ASTM E2147-18

This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the
Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
Designation: E2147 − 18
Standard Specification for
Audit and Disclosure Logs for Use in Health Information
Systems
This standard is issued under the fixed designation E2147; the number immediately following the designation indicates the year of
original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A
superscript epsilon (´) indicates an editorial change since the last revision or reapproval.
1. Scope entries and actions that create, change, or delete electronic
records or other patient information. Full transparency of
1.1 This specification is for the development and implemen-
modifications or deletions or both is mandatory. For example,
tation of secure audit data and logs for electronically stored
record changes shall not obscure previously recorded informa-
health information. It specifies how to design the audit log to
tion. Such audit data and documentation shall be retained for a
record all activities impacting a medical record, for example,
period at least as long as that required for the subject paper and
creating a new record, entering data into a record, changing or
electronic records (together, “records”), including any time
deleting an existing record, and all additional user access data
period required by evidence preservation or litigation hold
(for example, identification, location, and date and time) to
requirements and applicable state or applicable federal laws
patient-identifiable information maintained in computer sys-
pertaining to the subject records. In no event shall the audit
tems. Such audit logs shall track not only data entry and
data or medical records in hard copy or electronic format be
modifications, but also simple access and viewing of the
destroyed in advance of that date prescribed by state, federal or
patient record, and whether any modifications are made during
other law or regulation, when such records may be legally
that access. This specification also includes principles for
destroyed; and in any case, not before ten years or, in the case
developing policies, procedures, and functions of health infor-
of a minor child, before two years after that child’s eighteenth
mation logs to document all actions regarding identifiable
birthday. If such records are for any reason maintained beyond
health information for use in both manually entered (paper
this minimum requirement, then the audit logs, and the data
record) and computer systems.
contained therein, must be maintained as long as the records
1.2 The first purpose of this specification is to define the
are maintained. Audit logs and healthcare information shall be
nature, purpose, and function of system access audit logs and
provided when specifically requested by authorized healthcare
their use in health information systems as a technical and
providers; the patient, his personal representative, advocate,
procedural tool to help provide privacy and security oversight
and/or designee; researchers; quality control personnel; and
and produce a self-authenticating record that would, when
organizational managers or administrators or both; and other
maintained together with its audit logs, speak to and confirm its
persons authorized to have access to patient records or patient-
own integrity and accuracy of the medical and other data
identifiable information or both in any form.
within the record. Moreover, in concert with organizational
1.3 In the absence of computerized logs, audit log principles
confidentiality and security policies and procedures, permanent
can be implemented manually in the paper patient record
audit logs can clearly identify all system application users who
environment with respect to permanently monitoring paper
accessed and acted on patient identifiable information or both,
patient record access, data entry, and data modification. Where
and identify the location of the user, identify patient informa-
the paper patient record and the computer-based patient record
tion accessed, and maintain a permanent record of actions
coexist in parallel, security oversight and access and data
taken by the user. Accomplishing the purpose of creating a
management shall address both environments with the under-
trustworthy record thus requires the use of secure, automatic,
lying and unifying principle being transparency regarding the
computer-generated, time-stamped audit logs, which shall be
identity of the individual accessing or acting upon data in the
used to independently record the identity of the user as well as
record or both; the location of the individual when doing so;
the date, time, and location of user access, and also record all
the time and date of such actions/entries; and clear visibility of
modifications such as addenda, deletions, error corrections, and
This specification is under the jurisdiction of ASTM Committee E31 on
late entries.
Healthcare Informatics and is the direct responsibility of Subcommittee E31.25 on
Healthcare Data Management, Security, Confidentiality, and Privacy.
1.4 The second purpose of this specification is to identify
Current edition approved May 1, 2018. Published May 2018. Originally
principles for establishing a permanent record of disclosure of
approved in 2001. Last previous edition approved in 2009 as E2147 – 01(2009)
health information to external users and the data to be recorded
which was withdrawn March 2017 and reinstated in May 2018. DOI: 10.1520/
E2147-18. in maintaining it. Security management of health information
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
E2147 − 18
requires a comprehensive framework that incorporates both E1869 Guide for Confidentiality, Privacy, Access, and Data
mandates and criteria for disclosing patient health information Security Principles for Health Information Including Elec-
found in federal and state laws and rules and regulations and tronic Health Records (Withdrawn 2017)
ethical statements of professional conduct. Accountability for E1986 Guide for Information Access Privileges to Health
such a framework shall be established through a set of standard Information (Withdrawn 2017)
principles that are applicable to all healthcare settings and
2.2 Federal Standards:
health information systems.
