Audit Event

$10 / year

Audit Event is a record of an event made for purposes of maintaining a security log. Typical uses include detection of intrusion attempts and monitoring for inappropriate usage. All actors – such as applications, processes, and services – involved in an auditable event should record an Audit Event. This will likely result in multiple Audit Event entries that show whether privacy and security safeguards, such as access control, are properly functioning across an enterprise’s system-of-systems.


It is typical to get an auditable event recorded by both the application in a workflow process and the servers that support them. For this reason, duplicate entries are expected, which is helpful because it may aid in the detection of, for example, fewer than expected actors being recorded in a multi-actor process or attributes related to those records being in conflict, which is an indication of a security problem. There may be non-participating actors, such as trusted intermediary, that also detect a security relevant event and thus would record an Audit Event, such as a trusted intermediary.

Security relevant events are not limited to communications or RESTful events. They include:
– Software start-up and shutdown
– User login and logout
– Access control decisions
– Configuration events
– Software installation
– Policy rules changes
– Manipulation of data that exposes the data to users.

The content of an Audit Event is intended for use by security system administrators, security and privacy information managers, and records management personnel. This content is not intended to be accessible or used directly by other healthcare users, such as providers or patients, although reports generated from the raw data would be useful. An example is a patient-centric accounting of disclosures or an access report. Servers that provide support for Audit Event resources would not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record. Access to the Audit Event would typically be limited to security, privacy, or other system administration purposes.

Relationship of Audit Event and Provenance resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource contains overlapping information but is a record-keeping assertion that gathers information about the context in which the information in a resource “came to be” in its current state, e.g., whether it was created de novo or obtained from another entity in whole, part, or by transformation. Provenance resources are prepared by the application that initiates the create/update of the resource and may be persisted with the Audit Event target resource.

The audit event is based on the IHE-ATNA (Integrating the Healthcare Enterprise – Audit Trail and Node Authentication) Audit record definitions, originally from RFC 3881, and now managed by DICOM. This resource is managed collaboratively between HL7, DICOM, and IHE. The primary purpose of this resource is the maintenance of security audit log information. However, it can also be used for any audit logging needs and simple event-based notification.

Fast Healthcare Interoperability Resources (FHIR) is a draft standard describing data formats and elements (known as “resources”) and an application programming interface (API) for exchanging electronic health records. The standard was created by the Health Level Seven International (HL7) health-care standards organization.

Its goal is to facilitate interoperation between legacy healthcare systems, to make it easy to provide healthcare information to healthcare providers and individuals on a wide variety of devices from computers to tablets to cell phones, and to allow third-party application developers to provide medical applications which can be easily integrated into existing systems.

FHIR provides an alternative to document-centric approaches by directly exposing discrete data elements as services. For example, basic elements of healthcare like patients, admissions, diagnostic reports and medications can each be retrieved and manipulated via their own resource URLs (Uniform Resource Locators). FHIR was supported at an American Medical Informatics Association meeting by many EHR (Electronic Health Record) vendors which value its open and extensible nature.

Date Created


Last Modified




Update Frequency


Temporal Coverage


Spatial Coverage

United States


John Snow Labs; Health Level Seven International;

Source License URL

Source License Requirements


Source Citation



FHIR, HL7, Medical Terminology, Processes Data, Processes Information, Processes Documentation, Health Information Exchange, Electronic Health Records, FHIR Smart, Smart on FHIR

Other Titles

FHIR Audit Event Resource, Electronic Health Records Exchange Through FHIR

Concept_NameName of the concept in the FHIR structurestringrequired : 1
Computer_Ready_NameA Computer-ready name (e.g. a token) that identifies the structure - suitable for code generation. Note that this name (and other names relevant for code generation, including element & slice names, codes etc) may collide with reserved words in the relevant target language, and code generators will need to handle this.string-
TypeThe type the structure describes.string-
Dollar_RefThe Dollar_Ref ($ref) string value contains a Uniform Resource Identifier (URI) which identifies the location of the JSON (JavaScript Object Notation) value being referenced.string-
DescriptionA free text natural language description of the structure and its usestring-
ItemsThe value of the keyword should be an object or an array of objects. If the keyword value is an object, then for the data array to be valid each item of the array should be valid according to the schema in this value.string-
EnumThe enum is used to restrict a value to a fixed set of values. It must be an array with at least one element, where each element is unique.string-
RequiredThe value of the keyword should be an array of unique strings. The data object to be valid should contain all properties with names equal to the elements in the keyword value.string-
ConstThe value of this keyword can be anything. The data is valid if it is deeply equal to the value of the keyword.string-
Concept NameComputer Ready NameTypeDollar RefDescriptionItemsEnumRequiredConst
AuditEventresourceTypeThis is a AuditEvent resourceAuditEvent
AuditEventid#/definitions/idThe logical id of the resource as used in the URL for the resource. Once assigned this value never changes.
AuditEventmeta#/definitions/MetaThe metadata about the resource. This is content that is maintained by the infrastructure. Changes to the content might not always be associated with version changes to the resource.
AuditEventimplicitRules#/definitions/uriA reference to a set of rules that were followed when the resource was constructed and which must be understood when processing the content. Often this is a reference to an implementation guide that defines the special rules along with other profiles etc.
AuditEvent_implicitRules#/definitions/ElementExtensions for implicitRules
AuditEventlanguage#/definitions/codeThe base language in which the resource is written.
AuditEvent_language#/definitions/ElementExtensions for language
AuditEventtext#/definitions/NarrativeA human-readable narrative that contains a summary of the resource and can be used to represent the content of the resource to a human. The narrative need not encode all the structured data but is required to contain sufficient detail to make it "clinically safe" for a human to just read the narrative. Resource definitions may define what content should be represented in the narrative to ensure clinical safety.
AuditEventcontainedarrayThese resources do not have an independent existence apart from the resource that contains them - they cannot be identified independently and nor can they have their own independent transaction scope.{'$ref': '#/definitions/ResourceList'}
AuditEventextensionarrayMay be used to represent additional information that is not part of the basic definition of the resource. To make the use of extensions safe and manageable there is a strict set of governance applied to the definition and use of extensions. Though any implementer can define an extension there is a set of requirements that SHALL be met as part of the definition of the extension.{'$ref': '#/definitions/Extension'}
Related Data Packages