|
Type
|
Reference
|
Content
|
|
web
|
profiles.ihe.net
|
ATNA
required, encouraged IHE-IUA
or SMART-on-FHIR
|
|
web
|
profiles.ihe.net
|
ATNA
required, encouraged IHE-IUA
or SMART-on-FHIR
|
|
web
|
profiles.ihe.net
|
|
|
web
|
profiles.ihe.net
|
|
|
web
|
github.com
|
Basic Audit Log Patterns (BALP), published by IHE IT Infrastructure Technical Committee. This guide is not an authorized publication; it is the continuous build for version 1.1.4-current built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/IHE/ITI.BasicAudit/
and changes regularly. See the Directory of published versions
|
|
web
|
www.ihe.net
|
IG © 2022+ IHE IT Infrastructure Technical Committee
. Package ihe.iti.balp#1.1.4-current based on FHIR 4.0.1
. Generated 2025-09-05
Links: Table of Contents |
QA Report
| New Issue | Issues
Version History |
 |
Propose a change
|
|
web
|
github.com
|
Links: Table of Contents
|
QA Report
| New Issue
| Issues
Version History
|
|
Propose a change
|
|
web
|
github.com
|
Links: Table of Contents
|
QA Report
| New Issue
| Issues
Version History
|
|
Propose a change
|
|
web
|
profiles.ihe.net
|
Links: Table of Contents
|
QA Report
| New Issue
| Issues
Version History
|
|
Propose a change
|
|
web
|
www.ihe.net
|
Links: Table of Contents
|
QA Report
| New Issue
| Issues
Version History
|
|
Propose a change
|
|
web
|
profiles.ihe.net
|
CapabilityStatement for ATNA
Audit Record Repository Actor with the ATNA ATX:FHIR Feed Option and Retrieve Audit Message Option defined in RESTful-ATNA Supplement
that also has support for BALP Content.
|
|
web
|
www.ihe.net
|
CapabilityStatement for ATNA
Audit Record Repository Actor with the ATNA ATX:FHIR Feed Option and Retrieve Audit Message Option defined in RESTful-ATNA Supplement
that also has support for BALP Content.
|
|
web
|
profiles.ihe.net
|
IUA - 3.72 Incorporate Access Token [ITI-72]
|
|
web
|
docs.oasis-open.org
|
In SAML this is defined to be carried
in the saml:AuthnContextClassRef
, but may be carried elsewhere based on the use-case and profiling of SAML.
|
|
web
|
docs.oasis-open.org
|
OASIS Authentication Context for SAML
|
|
web
|
gazelle.ihe.net
|
All of the AuditEvent (AuditMessage) encodings can be found on Gazelle AuditTrail section
. These specifications usually use a table format. These are in the format of DICOM AuditMessage, but the mapping to FHIR AuditEvent is defined in the FHIR AuditEvent mapping to DICOM
.
|
|
web
|
profiles.ihe.net
|
The MHD
Implementation Guide has the following AuditEvent profiles:
|
|
web
|
profiles.ihe.net
|
Provide Document Bundle [ITI-65]
-
Document Source
-
Document Recipient
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
examples
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
examples
|
|
web
|
profiles.ihe.net
|
Find Document Lists [ITI-66]
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
examples
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
examples
|
|
web
|
profiles.ihe.net
|
Find Document References [ITI-67]
-
Document Consumer
-
Document Responder
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
examples
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
examples
|
|
web
|
profiles.ihe.net
|
Retrieve Document [ITI-68]
-
Document Consumer
-
Document Responder
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
examples
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
examples
|
|
web
|
github.com
|
MHD open issue to align AuditEvents with BasicAudit
|
|
web
|
profiles.ihe.net
|
The PDQm
Implementation Guide has the following AuditEvent profiles:
|
|
web
|
profiles.ihe.net
|
Mobile Patient Demographics Query [ITI-78]
-
Patient Demographics Consumer
-
Patient Demographics Supplier
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
example
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
example
|
|
web
|
github.com
|
PDQm open issue to align AuditEvents with BasicAudit
|
|
web
|
profiles.ihe.net
|
The PIXm
Implementation Guide has the following AuditEvent profiles:
|
|
web
|
profiles.ihe.net
|
Patient Identity Cross-reference Query [ITI-83]
-
Patient Identifier Cross-reference Consumer
-
Patient Identifier Cross-reference Manager
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
example
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
example
|
|
web
|
profiles.ihe.net
|
Patient Identifier Cross-reference Feed [ITI-104]
-
Patient Identifier Cross-reference Consumer
-
Patient Identifier Cross-reference Manager
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
example
|
|
web
|
profiles.ihe.net
|
profile
|
|
web
|
profiles.ihe.net
|
example
|
|
web
|
github.com
|
PIXm open issue to align AuditEvents
|
|
web
|
profiles.ihe.net
|
This section only applies to auditing agents that have access to the content of the SAML Security Token. This section is only concerned with the AuditEvent profiling to use when an event is attributable to an agent defined in a SAML Security Token. This does not cover how the SAML Token was created, acquired, authorized, or managed. See IHE-XUA
. This specification presumes that the interactions to obtain the “SAML Security Token” were themselves auditable events and properly recorded in the audit log.
