Core Principles


This practice area addresses the following Markle Connecting for Health Core Principles for a Networked Environment:

  • Use Limitation

  • Individual Participation and Control

  • Data Quality and Integrity

  • Accountability and Oversight

See Architecture for Privacy in a Networked Health Information Environment for more information.

Purpose

Audit trails are a basic requirement for electronic health information in EHRs and PHRs. Consumer Access Services must provide consumers with convenient electronic access to an audit trail as a mechanism to demonstrate compliance with use and disclosure authorization(s). An audit trail as defined here is an easy-to-comprehend date-, time-, and source-stamped historical record of significant activities and transactions that pertain to access of the consumer's account and the use and disclosure of personal data within. Of note, electronic audit trails have been in wide use in Internet banking; a 2004 survey found that almost all banks provide joint account holders with a clear audit trail that details which account holder performed which transaction.[1]

The audit trail compiled and maintained by a Consumer Access Service should be the same audit trail displayed to the consumer, and each audit trail entry should be immutable (i.e., unchanging and unchangeable) in content.

Persistence of the audit trail should be commensurate with the data persistence policies of the Consumer Access Service. For example, if the Consumer Access Service retains professionally sourced data for seven years, then entries in the consumer's audit trail should persist for at least this same period of time.

Source-stamping is particularly important for end-users to evaluate the validity of information displayed from a consumer data stream. There are cases when a given data element may have more than one "source." For example, consider the case in which a Consumer Access Service is authorized to obtain the previous 90 days of prescription medication history on the consumer's behalf from a retail pharmacy clearinghouse. When the information is imported into the consumer's application, the clearinghouse is a "source" of the transaction. Upstream of that transaction, there were other "sources," like the doctor who wrote the prescription and the pharmacy that filled it. Ideally, the audit history should include each relevant upstream and downstream source. Consumer-sourced entries must be marked as such.

Recommended Practice

Each Consumer Access Service should maintain an easy-to-comprehend and clearly labeled electronic audit trail containing immutable entries that pertain to the consumer's account, information, and policy consent. Each entry should identify, at a minimum, who has accessed the consumer's records, a date, time, and source stamp for each such access, and the source of each significant transaction. The audit trail should be retained at minimum according to the data retention practice of the service.

We suggest the following as "auditable" events/activities:

  1. Account:
    1. Access attempts and outcomes (i.e., successes or failures, length of session), including those by proxies.
    2. Logout events, including those by proxies.
  2. Transactions and data:
    1. Creation (e.g., self-reported allergy)
    2. Modification (e.g., self-reported downward adjustment to a medication's dosage frequency)
    3. View (e.g., access of a problem list)
    4. Export (e.g., export of data to a PDA or spreadsheet)
    5. Import (e.g., import of data from a claims clearinghouse)
    6. Deletion (e.g., removal of a medication the consumer no longer takes)
    7. Dispute (e.g., the consumer challenges the accuracy of a professionally sourced data element)
    8. Proxy (e.g., setting up access to the record by a proxy, such as a caregiver)
  3. Policy:
    1. Consent (e.g., capture of the consumer's general and independent consents, with roll-back access to versions of applicable policies to which the consumer consented)
    2. Revocation (e.g., the consumer decides to terminate a previously authorized consent that allowed sharing of data with a 3rd-party service provider)

(For related information, see CP8: Consumer Obtainment and Control of Information, Proxy Access.)
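
One way to approach the "immutable entries" recommendation, shown as an added example that is not part of the Markle framework: an append-only trail whose entries carry the date, time, source chain and event type listed above, and are hash-chained so that any later edit is detectable. The field names, the SHA-256 chaining and the sample entries are assumptions made for this illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Auditable event types taken from the list above, grouped by category.
EVENTS = {
    "account": {"access_attempt", "logout"},
    "transaction": {"creation", "modification", "view", "export", "import",
                    "deletion", "dispute", "proxy"},
    "policy": {"consent", "revocation"},
}
GENESIS = "0" * 64  # prev_hash of the first entry (constructed value)

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(trail, category, event, actor, sources, detail,
                 consumer_sourced=False, via_proxy=False):
    """Append one date-, time- and source-stamped entry; old entries are never edited."""
    if event not in EVENTS.get(category, ()):
        raise ValueError(f"not an auditable event: {category}/{event}")
    if not sources:
        raise ValueError("every entry needs at least one source stamp")
    body = {
        "seq": len(trail), "timestamp": datetime.now(timezone.utc).isoformat(),
        "category": category, "event": event, "actor": actor, "detail": detail,
        "via_proxy": via_proxy, "consumer_sourced": consumer_sourced,
        "sources": list(sources),  # upstream first: prescriber, pharmacy, clearinghouse
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    trail.append({**body, "hash": _digest(body)})
    return trail[-1]

def verify(trail):
    """Return the index of the first entry that fails the chain check, else None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def sample_trail():  # constructed sample entries, not real data
    trail = []
    append_entry(trail, "transaction", "import", "service",
                 ["prescriber", "pharmacy", "clearinghouse"], "90-day medication history")
    append_entry(trail, "transaction", "creation", "consumer", ["consumer"],
                 "self-reported allergy", consumer_sourced=True)
    return trail
```

The chain detects edits and removals inside the trail; detecting truncation at the end additionally requires recording the latest hash somewhere the trail's writer cannot change.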

__________

  1. American Bankers Association, Summary of Survey on Internet Banking: Online Enrollment, Account Opening, and Fraud Prevention. May 2004. Accessed online on August 28, 2007, at the following URL: http://www.aba.com/NR/rdonlyres/C38C00C0-071B-4944-904B-FC4A734CBC7F/35916/InternetSummary2004.pdf.

 

©2008-2011, Markle Foundation

This work was originally published as part of a compendium called The Markle Connecting for Health Common Framework for Networked Personal Health Information. It is made available free of charge, but subject to the terms of a License. You may make copies of this work; however, by copying or exercising any other rights to the work, you accept and agree to be bound by the terms of the License. All copies of this work must reproduce this copyright information and notice.