ASTM E2147-18

    Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems

    Active Standard ASTM E2147 | Developed by Subcommittee: E31.25

    Book of Standards Volume: 14.01





    Abstract

    This specification describes the security requirements involved in the development and implementation of audit and disclosure logs used in health information systems. It specifies how to design an access audit log to record all access to patient identifiable information maintained in computer systems, and includes principles for developing policies, procedures, and functions of health information logs to document all disclosure of confidential health care information to external users for use in manual and computer systems. This specification provides for two main purposes, namely: to define the nature, role, and function of system access audit logs and their use in health information systems as a technical and procedural tool to help provide security oversight; and to identify principles for establishing a permanent record of disclosure of health information to external users and the data to be recorded in maintaining it.

    This abstract is a brief summary of the referenced standard. It is informational only and not an official part of the standard; the full text of the standard itself must be referred to for its use and application. ASTM does not give any warranty express or implied or make any representation that the contents of this abstract are accurate, complete or up to date.

    Significance and Use

    4.1 Data that document health services in health care organizations are business records and shall be archived to a secondary but retrievable medium, and readily accessible, such as data that would be archived in a server or cloud storage. Audit data shall be retained for as long as the medical record is maintained, and may not be destroyed before the medical record may legally be destroyed, and in any event, for at least 10 years or for two years after the legal age of majority, unless a longer period of record retention is prescribed by state, federal or other law or regulation.

    4.2 The purpose of audit data and disclosure logs is to document and maintain a permanent, trustworthy, and immutable record of all authorized and unauthorized activities of any nature whatsoever and disclosure of confidential health information {except exclusions per federal and state law [21 CFR 11 Subpart B(e)]}. This further facilitates the purpose that patients, healthcare providers, organizations, and others can obtain a verifiable, self-authenticating record documenting all activities with respect to that record. The process of information disclosure and auditing shall also conform, where relevant, with the Privacy Act of 1974 (3).

    4.3 Audit reports designed for system access provide a precise capability for healthcare providers, organizations, patients, patient representatives, and advocates to see who has accessed and/or manipulated patient information. Because of the significant risk of medical information manipulation in computing environments by authorized and unauthorized users, the audit report is an important management tool to monitor access and any such manipulation retrospectively. In addition, the access and disclosure logs become powerful support documents for disciplinary and legal actions. Moreover, audit reports are essential components of comprehensive security programs in healthcare and vital for the privacy rights of the individual. A patient has a right to know who has accessed their patient information and what occurred during such access. Access by any means (viewing or any other action) to the patient record and/or audit log, or the data contained therein, by attorneys, risk management, or similar individuals or entities is not a privileged action and must also be fully transparent and disclosed.

    4.4 Healthcare providers and organizations are accountable for managing the disclosure of health information in a way that meets legal, regulatory, accreditation, and licensing requirements and growing patient expectations for accountable privacy practices. Basic audit data procedures shall be applied, manually if necessary, to paper patient record systems to the extent necessary to protect patient privacy and to allow authentication of the paper record.

    4.5 Medical records with integrity and trustworthiness are essential to promote safe and appropriate healthcare, billing, research, and quality control initiatives and are protective of all individuals involved in healthcare delivery and receipt. Consumer fears about confidentiality of health information and legal initiatives underscore disclosure practices. Technology exists to incorporate audit functions in health information systems. Institutions are accountable for implementing comprehensive confidentiality, security, and patient information audit programs that combine social elements, management, and technology.

    4.6 This specification also responds to the need for a standard addressing privacy and confidentiality as noted in Public Law 104–191 (2), or the Health Insurance Portability and Accountability Act of 1996, and the need for a self-authenticating record that will verify accuracy and integrity.

    1. Scope

    1.1 This specification is for the development and implementation of secure audit data and logs for electronically stored health information. It specifies how to design the audit log to record all activities impacting a medical record, for example, creating a new record, entering data into a record, changing or deleting an existing record, and all additional user access data (for example, identification, location, and date and time) to patient-identifiable information maintained in computer systems. Such audit logs shall track not only data entry and modifications, but also simple access and viewing of the patient record, and whether any modifications are made during that access. This specification also includes principles for developing policies, procedures, and functions of health information logs to document all actions regarding identifiable health information for use in both manually entered (paper record) and computer systems.

    1.2 The first purpose of this specification is to define the nature, purpose, and function of system access audit logs and their use in health information systems as a technical and procedural tool to help provide privacy and security oversight and produce a self-authenticating record that would, when maintained together with its audit logs, speak to and confirm its own integrity and accuracy of the medical and other data within the record. Moreover, in concert with organizational confidentiality and security policies and procedures, permanent audit logs can clearly identify all system application users who accessed and acted on patient identifiable information or both, and identify the location of the user, identify patient information accessed, and maintain a permanent record of actions taken by the user. Accomplishing the purpose of creating a trustworthy record thus requires the use of secure, automatic, computer-generated, time-stamped audit logs, which shall be used to independently record the identity of the user as well as the date, time, and location of user access, and also record all entries and actions that create, change, or delete electronic records or other patient information. Full transparency of modifications or deletions or both is mandatory. For example, record changes shall not obscure previously recorded information. Such audit data and documentation shall be retained for a period at least as long as that required for the subject paper and electronic records (together, “records”), including any time period required by evidence preservation or litigation hold requirements and applicable state or applicable federal laws pertaining to the subject records. In no event shall the audit data or medical records in hard copy or electronic format be destroyed in advance of that date prescribed by state, federal or other law or regulation, when such records may be legally destroyed; and in any case, not before ten years or, in the case of a minor child, before two years after that child’s eighteenth birthday. If such records are for any reason maintained beyond this minimum requirement, then the audit logs, and the data contained therein, must be maintained as long as the records are maintained. Audit logs and healthcare information shall be provided when specifically requested by authorized healthcare providers; the patient, his personal representative, advocate, and/or designee; researchers; quality control personnel; and organizational managers or administrators or both; and other persons authorized to have access to patient records or patient-identifiable information or both in any form.

    1.3 In the absence of computerized logs, audit log principles can be implemented manually in the paper patient record environment with respect to permanently monitoring paper patient record access, data entry, and data modification. Where the paper patient record and the computer-based patient record coexist in parallel, security oversight and access and data management shall address both environments with the underlying and unifying principle being transparency regarding the identity of the individual accessing or acting upon data in the record or both; the location of the individual when doing so; the time and date of such actions/entries; and clear visibility of modifications such as addenda, deletions, error corrections, and late entries.

    1.4 The second purpose of this specification is to identify principles for establishing a permanent record of disclosure of health information to external users and the data to be recorded in maintaining it. Security management of health information requires a comprehensive framework that incorporates both mandates and criteria for disclosing patient health information found in federal and state laws and rules and regulations and ethical statements of professional conduct. Accountability for such a framework shall be established through a set of standard principles that are applicable to all healthcare settings and health information systems.

    1.5 The creation and preservation of logs used to audit and oversee health information access, actions made upon health information, and disclosure of health information are the responsibility of each healthcare provider, organization, data intermediary, data warehouse, clinical data repository, third-party payer, agency, organization, or corporation that maintains or provides or has access to individually identifiable data. Such logs are specified in and support policy on information access monitoring and are tied to disciplinary sanctions that satisfy legal, regulatory, accreditation, institutional mandates, civil remedies by the patient or patient’s family, and are also tied to authentication of medical data and a patient’s right to obtain a complete, accurate, and transparent set of medical data and metadata (for example, audit logs).

    1.6 When non-patient-specific healthcare data is sought (for example, analyses of aggregate patient data for internal or external reviews, research, or subsidies), healthcare providers and organizations need to also prescribe access requirements for such aggregate data and approve query tools that allow complete auditing capability or design data repositories that, in an active query, can limit inclusion of data in end-product aggregate form that reveals potential keys to identifiable data. In other words, end-product aggregate patient data shall not contain patient-identifying data or elements that, through analysis, can be used to identify individuals through inferences. For example, fields such as birth date, sex, race, other relevant demographics, and medical record numbers, or combinations thereof, may be analyzed together for research purposes using software that matches data elements across databases; such matching can identify specific patients through inferencing, so the analysis must be carried out in a way that preserves patient privacy. Audit data and logs can be designed to work with such applications, if the query functions are part of a defined retrieval application, but the end-product data is safeguarded to protect patient identity from release. This specification applies to the disclosure or transfer of health information (records) whether as individual files or in batches.
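    One way a repository can "limit inclusion of data in end-product aggregate form that reveals potential keys to identifiable data", as 1.6 asks, is to refuse direct identifiers in aggregate output, generalize quasi-identifiers (exact birth date to an age band, full ZIP to a prefix) before grouping, and suppress any cell whose count is below a threshold. The following is an added example written for this page and is not ASTM's or any product's code; the record layout, the minimum cell size of 5, the fixed reference date, and the sample rows are assumptions constructed for the example.

```python
"""Aggregate-query gate for de-identified counts (ASTM E2147 1.6).

Illustrative code for this page, not from ASTM or any product. Field names,
the k threshold, the reference date and the sample records are assumptions.
"""
from collections import Counter
from datetime import date

# Direct identifiers never appear in aggregate output, even as group keys.
DIRECT_IDENTIFIERS = {"mrn", "name"}
MIN_CELL_SIZE = 5            # assumed policy: suppress any cell below this
REFERENCE_DATE = date(2024, 3, 1)   # fixed so age bands are reproducible


def generalize(field: str, value):
    """Coarsen quasi-identifiers before they are used as group keys."""
    if field == "birth_date":            # exact DOB -> 10-year age band
        t, b = REFERENCE_DATE, value
        age = t.year - b.year - ((t.month, t.day) < (b.month, b.day))
        low = age // 10 * 10
        return f"{low}-{low + 9}"
    if field == "zip":                   # 5-digit ZIP -> 3-digit prefix
        return str(value)[:3] + "**"
    return value                         # sex, race: already categorical


def forbidden_fields(group_by: list) -> list:
    """Direct identifiers the caller tried to group on (empty list = ok)."""
    return sorted(DIRECT_IDENTIFIERS & set(group_by))


def aggregate_query(records: list, group_by: list, k: int = MIN_CELL_SIZE) -> dict:
    """Counts per generalized group; small cells are withheld entirely."""
    bad = forbidden_fields(group_by)
    if bad:
        raise ValueError(f"direct identifiers not allowed in aggregate output: {bad}")
    counts = Counter(tuple(generalize(f, r[f]) for f in group_by) for r in records)
    released = {key: n for key, n in counts.items() if n >= k}
    # Only a flag is returned, not the withheld totals: releasing the exact
    # number of suppressed rows alongside a grand total would let a reader
    # reconstruct the small cells by subtraction.
    return {"cells": released, "suppression_applied": len(released) < len(counts), "k": k}


# Constructed sample rows; MRNs and dates are fictitious.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "sex": "F", "race": "White", "birth_date": date(1990, 5, 2),  "zip": "19428"},
    {"mrn": "MRN-0002", "sex": "F", "race": "Black", "birth_date": date(1988, 1, 10), "zip": "19401"},
    {"mrn": "MRN-0003", "sex": "F", "race": "Asian", "birth_date": date(1985, 11, 30), "zip": "19428"},
    {"mrn": "MRN-0004", "sex": "F", "race": "White", "birth_date": date(1992, 3, 1),  "zip": "19403"},
    {"mrn": "MRN-0005", "sex": "F", "race": "White", "birth_date": date(1991, 7, 4),  "zip": "19428"},
    {"mrn": "MRN-0006", "sex": "F", "race": "Black", "birth_date": date(1986, 2, 14), "zip": "19401"},
    {"mrn": "MRN-0007", "sex": "M", "race": "White", "birth_date": date(1960, 6, 1),  "zip": "19087"},
    {"mrn": "MRN-0008", "sex": "M", "race": "Asian", "birth_date": date(1991, 9, 9),  "zip": "19010"},
]


if __name__ == "__main__":
    # The two male patients would each be a cell of one; both are withheld.
    print(aggregate_query(SAMPLE_RECORDS, ["sex", "birth_date"]))
    print(aggregate_query(SAMPLE_RECORDS, ["zip"]))
    try:
        aggregate_query(SAMPLE_RECORDS, ["mrn", "sex"])
    except ValueError as err:
        print("refused:", err)
```

    Cell suppression alone does not stop a user who issues many overlapping queries and differences the results, which is why 1.6 ties aggregate access to query tools with "complete auditing capability": every query, its parameters and its requester belong in the same audit log as record access, so that such probing is visible retrospectively.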

    1.7 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.


    2. Referenced Documents (purchase separately)

    The documents listed below are referenced within the subject standard but are not provided as part of the standard.

    ASTM Standards

    E1869 Guide for Confidentiality, Privacy, Access, and Data Security Principles for Health Information Including Electronic Health Records

    E1986 Guide for Information Access Privileges to Health Information

    Federal Standards

    21 CFR 11 Subpart B(e) Electronic Records

    42 CFR, Part 2 Confidentiality of Alcohol and Drug Abuse Patient Records


    ICS Code

    ICS Number Code 35.240.80 (IT applications in health care technology)

    UNSPSC Code

    UNSPSC Code 85000000 (Healthcare Services)



    DOI: 10.1520/E2147-18

    Citation Format

    ASTM E2147-18, Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems, ASTM International, West Conshohocken, PA, 2018, www.astm.org
