0..1 Logical source location within the enterprise
    fhir:observer [ Reference(CareTeam|Device|Organization|Patient|Practitioner|PractitionerRole|RelatedPerson) ] ; # 1..1 The identity of source detecting the event
    fhir:type  ( [ CodeableConcept ] ... ) ; # 0..* The type of source where event originated
  ] ;
  fhir:entity ( [ # 0..* Data or objects used
    fhir:what [ Reference(Any) ] ; # 0..1 Specific instance of resource
    fhir:role [ CodeableConcept ] ; # 0..1 What role the entity played
    fhir:securityLabel  ( [ CodeableConcept ] ... ) ; # 0..* Security labels on the entity
    fhir:description [ string ] ; # 0..1 Descriptive text
    fhir:query [ base64Binary ] ; # 0..1 Query parameters
    fhir:detail ( [ # 0..* Additional Information about the entity
      fhir:type [ CodeableConcept ] ; # 1..1 The name of the extra detail property
      # value[x] : 1..1 Property value. One of these 11
        fhir:value [  a fhir:Quantity ; Quantity ]
        fhir:value [  a fhir:CodeableConcept ; CodeableConcept ]
        fhir:value [  a fhir:String ; string ]
        fhir:value [  a fhir:Boolean ; boolean ]
        fhir:value [  a fhir:Integer ; integer ]
        fhir:value [  a fhir:Range ; Range ]
        fhir:value [  a fhir:Ratio ; Ratio ]
        fhir:value [  a fhir:Time ; time ]
        fhir:value [  a fhir:DateTime ; dateTime ]
        fhir:value [  a fhir:Period ; Period ]
        fhir:value [  a fhir:Base64Binary ; base64Binary ]
    ] ... ) ;
    fhir:agent  ( [ See AuditEvent.agent ] ... ) ; # 0..* Entity is attributed to this agent
  ] ... ) ;

]

Changes from R5 to R6

AuditEvent
AuditEvent.type
  • Renamed from category to type
  • Min Cardinality changed from 0 to 1
  • Max Cardinality changed from * to 1
AuditEvent.subtype
  • Renamed from code to subtype
  • Min Cardinality changed from 1 to 0
  • Max Cardinality changed from 1 to *
AuditEvent.basedOn
  • Type Reference: Added Target Type Resource
  • Type Reference: Removed Target Types CarePlan, DeviceRequest, ImmunizationRecommendation, MedicationRequest, NutritionOrder, ServiceRequest, Task
AuditEvent.agent.who
  • Type Reference: Added Target Types DeviceDefinition, Group, HealthcareService
AuditEvent.entity.description
  • Added Element

Changes from R4B to R6

AuditEvent
AuditEvent.type
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-type` (extensible)
AuditEvent.subtype
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-sub-type` (extensible)
AuditEvent.severity
  • Added Element
AuditEvent.occurred[x]
  • Renamed from period to occurred[x]
  • Add Type dateTime
AuditEvent.outcome
  • Type changed from code to BackboneElement
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-outcome|4.3.0` (required)
AuditEvent.outcome.code
  • Added Mandatory Element
AuditEvent.outcome.detail
  • Added Element
AuditEvent.authorization
  • Renamed from purposeOfEvent to authorization
  • Remove Binding `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse` (extensible)
AuditEvent.basedOn
  • Added Element
AuditEvent.patient
  • Added Element
AuditEvent.encounter
  • Added Element
AuditEvent.agent.type
  • Remove Binding `http://hl7.org/fhir/ValueSet/participation-role-type` (extensible)
AuditEvent.agent.who
  • Min Cardinality changed from 0 to 1
  • Type Reference: Added Target Types CareTeam, DeviceDefinition, Group, HealthcareService
AuditEvent.agent.requestor
  • Min Cardinality changed from 1 to 0
AuditEvent.agent.network[x]
  • Renamed from network to network[x]
  • Add Types Reference(Endpoint), uri, string
  • Remove Type BackboneElement
AuditEvent.agent.authorization
  • Renamed from purposeOfUse to authorization
  • Remove Binding `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse` (extensible)
AuditEvent.source.site
  • Type changed from string to Reference(Location)
AuditEvent.source.observer
  • Type Reference: Added Target Type CareTeam
AuditEvent.source.type
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-source-type` (extensible)
AuditEvent.entity.role
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/object-role` (extensible)
AuditEvent.entity.securityLabel
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/security-labels` (extensible)
AuditEvent.entity.detail.type
  • Type changed from string to CodeableConcept
AuditEvent.entity.detail.value[x]
  • Add Types Quantity, CodeableConcept, boolean, integer, Range, Ratio, time, dateTime, Period
AuditEvent.entity.agent
  • Added Element
AuditEvent.outcomeDesc
  • Deleted (-> outcome.detail.text)
AuditEvent.agent.altId
  • Deleted (-> use extension http://hl7.org/fhir/StructureDefinition/auditevent-AlternativeUserID)
AuditEvent.agent.name
  • Deleted (-> who.display)
AuditEvent.agent.media
  • Deleted (-> AuditEvent.entity)
AuditEvent.agent.network.address
  • Deleted (-> network[x])
AuditEvent.agent.network.type
  • Deleted (-> network[x])
AuditEvent.entity.type
  • Deleted
AuditEvent.entity.lifecycle
  • Deleted (-> use extension http://hl7.org/fhir/StructureDefinition/auditevent-Lifecycle)
AuditEvent.entity.name
  • Deleted (-> what.display)

Changes from R4 to R6

AuditEvent
AuditEvent.type
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-type` (extensible)
AuditEvent.subtype
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-sub-type` (extensible)
AuditEvent.severity
  • Added Element
AuditEvent.occurred[x]
  • Renamed from period to occurred[x]
  • Add Type dateTime
AuditEvent.outcome
  • Type changed from code to BackboneElement
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-event-outcome|4.0.0` (required)
AuditEvent.outcome.code
  • Added Mandatory Element
AuditEvent.outcome.detail
  • Added Element
AuditEvent.authorization
  • Renamed from purposeOfEvent to authorization
  • Remove Binding `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse` (extensible)
AuditEvent.basedOn
  • Added Element
AuditEvent.patient
  • Added Element
AuditEvent.encounter
  • Added Element
AuditEvent.agent.type
  • Remove Binding `http://hl7.org/fhir/ValueSet/participation-role-type` (extensible)
AuditEvent.agent.who
  • Min Cardinality changed from 0 to 1
  • Type Reference: Added Target Types CareTeam, DeviceDefinition, Group, HealthcareService
AuditEvent.agent.requestor
  • Min Cardinality changed from 1 to 0
AuditEvent.agent.network[x]
  • Renamed from network to network[x]
  • Add Types Reference(Endpoint), uri, string
  • Remove Type BackboneElement
AuditEvent.agent.authorization
  • Renamed from purposeOfUse to authorization
  • Remove Binding `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse` (extensible)
AuditEvent.source.site
  • Type changed from string to Reference(Location)
AuditEvent.source.observer
  • Type Reference: Added Target Type CareTeam
AuditEvent.source.type
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/audit-source-type` (extensible)
AuditEvent.entity.role
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/object-role` (extensible)
AuditEvent.entity.securityLabel
  • Type changed from Coding to CodeableConcept
  • Remove Binding `http://hl7.org/fhir/ValueSet/security-labels` (extensible)
AuditEvent.entity.detail.type
  • Type changed from string to CodeableConcept
AuditEvent.entity.detail.value[x]
  • Add Types Quantity, CodeableConcept, boolean, integer, Range, Ratio, time, dateTime, Period
AuditEvent.entity.agent
  • Added Element
AuditEvent.outcomeDesc
  • Deleted (-> outcome.detail.text)
AuditEvent.agent.altId
  • Deleted (-> use extension http://hl7.org/fhir/StructureDefinition/auditevent-AlternativeUserID)
AuditEvent.agent.name
  • Deleted (-> who.display)
AuditEvent.agent.media
  • Deleted (-> AuditEvent.entity)
AuditEvent.agent.network.address
  • Deleted (-> network[x])
AuditEvent.agent.network.type
  • Deleted (-> network[x])
AuditEvent.entity.type
  • Deleted
AuditEvent.entity.lifecycle
  • Deleted (-> use extension http://hl7.org/fhir/StructureDefinition/auditevent-Lifecycle)
AuditEvent.entity.name
  • Deleted (-> what.display)

See the Full Difference for further information

This analysis is available for R4 as XML or JSON and for R4B as XML or JSON.

Additional definitions: Master Definition XML + JSON, XML Schema/Schematron + JSON Schema, ShEx (for Turtle) + see the extensions, the spreadsheet version & the dependency analysis

| Path | ValueSet | Type | Documentation |
| --- | --- | --- | --- |
| AuditEvent.type | AuditEventIDExample | Example | Example value set of Event Categories for Audit Events - defined by DICOM with some FHIR specific additions. |
| AuditEvent.subtype | AuditEventSubTypeExample | Example | Example values for more detailed code concerning the type of the audit event - defined by DICOM with some additional FHIR, HL7, and other additions. |
| AuditEvent.action | AuditEventAction | Required | Indicator value set for type of action performed during the event that generated the event. |
| AuditEvent.severity | AuditEventSeverity | Required | The severity of the audit entry. |
| AuditEvent.outcome.code | AuditEventOutcomeExample (a valid code from Issue Severity) | Preferred | Example codes to indicate whether the event succeeded or failed. |
| AuditEvent.outcome.detail | AuditEventOutcomeDetailExample (a valid code from Operation Outcome Codes) | Example | Example values to indicate more detailed reason for outcome. |
| AuditEvent.authorization | PurposeOfUse | Example | Supports communication of purpose of use at a general level. |
| AuditEvent.agent.type | ParticipationRoleType | Preferred | This FHIR value set is comprised of Actor participation Type codes, which can be used to value FHIR agents, actors, and other role elements. The codes are intended to express how the agent participated in some activity. Sometimes referred to as the agent functional-role relative to the activity. |
| AuditEvent.agent.role | SecurityRoleTypeExamples (a valid code from Example Codes for Security Structural Role) | Example | This value set contains example structural roles. In general, two types of roles can be distinguished: structural roles and functional roles. Structural Roles reflect human or organizational categories (hierarchies), and describe prerequisites, feasibilities, or competences for actions. Functional roles are bound to the realization or performance of actions. |
| AuditEvent.agent.authorization | PurposeOfUse | Example | Supports communication of purpose of use at a general level. |
| AuditEvent.source.type | AuditEventSourceType | Preferred | The type of process where the audit event originated from. Use of these codes is not required but is encouraged to maintain translation with DICOM AuditMessage schema. |
| AuditEvent.entity.role | AuditEventEntityRoleExample (a valid code from AuditEventEntityRole) | Example | Example codes representing the role the entity played in the audit event. |
| AuditEvent.entity.securityLabel | SecurityLabelExamples | Example | A sample of security labels from the Healthcare Privacy and Security Classification System as the combination of data and event codes. |
| AuditEvent.entity.detail.type | AuditEventEntityDetailTypeExamples (a valid code from Example Codes for AuditEvent.entity.detail.type) | Example | Example values for the type of additional detail about an entity used in an event. |

The AuditEvent resource and the ATNA Audit record are used in many contexts throughout healthcare. The coded values defined in the "extensible" bindings above are those widely used and/or defined by DICOM, IHE or ISO, who defined these codes to meet very specific use cases. These codes SHOULD be used when they are suitable. When needed, other codes can be defined.

Note: When using codes from a vocabulary, the display element for the code can be left off to keep the AuditEvent size small and minimize impact of a large audit log of similar entries.

The set of codes defined for this resource is expected to grow over time, and additional codes MAY be proposed / requested using the "Propose a change" link below.

This table summarizes common event scenarios, and the codes that SHOULD be used for each case.

| Scenario | category | code | action | Other |
| --- | --- | --- | --- | --- |
| User Login (example) | 110114 User Authentication | 110122 User Authentication | E Execute | One agent which contains the details of the logged-in user. |
| User Logout (example) | 110114 User Authentication | 110123 User Logout | E Execute | One agent which contains the details of the logged-out user. |
| REST operation logged on server (example) | rest RESTful Operation | [code] defined for operation | * (see below) | Agent for logged in user, if available. |
| Search operation logged on server (example) | rest RESTful Operation | [code] defined for operation | E Execute | Agent for logged in user, if available, and one object with a query element. The Execute action is used as the server must execute the search parameters to get the results, whereas a Read action identifies a specific object. |
| Break-Glass started (example) | 110113 Security Alert | 110127 Emergency Override Started | E Execute | Agent is the user who is authorized to break-glass and has declared an emergency override. Note there is an Emergency Override Stopped code that can be used to indicate the closing of the break-glass event, when it is known. |

Audit Event Actions for RESTful operations:

| Operation | Action |
| --- | --- |
| create | C |
| read, vread, history-instance, history-type, history-system | R |
| update | U |
| delete | D |
| transaction, operation, conformance, validate, search, search-type, search-system | E |

A search event is recorded as an Execute action as the server must execute the search parameters to get the results. The category is a rest operation. The code SHOULD be search. The Server is identified in an .agent as the role Destination Role ID, and the client is identified in an .agent as the role Source Role ID. Additional .agent elements MAY be used to identify user, application, organization, etc.

A Search Event records one .entity element that holds the search request, and SHOULD NOT record the contents of the search response so as to limit duplication of sensitive health information that is already present in the system, and discoverable by replaying the search request.

The AuditEvent.entity.query SHALL hold the WHOLE http header and body encoded as base64binary. This SHOULD preserve as much of the raw http header and body as possible to best capture any attempts by clients or intermediaries to misbehave. There SHOULD be no sanitization or normalization of this value.

The FHIR specification defines a harmonized search parameter string, which is returned in the searchset bundle as the .link.url on the .link for self. This string could be recorded in the AuditEvent.entity.description as it is well behaved and represents what was actually processed as search parameters. See: conformance

Where there are identifiable Patient subject(s) associated with the returned Resource(s), the AuditEvent.patient SHOULD be used to record the Patient as the subject of the data or activity. When multiple patient results are returned one AuditEvent is created for every Patient identified in the resulting search set. Note this is true when the search set bundle includes any number of resources that collectively reference multiple Patients. This includes one Resource with multiple subject values, or many Resources with single subject values that are different.
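The search rules above, worked through as an added Python example (not part of the specification): the raw request goes into entity.query unmodified, the self link into entity.description, and one AuditEvent is produced per Patient found in the result set. The function names, the sample request and bundle, the patient-detection heuristic, and carrying the DICOM role codes in agent.type are assumptions of this example.

```python
import base64
import copy

DCM = "http://dicom.nema.org/resources/ontology/DCM"

# RESTful interaction -> AuditEvent.action, transcribed from the table above.
ACTION_FOR = {"create": "C", "update": "U", "delete": "D"}
ACTION_FOR.update(dict.fromkeys(
    ["read", "vread", "history-instance", "history-type", "history-system"], "R"))
ACTION_FOR.update(dict.fromkeys(
    ["transaction", "operation", "conformance", "validate",
     "search", "search-type", "search-system"], "E"))


def coded(system, code, display=None):
    """Build a CodeableConcept; display is optional to keep the log small."""
    coding = {"system": system, "code": code}
    if display:
        coding["display"] = display
    return {"coding": [coding]}


def patient_refs(resource):
    """Patient references carried by one returned resource.

    Simplified (assumption): looks only at the resource itself and at its
    'subject' / 'patient' elements, each of which may be single or repeating.
    """
    refs = set()
    if resource.get("resourceType") == "Patient" and "id" in resource:
        refs.add("Patient/" + resource["id"])
    for key in ("subject", "patient"):
        value = resource.get(key)
        for ref in value if isinstance(value, list) else [value]:
            if isinstance(ref, dict) and ref.get("reference", "").startswith("Patient/"):
                refs.add(ref["reference"])
    return refs


def audit_search(raw_request, bundle, client_ref, server_ref, recorded):
    """Return the AuditEvent(s) for one search: one per Patient in the result set."""
    entity = {
        "role": coded("http://terminology.hl7.org/CodeSystem/object-role", "24"),
        # Whole request, byte for byte: no sanitization or normalization.
        "query": base64.b64encode(raw_request).decode("ascii"),
    }
    self_url = next((link["url"] for link in bundle.get("link", [])
                     if link.get("relation") == "self"), None)
    if self_url:
        entity["description"] = self_url  # harmonized string the server processed
    base = {
        "resourceType": "AuditEvent",
        "type": coded("http://terminology.hl7.org/CodeSystem/audit-event-type", "rest"),
        "subtype": [coded("http://hl7.org/fhir/restful-interaction", "search")],
        "action": ACTION_FOR["search"],
        "recorded": recorded,
        "agent": [
            # Assumption: the DICOM role codes are carried in agent.type.
            {"type": coded(DCM, "110153", "Source Role ID"), "who": {"reference": client_ref}},
            {"type": coded(DCM, "110152", "Destination Role ID"), "who": {"reference": server_ref}},
        ],
        "source": {"observer": {"reference": server_ref}},
        "entity": [entity],  # the request only; the response is not copied
    }
    patients = set()
    for entry in bundle.get("entry", []):
        patients |= patient_refs(entry.get("resource", {}))
    if not patients:
        return [base]
    events = []
    for ref in sorted(patients):
        event = copy.deepcopy(base)
        event["patient"] = {"reference": ref}
        events.append(event)
    return events


# Constructed sample input (not from the specification).
RAW_REQUEST = (b"GET /fhir/Observation?code=8867-4&_count=50 HTTP/1.1\r\n"
               b"Host: fhir.example.org\r\nAccept: application/fhir+json\r\n\r\n")
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "searchset",
    "link": [{"relation": "self",
              "url": "https://fhir.example.org/fhir/Observation?code=8867-4&_count=50"}],
    "entry": [
        {"resource": {"resourceType": "Observation", "id": "o1", "subject": {"reference": "Patient/a"}}},
        {"resource": {"resourceType": "Observation", "id": "o2", "subject": {"reference": "Patient/b"}}},
        {"resource": {"resourceType": "Observation", "id": "o3", "subject": {"reference": "Patient/a"}}},
    ],
}
EVENTS = audit_search(RAW_REQUEST, SAMPLE_BUNDLE, "Device/client-app",
                      "Device/fhir-server", "2024-01-01T12:00:00Z")
```

Because entity.query holds the request headers unsanitized, it can include credentials such as an Authorization header, so read access to stored AuditEvents needs to be restricted accordingly.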

FHIR interactions can result in a rich description of the outcome using the OperationOutcome. The OperationOutcome Resource is a collection of error, warning or information messages that result from a system action. This describes in detail the outcome of some operation, such as when a RESTful operation fails.

When recording into an AuditEvent that some FHIR interaction has happened, the AuditEvent SHOULD include the OperationOutcome from that FHIR interaction. This is done by placing the OperationOutcome into an AuditEvent.entity, likely as a contained resource, given that OperationOutcome resources often are not persisted.

entity.what is the OperationOutcome -- likely contained

entity.type is code OperationOutcome

entity.description explains why this OperationOutcome was included.

See transaction failure example: when a client attempts to post (create) an Observation Resource using a server Patient endpoint, this would result in an error with an OperationOutcome.
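One way to carry an OperationOutcome inside an AuditEvent as described above, as an added Python example (not part of the specification). The function name, the sample resources, and the mapping of issue severity to outcome.code and issue details to outcome.detail are assumptions of this example; entity.type is not set because the element list in the templates above has no such element.

```python
import copy

ISSUE_SEVERITY = "http://hl7.org/fhir/issue-severity"
RANK = {"information": 1, "warning": 2, "error": 3, "fatal": 4}


def attach_operation_outcome(audit_event, operation_outcome, why):
    """Return a copy of audit_event that carries operation_outcome as a contained entity."""
    event = copy.deepcopy(audit_event)
    outcome_res = copy.deepcopy(operation_outcome)

    # Contained resources need an id that is unique inside this AuditEvent.
    taken = {c.get("id") for c in event.get("contained", [])}
    n = 1
    while f"oo{n}" in taken:
        n += 1
    outcome_res["id"] = f"oo{n}"
    event.setdefault("contained", []).append(outcome_res)

    # entity.what points at the contained resource; description says why it is here.
    event.setdefault("entity", []).append(
        {"what": {"reference": "#" + outcome_res["id"]}, "description": why})

    # Assumption: outcome.code is the worst issue severity, outcome.detail the issue details.
    graded = [i for i in outcome_res.get("issue", []) if i.get("severity") in RANK]
    if graded:
        worst = max(graded, key=lambda i: RANK[i["severity"]])
        event["outcome"] = {"code": {"system": ISSUE_SEVERITY, "code": worst["severity"]}}
        details = [i["details"] for i in graded if "details" in i]
        if details:
            event["outcome"]["detail"] = details
    return event


# Constructed sample: an Observation posted to the Patient endpoint is rejected.
SAMPLE_OUTCOME = {
    "resourceType": "OperationOutcome",
    "issue": [
        {"severity": "warning", "code": "informational",
         "details": {"text": "Request body was not pretty-printed"}},
        {"severity": "error", "code": "invalid",
         "details": {"text": "Resource type Observation does not match endpoint Patient"}},
    ],
}
SAMPLE_EVENT = {"resourceType": "AuditEvent", "action": "C",
                "recorded": "2024-01-01T12:00:00Z"}
FAILED = attach_operation_outcome(SAMPLE_EVENT, SAMPLE_OUTCOME, "create rejected by server")
```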

The AuditEvent provides the element AuditEvent.authorization to convey the purpose of use for the whole event and AuditEvent.agent.authorization to convey the purpose of use that a particular actor (machine, person, software) was involved in the event.

AuditEvent.authorization is an element at the level of AuditEvent and can convey the purpose of the activity that resulted in the event. This will occur when the system that is reporting the event is aware of the purpose of the event. A specific example would be a radiology reporting system where a radiologist has created and is sending a finished report. This system likely knows the purpose, e.g., "treatment". It is multi-valued because the one event MAY be related to multiple purposes.

It is also commonplace that the reporting system does not have information about the purpose of the event. In these cases, the event report would not have an authorization.

It is also likely that the same event will be reported from different perspectives, e.g., by both the sender and recipient of a communication. These two different perspectives can have different knowledge regarding the authorization.

AuditEvent.agent.authorization is an element at the level of agent within AuditEvent. This describes the reason that this person, machine, or software is participating in the activity that resulted in the event. For example, an individual person participating in the event MAY assert a purpose of use from their perspective. It is also possible that they are participating for multiple reasons and report multiple purposeOfUse.

The reporting system might not have knowledge regarding why a particular machine or person was involved and would omit this element in those cases.

When the same event is reported from multiple perspectives, the reports can have different knowledge regarding the purpose.

It is a best practice to include a reference to the Patient affected by any auditable event, in order to enable Privacy Accounting of Disclosures and Access Logs, and to enable privacy office and security office audit log analysis. Reasonable efforts SHOULD be taken to assure the Patient is recorded, but it is recognized that there are times when this is not reasonable.

Where an activity impacts more than one Patient subject, multiple AuditEvent resources SHOULD be recorded, one for each Patient subject. This best enables segmentation of the AuditEvent details so as to limit the Privacy impact. The use of multiple AuditEvent is a best-practice and SHOULD be driven by a Policy. There will be cases where the use of multiple AuditEvent resources is not necessary, such as public health reporting.

To record a REST interaction or $operation, it is often necessary to complete the transaction in order to determine the Patient subject. Inspection of the potential returned results MAY be necessary. Some REST and $operations include parameters limiting the results to a specific Patient; in these cases this parameter informs the inclusion of the Patient reference.

Implementation Guides MAY make the AuditEvent requirements more clear given the workflow or security context mandated by the Implementation Guide.

Search parameters for this resource. See also the full list of search parameters for this resource, and check the Extensions registry for search parameters on extensions related to this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.

| Name | Type | Description | Expression | In Common |
| --- | --- | --- | --- | --- |
| action | token | Type of action performed during the event | AuditEvent.action | |
| agent | reference | Identifier of who | AuditEvent.agent.who (Practitioner, Group, Organization, CareTeam, Device, DeviceDefinition, Patient, HealthcareService, PractitionerRole, RelatedPerson) | |
| agent-role | token | Agent role in the event | AuditEvent.agent.role | |
| based-on | reference | Reference to the service request. | AuditEvent.basedOn (Any) | |
| date | date | Time when the event was recorded | AuditEvent.recorded | 22 Resources |
| encounter | reference | Encounter related to the activity recorded in the AuditEvent | AuditEvent.encounter (Encounter) | 26 Resources |
| entity | reference | Specific instance of resource | AuditEvent.entity.what (Any) | |
| entity-desc | string | Description of an entity | AuditEvent.entity.description | |
| entity-role | token | What role the entity played | AuditEvent.entity.role | |
| outcome | token | Whether the event succeeded or failed | AuditEvent.outcome.code | |
| patient | reference | Where the activity involved patient data | AuditEvent.patient (Patient) | 60 Resources |
| policy | uri | Policy that authorized event | AuditEvent.agent.policy | |
| purpose | token | The authorization (purposeOfUse) of the event | `AuditEvent.authorization \| AuditEvent.agent.authorization` | |
| source | reference | The identity of source detecting the event | AuditEvent.source.observer (Practitioner, Organization, CareTeam, Device, Patient, PractitionerRole, RelatedPerson) | |
| subtype | token | More specific code for the event | AuditEvent.subtype | |
| type | token | Type (category) of event | AuditEvent.type | |