21 CFR 11 Subpart B(e) Electronic Records
1.5 The creation and preservation of logs used to audit and 42 CFR, Part 2 Confidentiality of Alcohol and Drug Abuse
oversee health information access, actions made upon health Patient Records
information, and disclosure of health information are the
responsibility of each healthcare provider, organization, data
3. Terminology
intermediary, data warehouse, clinical data repository, third-
3.1 Definitions:
party payer, agency, organization, or corporation that maintains
3.1.1 access, n—the provision of an opportunity to
or provides or has access to individually identifiable data. Such
approach, inspect, review, retrieve, store, communicate with, or
logs are specified in and support policy on information access
make use of health information resources (for example,
monitoring and are tied to disciplinary sanctions that satisfy
hardware, software, systems or structure) or patient identifiable
legal, regulatory, accreditation, institutional mandates, civil
data and information, or both.
remedies by the patient or patient’s family, and are also tied to
3.1.2 access report—record that is a subset of the ”clinical
authentication of medical data and a patient’s right to obtain a
audit report” documenting the following information about
complete, accurate, and transparent set of medical data and
each access of patient medical information: user identification
metadata (for example, audit logs).
(the person accessing the record); the date and time of the
1.6 When non-patient-specific healthcare data is sought (for
access (documenting both start and exit times spent on each
example, analyses of aggregate patient data for internal or
record accessed); total duration of access; specific terminal,
external reviews, research, or subsidies), healthcare providers
hardware, or location from which the access occurred; type of
and organizations need to also prescribe access requirements
action (for example, copy, print, addition, modification, and
for such aggregate data and approve query tools that allow
deletion to the record, and when any access has been made,
complete auditing capability or design data repositories that, in
even when the user makes no entry or change); specific patient
an active query, can limit inclusion of data in end-product
data accessed.
aggregate form that reveals potential keys to identifiable data.
In other words, endproduct aggregate-patient data shall not
3.1.2.1 Discussion—The above access information is an
contain patient-identifying data or elements that, through
indispensable part of the medical record because it is clinically
analysis, can be used to identify individuals through inferences.
relevant and does not appear in certain iterations of the record.
For example, fields such as birth date, sex, race, or relevant
All accesses shall be recorded, and the entire access record
demographics, and medical records numbers, or combinations
shall be provided when an access record is requested.
thereof, are analyzed together for research purposes, using
3.1.3 audit data, n—complete historical record of entries
software that matches data elements across databases, thereby
regarding patient care information automatically collected and
allowing identification of specific patients through inferencing,
stored by electronic health records (EHR) software or, in the
while preserving patient privacy. Audit data and logs can be
case of paper records, collected and stored as a matter of
designed to work with such applications, if the query functions
industry standard and related policy and procedure.
are part of a defined retrieval application, but the end-product
3.1.3.1 Discussion—This data collection includes informa-
data is safeguarded to protect patient identity from release. This
tion entered or altered (changed or deleted) by users or
specification applies to the disclosure or transfer of health
processes and information concerning all users who accessed
information (records) whether as individual files or in batches.
or who made, changed, or caused entries to be made into the
1.7 This international standard was developed in accor-
EHR or paper medical record. In the case of EHR, this
dance with internationally recognized principles on standard-
collection includes, but is not limited to, information regarding
ization established in the Decision on Principles for the
demographic data about the user and facts about access and
Development of International Standards, Guides and Recom-
actions taken by the user, such as date, time, location, and area
mendations issued by the World Trade Organization Technical
of record accessed/actions taken, and the actions taken by the
Barriers to Trade (TBT) Committee.
user or process in the record, such as creation, queries, views,
additions, modifications, deletions, and so forth.
2. Referenced Documents
3.1.4 authentication, n—confirmation that a record is what it
2.1 ASTM Standards:
purports to be, an accurate depiction of a patient’s medical care
and data; the act of establishing a record, or other document, as
For referenced ASTM standards, visit the ASTM website, www.astm.org, or
contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM
Standards volume information, refer to the standard’s Document Summary page on The last approved version of this historical standard is referenced on www.ast-
the ASTM website. m.org.
E2147 − 18
genuine, trustworthy and official; the provision of such assur- well as an ordinary language description of any abbreviations
ance of the record’s authenticity is possible only because of the or coded information recorded in the database.
audit log and data associated therewith.
3.1.11.1 Discussion—The data dictionary serves as a legend
3.1.4.1 Discussion—Authentication of the record is possible by which the information in the database can be queried and
only when the associated audit data relating to the record is
through which reports can be decoded. The data dictionary also
made an indispensable part of the medical record. (1), explains the connections and dependencies of the tables within
3.1.5 authorization, n—the mechanism for obtaining con-
the database.
sent for the use and disclosure of health information.
3.1.12 database, n—collection of data organized for rapid
((1), AHIMA)
search and retrieval (2).
3.1.6 authorize, v—the granting to a user the right of access
3.1.13 database security, n—refers to the ability of the
to specified data and information, a program, a terminal or a
system to enforce security policy governing access, creation,
process.
modification, or destruction of information.
3.1.7 certificate, n—certificate authority (CA) states a given
3.1.13.1 Discussion—Unauthorized creation or destruction
correlation or given properties of persons or information
of information is an important and substantial threat that shall
technology (IT) systems are true.
be addressed via proactive database security measures.
3.1.7.1 Discussion—If the certificate is used to confirm that
3.1.14 disclosure, n—to access, release, transfer, or other-
a key belongs to its owner, it is called a key certificate. If the wise divulge health information to any internal or external user
certificate is used to confirm roles (qualifications), it is called
or entity other than the individual who is the subject of such
an authentication certificate. information.
