Field | 14.01 : Health Informatics |
---|---|
Scope | 1.1 This specification is for the development and implementation of secure audit data and logs for electronically stored health information. It specifies how to design the audit log to record all activities impacting a medical record, for example, creating a new record, entering data into a record, changing or deleting an existing record, and all additional user access data (for example, identification, location, and date and time) to patient-identifiable information maintained in computer systems. Such audit logs shall track not only data entry and modifications, but also simple access and viewing of the patient record, and whether any modifications are made during that access. This specification also includes principles for developing policies, procedures, and functions of health information logs to document all actions regarding identifiable health information for use in both manually entered (paper record) and computer systems. 1.2 The first purpose of this specification is to define the nature, purpose, and function of system access audit logs and their use in health information systems as a technical and procedural tool to help provide privacy and security oversight and produce a self-authenticating record that would, when maintained together with its audit logs, speak to and confirm its own integrity and accuracy of the medical and other data within the record. Moreover, in concert with organizational confidentiality and security policies and procedures, permanent audit logs can clearly identify all system application users who accessed and acted on patient identifiable information or both, and identify the location of the user, identify patient information accessed, and maintain a permanent record of actions taken by the user.
Accomplishing the purpose of creating a trustworthy record thus requires the use of secure, automatic, computer-generated, time-stamped audit logs, which shall be used to independently record the identity of the user as well as the date, time, and location of user access, and also record all entries and actions that create, change, or delete electronic records or other patient information. Full transparency of modifications or deletions or both is mandatory. For example, record changes shall not obscure previously recorded information. Such audit data and documentation shall be retained for a period at least as long as that required for the subject paper and electronic records (together, “records”), including any time period required by evidence preservation or litigation hold requirements and applicable state or applicable federal laws pertaining to the subject records. In no event shall the audit data or medical records in hard copy or electronic format be destroyed in advance of that date prescribed by state, federal or other law or regulation, when such records may be legally destroyed; and in any case, not before ten years or, in the case of a minor child, before two years after that child’s eighteenth birthday. If such records are for any reason maintained beyond this minimum requirement, then the audit logs, and the data contained therein, must be maintained as long as the records are maintained. Audit logs and healthcare information shall be provided when specifically requested by authorized healthcare providers; the patient, his personal representative, advocate, and/or designee; researchers; quality control personnel; and organizational managers or administrators or both; and other persons authorized to have access to patient records or patient-identifiable information or both in any form. 
1.3 In the absence of computerized logs, audit log principles can be implemented manually in the paper patient record environment with respect to permanently monitoring paper patient record access, data entry, and data modification. Where the paper patient record and the computer-based patient record coexist in parallel, security oversight and access and data management shall address both environments with the underlying and unifying principle being transparency regarding the identity of the individual accessing or acting upon data in the record or both; the location of the individual when doing so; the time and date of such actions/entries; and clear visibility of modifications such as addenda, deletions, error corrections, and late entries. 1.4 The second purpose of this specification is to identify principles for establishing a permanent record of disclosure of health information to external users and the data to be recorded in maintaining it. Security management of health information requires a comprehensive framework that incorporates both mandates and criteria for disclosing patient health information found in federal and state laws and rules and regulations and ethical statements of professional conduct. Accountability for such a framework shall be established through a set of standard principles that are applicable to all healthcare settings and health information systems. 1.5 The creation and preservation of logs used to audit and oversee health information access, actions made upon health information, and disclosure of health information are the responsibility of each healthcare provider, organization, data intermediary, data warehouse, clinical data repository, third-party payer, agency, organization, or corporation that maintains or provides or has access to individually identifiable data. 
Such logs are specified in and support policy on information access monitoring and are tied to disciplinary sanctions that satisfy legal, regulatory, accreditation, institutional mandates, civil remedies by the patient or patient’s family, and are also tied to authentication of medical data and a patient’s right to obtain a complete, accurate, and transparent set of medical data and metadata (for example, audit logs). 1.6 When non-patient-specific healthcare data is sought (for example, analyses of aggregate patient data for internal or external reviews, research, or subsidies), healthcare providers and organizations need to also prescribe access requirements for such aggregate data and approve query tools that allow complete auditing capability or design data repositories that, in an active query, can limit inclusion of data in end-product aggregate form that reveals potential keys to identifiable data. In other words, end-product aggregate-patient data shall not contain patient-identifying data or elements that, through analysis, can be used to identify individuals through inferences. For example, fields such as birth date, sex, race, or relevant demographics, and medical records numbers, or combinations thereof, are analyzed together for research purposes, using software that matches data elements across databases, thereby allowing identification of specific patients through inferencing, while preserving patient privacy. Audit data and logs can be designed to work with such applications, if the query functions are part of a defined retrieval application, but the end-product data is safeguarded to protect patient identity from release. This specification applies to the disclosure or transfer of health information (records) whether as individual files or in batches.
1.7 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee. |
International Classification (ICS) code | 35.240.80 : IT applications in health care technology |
Pages | 7 |
Edition | 18 |
No. | Standard number | Title | Publication date | Status |
---|---|---|---|---|
1 | ASTM E2147-18 | Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems | 2018-05-01 | Standard |
2 | ASTM E2147-01(2013) | Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems (Withdrawn 2017) | 2013-03-01 | Previous edition |
3 | ASTM E2147-01(2009) | Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems | 2009-09-01 | Previous edition |
4 | ASTM E2147-01 | Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems | 2001-11-10 | Previous edition |