4. Audit Control
1. Audit Requirements - Brief
Requirements from “Certification Standards Committee” [http://health.state.mn.us/ehealth/standards/certrecs102609.pdf]
1. Provide the capability to record and examine activity in information systems that contain or use electronic protected health information.
2. Provide the capability to use the ATNA profile to communicate audit messages between Secure Nodes and to establish Audit Repository nodes to collect audit information. Note: The same is mentioned by the CCHIT - EHR ARRA 2011 Preliminary Certification as part of the Security Criteria related to Audit [http://www.cchit.org/sites/all/files/Preliminary%20ARRA%202011%20Security%20Criteria%2020091001_0.pdf]
From CCHIT - CCHIT Ambulatory Requirements for Audit control [[1]]
2. Auditing Requirements - Detail
2.1 Auditing Events
Events common to both CCHIT and ATNA
1. start/stop
2. patient record created/viewed/updated/deleted
3. Query
4. Order
5. Node-authentication failure
6. PHI export
7. PHI import
8. Security Administration events
Events mentioned only in CCHIT
1. user login/logout
2. session timeout
3. account lockout
4. scheduling
5. signature created/validated
6. backup and restore
Events mentioned only in ATNA
1. Reading or modification to the audit log
2. Begin-storing-instances
3. Health-service-event
4. Images-availability-query
5. Instances-deleted
6. Instances-stored
7. Medication
8. Mobile-machine-event
9. Patient-care-assignment
10. Patient-care-episode
11. Procedure record event
12. Study created
13. Study used
Refer to http://www.openmedsoftware.org/wiki/File:Visolve_Audit_ATNA_Req.pdf to learn more about Audit.
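The following is an added example, not code from this page or from OpenEMR: it encodes the common event "patient record created/viewed/updated/deleted" as an RFC 3881 audit message (the XML format ATNA audit messages use) and shows the repository-side check that makes the record examinable. The function names and the sample user, patient and node identifiers are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# "patient record created/viewed/updated/deleted" -> RFC 3881 EventActionCode
ACTIONS = {"created": "C", "viewed": "R", "updated": "U", "deleted": "D"}
OUTCOMES = {"0": "success", "4": "minor failure", "8": "serious failure", "12": "major failure"}

def build_patient_record_audit(action, user_id, patient_id, source_id, outcome="0", when=None):
    """Return an RFC 3881 AuditMessage (XML string) for one patient-record event."""
    if action not in ACTIONS or outcome not in OUTCOMES:
        raise ValueError("unsupported action or outcome")
    when = when or datetime.now(timezone.utc)
    msg = ET.Element("AuditMessage")
    event = ET.SubElement(msg, "EventIdentification", EventActionCode=ACTIONS[action],
                          EventDateTime=when.isoformat(), EventOutcomeIndicator=outcome)
    ET.SubElement(event, "EventID", code="110110", codeSystemName="DCM",
                  displayName="Patient Record")
    # Who did it, which node reported it, and which patient record was touched.
    ET.SubElement(msg, "ActiveParticipant", UserID=user_id, UserIsRequestor="true")
    ET.SubElement(msg, "AuditSourceIdentification", AuditSourceID=source_id)
    obj = ET.SubElement(msg, "ParticipantObjectIdentification", ParticipantObjectID=patient_id,
                        ParticipantObjectTypeCode="1", ParticipantObjectTypeCodeRole="1")
    ET.SubElement(obj, "ParticipantObjectIDTypeCode", code="2", codeSystemName="RFC-3881",
                  displayName="Patient Number")
    return ET.tostring(msg, encoding="unicode")  # attribute values are XML-escaped here

def examine(xml_text):
    """Repository side: parse a message and reject it if who/what/when is missing."""
    # Assumes the sender is an authenticated Secure Node; use a hardened XML parser otherwise.
    msg = ET.fromstring(xml_text)
    parts = {tag: msg.find(tag) for tag in ("EventIdentification", "ActiveParticipant",
             "AuditSourceIdentification", "ParticipantObjectIdentification")}
    missing = [tag for tag, el in parts.items() if el is None]
    if missing:
        raise ValueError("incomplete audit message, missing: " + ", ".join(missing))
    event = parts["EventIdentification"]
    return {"action": event.get("EventActionCode"), "when": event.get("EventDateTime"),
            "outcome": OUTCOMES.get(event.get("EventOutcomeIndicator"), "unknown"),
            "user": parts["ActiveParticipant"].get("UserID"),
            "source": parts["AuditSourceIdentification"].get("AuditSourceID"),
            "patient": parts["ParticipantObjectIdentification"].get("ParticipantObjectID")}

if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    xml_text = build_patient_record_audit("viewed", "dr.smith", "PID-0001", "emr-node-1")
    print(xml_text)
    print(examine(xml_text))
```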
Question (To finalize on): What are the events we need to consider?
3. Audit & ATNA - Actual Tasks
3.2 ATNA related tasks
Links
- Associated with Sourceforge forum thread: http://sourceforge.net/projects/openemr/forums/forum/202506/topic/3500441