Stream: implementers
Topic: AuditEvent object
Ardon Toonstra (Jul 19 2016 at 14:45):
Hi there! In an audit logging use case we are using the AuditEvent Resource. All activity within a patient’s record should be logged. The information that has been ‘touched’ should be identifiable as well as the patient. Is it possible to use object.reference for the patient and the object.identifier, object.name and object.description for the identification of the ‘touched’ information? Or should this be done separately by slicing object?
Grahame Grieve (Jul 19 2016 at 19:16):
i'm not understanding the 'or' bit? You can do that, I think, but where does slicing come into it?
John Moehrke (Jul 19 2016 at 22:45):
Ardon, you have two AuditEvent.entity elements. One that points at the Patient (by reference), One that points at the object touched (by reference). You also need an AuditEvent.agent to identify who did the touching, you should likely have another AuditEvent.agent to identify the software doing the touching. All of these should be just references. So the size of this thing is not that big. The expectation is that an audit log analysis/reporting system can follow the references if it needs details, and when it does that access conttrol and more audit events are logged.
Ardon Toonstra (Jul 20 2016 at 06:45):
@Grahame Grieve I wondered if I can use 1 object element to identify the patient and the information touched or that I should use multiple object elements.
@John Moehrke For what I am understanding from your answer is that I should use two AuditEvent.objects (DSTU2), one for the patient and the other for the identification of the information that has been accessed.
Grahame Grieve (Jul 20 2016 at 07:04):
y I agree with John
Ardon Toonstra (Jul 20 2016 at 07:05):
Thank you both
Last updated: Apr 12 2022 at 19:14 UTC
