<status value="active"/> <date value="2026-03-20T11:58:09+00:00"/> <publisher value="HL7 International / Mobile Health"/> <contact> <telecom> <system value="url"/> <value value="http://www.hl7.org/Special/committees/mobile"/> </telecom> </contact> <description value="This category is about auditing, which is a mechanism for user and system accountability. Important events, such as logins and access to particular functions and data, are recorded and can be used to detect instances of non-compliant behavior and to facilitate detection of improper creation, access, modification, and deletion of personal health information. Any information technology including consumer health apps should follow best practices in managing an audit trail. The audit trail should maintain a record of users who have accessed what data, from where, and when. Audit logs should also record any attempts to access the system from an unauthorized terminal; expired usernames or passwords that try to access the system, unusual numbers of authentication attempts, and violations of an organizations security policy."/> <jurisdiction> <coding> <system value="http://unstats.un.org/unsd/methods/m49/m49.htm"/> <code value="001"/> <display value="World"/> </coding> </jurisdiction> <statement> <extension url="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent"> <valueBoolean value="false"/> </extension> <key value="CMHAFFR2-APU.10-111"/> <label value="APU.10#111"/> <conformance value="SHALL"/> <conditionality value="false"/> <requirement value="[User authentication is required to access app] User authentication attempts, both successful and unsuccessful, generate an audit record."/> </statement> <statement> <extension url="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent"> <valueBoolean value="false"/> </extension> <key value="CMHAFFR2-APU.10-112"/> <label value="APU.10#112"/> <conformance value="SHALL"/> <conditionality value="false"/> <requirement value="User permissions to access, or the revocation of access, regarding smartphone/tablet device capabilities for use by the app (e.g., use of camera, location services) generate an audit record."/> </statement> <statement> <extension url="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent"> <valueBoolean value="false"/> </extension> <key value="CMHAFFR2-APU.10-113"/> <label value="APU.10#113"/> <conformance value="SHALL"/> <conditionality value="false"/> <requirement value="[App uses external devices or data sources for data collection] Pairing a device or data repository external to the app, which supplies data used by the app, generates an audit record."/> </statement> <statement> <extension url="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent"> <valueBoolean value="false"/> </extension> <key value="CMHAFFR2-APU.10-114"/> <label value="APU.10#114"/> <conformance value="SHALL"/> <conditionality value="false"/> <requirement value="[App allows for the export of data to a data repository external to the app] Any export of data from the app generates an audit record."/> </statement> </Requirements>

Criteria N:

APU.10#111

SHALL

[User authentication is required to access app] User authentication attempts, both successful and unsuccessful, generate an audit record.

APU.10#112

SHALL

User permissions to access, or the revocation of access, regarding smartphone/tablet device capabilities for use by the app (e.g., use of camera, location services) generate an audit record.

APU.10#113

SHALL

[App uses external devices or data sources for data collection] Pairing a device or data repository external to the app, which supplies data used by the app, generates an audit record.

APU.10#114

SHALL

[App allows for the export of data to a data repository external to the app] Any export of data from the app generates an audit record.