3.1.8 change, v—to alter or edit information previously
3.1.15 health information, n—any information relating to
recorded in health information technology, for example, by
the past, present, or future physical or mental health or
addition or deletion.
condition of an individual, the provision of healthcare to an
individual, or the past, present, or future payments (for
3.1.8.1 Discussion—Information previously recorded shall
example, coding and billing) for the provision of healthcare to
not be changed without the retention of prior value(s). Change
a protected individual; and that identifies the individual with
shall be retained as an audited event and in a viewable format
respect to which there is a reasonable basis to believe that the
that identifies the previous (and now changed) information in a
information can be used to identify the individual. This
patient’s record (similar to how one might see changes repre-
information may exist in any form or medium, which is created
sented by redlining in a word-processing application). How
or received by a healthcare provider, a health plan, health
such changes are displayed or produced or both in exported
researcher, public health authority, instructor, employer, school
electronic or printed form is a design decision left to EHR
or university, health information service, or other entity that
technology developers.
creates, receives, obtains, maintains, uses, or transmits health
3.1.9 clinical audit report, n—report created using audit
information, such as a health oversight agency, a health
data collected and stored within the EHR.
information service organization or other (2).
3.1.9.1 Discussion—Audit data can be aggregated into re-
3.1.16 information, n—data to which meaning is assigned,
ports used to respond to a particular query or user’s activity in
according to context and assumed conventions.
the EHR. Audit data can also be aggregated into reports,
commonly called “audit logs” or “audit trails” drawn from 3.1.17 integrity, n—as it relates to health information, it
entire collections of data that have been automatically collected means that the information/record is accurate, complete, and
in the course of patient healthcare. An “access report” is one immutable in that all actions taken with respect to the record
example of a report that can be generated to respond to the are transparent.
questions of which users have gained access to an individual’s
3.1.17.1 Discussion—The integrity of a record containing
health information and what such users did during such access.
health information is verified as trustworthy and authentic by
3.1.10 confidential, adj—status accorded to data or informa-
maintaining all audit data, which shall be enabled by default
tion indicating that it is sensitive for some reason, and
(that is, turned on), immutable (that is, unable to be changed,
therefore, it needs to be protected against theft, disclosure, or
overwritten, or deleted), and able to record not only which
improper use, and must be disseminated only to patient—
action(s) occurred, but more specifically the electronic and
designated individuals or organizations with an approved need
other health information to which the action applies.
to know (1).
3.1.18 privacy and security audit report—intended to cap-
3.1.11 data dictionary, n—description in ordinary language
ture a forensic reconstruction of events that occurred on a
of every table, data object, classification, or category of data, or
patient record.
combinations thereof, contained in the database, including the
properties of each table, data object, and data classification, as 3.1.18.1 Discussion—One important audience of the pri-
vacy and security audit report is security officers and privacy
officers who are relying on the privacy and security audit report
to determine if inappropriate use or disclosure of patient data
American Health Information Management Association.
https://www.federalregister.gov/d/2012-20982/p-157 occurred. When a user performs a create, access, update,
E2147 − 18
change, delete, copy, print, query (search), or user permission 11 Subpart B(e)]}. This further facilitates the purpose that
change that affects a patient record, the system shall audit the patients, healthcare providers, organizations, and others can
following information: user identification, patient obtain a verifiable, self-authenticating record documenting all
identification, the date and time, location from which the event activities with respect to that record. The process of informa-
occurred, type of action, and summary of patient data accessed. tion disclosure and auditing shall also conform, where relevant,
For query (search) events, a summary of the search criteria that with the Privacy Act of 1974 (3).
was used may be audited instead of the list of patient records
4.3 Audit reports designed for system access provide a
returned by the search. If the access is an emergency access
precise capability for healthcare providers, organizations,
(for example, “break glass”), the user or accessor shall docu-
patients, patient representatives, and advocates to see who has
ment his or her reason for access.
accessed and/or manipulated patient information. Because of
3.1.19 self-authenticating, adv—having the capacity to
the significant risk of medical information manipulation in
maintain and demonstrate the integrity and accuracy of all
computing environments by authorized and unauthorized
actions and data within the electronic medical record so that the
users, the audit report is an important management tool to
record is trustworthy.
monitor access and any such manipulation retrospectively. In
addition, the access and disclosure logs become powerful
3.1.19.1 Discussion—Audit data is integral to self-
support documents for disciplinary and legal actions.
authentication and trustworthiness of patient information in-
Moreover, audit reports are essential components to compre-
cluding the medical record and billing record.
hensive security programs in healthcare and vital for the
3.1.20 transaction log, n—specific type of report showing
privacy rights of the individual. A patient has a right to know
all of the content changes in a record that can be generated
who has accessed their patient information and what occurred
from audit data for the purpose of reconstructing the substan-
during such access. Access by any means (viewing or any other
tive record if the record is lost or destroyed.
...