|
|
web
|
profiles.ihe.net
|
In this section, we use the term “SAML Security Token” in a general sense to refer to either (a) an XUA SAML token being used in an [ITI-40]
or (b) any other SAML token used to secure an Interoperability transaction.
|
|
web
|
profiles.ihe.net
|
There is documentation of the audit event details to be added to a grouped transaction audit event log in XUA Security Considerations 2:3.40.4.2
; however, this does not explain how this should be recorded in a FHIR AuditEvent. There are two patterns defined here: minimal and comprehensive. Where minimal presumes that when the audit log is used, the system using the AuditEvent has access to the security infrastructure registry and logs to lookup the identifiers, thus the details that could be looked up later are not replicated in the AuditEvent. Comprehensive presumes that there is no access to lookup these details, thus preserving as much of the Security Token into the AuditEvent as is reasonable and useful.
|
|
web
|
profiles.ihe.net
|
The Minimal AuditEvent pattern defined here is not the same as the one defined in XUA
, mostly due to the more expressive and coded nature of the FHIR AuditEvent over the DICOM AuditMessage.
|
|
web
|
profiles.ihe.net
|
This section is only concerned with the AuditEvent profiling to use when an event is attributable to an agent defined in an OAuth Security Token. This does not cover how the oAuth Token was created, acquired, authorized, or managed. See IUA
. This specification presumes that the interactions to obtain the “Oauth Security Token” were themselves auditable events and properly recorded in the audit log.
|
|
web
|
profiles.ihe.net
|
In this section we use the term “OAuth Security Token” in a general sense to refer to either (a) an IUA
OAuth Access Token being used in an [ITI-72]
or (b) any other OAuth Access Token used to secure an Interoperability transaction (e.g., SMART Backend Services
, or SMART App Launch Framework
, or other).
|
|
web
|
profiles.ihe.net
|
In this section we use the term “OAuth Security Token” in a general sense to refer to either (a) an IUA
OAuth Access Token being used in an [ITI-72]
or (b) any other OAuth Access Token used to secure an Interoperability transaction (e.g., SMART Backend Services
, or SMART App Launch Framework
, or other).
|
|
web
|
profiles.ihe.net
|
Given that IHE has the IUA Profile
, and has Security Audit Considerations
, the AuditEvent specification here will focus on IUA interactions. The profiling AuditEvent defined here is the AuditEvent that the Client and Server would record when using IUA
with the ITI TF-2: 3.72 Incorporate Access Token [ITI-72]
to secure some RESTful transaction. The RESTful transaction is not defined here, just the additional AuditEvent element details that would be added to the AuditEvent for the RESTful transaction being secured (see RESTful activities
for general purpose logging).
|
|
web
|
profiles.ihe.net
|
Given that IHE has the IUA Profile
, and has Security Audit Considerations
, the AuditEvent specification here will focus on IUA interactions. The profiling AuditEvent defined here is the AuditEvent that the Client and Server would record when using IUA
with the ITI TF-2: 3.72 Incorporate Access Token [ITI-72]
to secure some RESTful transaction. The RESTful transaction is not defined here, just the additional AuditEvent element details that would be added to the AuditEvent for the RESTful transaction being secured (see RESTful activities
for general purpose logging).
|
|
web
|
profiles.ihe.net
|
Given that IHE has the IUA Profile
, and has Security Audit Considerations
, the AuditEvent specification here will focus on IUA interactions. The profiling AuditEvent defined here is the AuditEvent that the Client and Server would record when using IUA
with the ITI TF-2: 3.72 Incorporate Access Token [ITI-72]
to secure some RESTful transaction. The RESTful transaction is not defined here, just the additional AuditEvent element details that would be added to the AuditEvent for the RESTful transaction being secured (see RESTful activities
for general purpose logging).
|
|
web
|
profiles.ihe.net
|
The IUA
Profile is used here as a proxy for all oAuth specifications. IUA
is used here because IHE has direct access and has defined fields. The Minimal AuditEvent pattern defined here is not the same as the one defined in IUA
, mostly due to the more expressive and coded nature of the FHIR AuditEvent vs. the DICOM AuditMessage.
|
|
web
|
profiles.ihe.net
|
The Minimal AuditEvent pattern defined here is not the same as the one defined in [ITI-72] Security Audit Considerations
, mostly due to the more expressive and coded nature of the FHIR AuditEvent over the DICOM AuditMessage. This AuditEvent pattern is also recommended for both client and server to the extent possible.
|
|
web
|
profiles.ihe.net
|
This is transformed from the content defined today in ATNA [ITI-20] 2:3.20.8 Disclosure audit message
. It is replicated here for ease of understanding, and is presented here using the FHIR AuditEvent. There are some differences caused and enabled by the FHIR AuditEvent schema and profiling.
|
|
web
|
www.astm.org
|
The requirements of an accounting of disclosures are defined in ASTM-2147
. A disclosure shall include the following, when the value is known:
|
|
web
|
github.com
|
The source code for this Implementation Guide can be found on IHE ITI.BasicAudit Github Repo
.
|
|
web
|
www.google.com
|
Search this IG
|
|
web
|
profiles.ihe.net
|
IHE uses the normative words Shall, Should, and May according to standards conventions
.
|
|
web
|
profiles.ihe.net
|
The use of mustSupport
in StructureDefinition profiles equivalent to the IHE use of R2
as defined in Appendix Z
.
|
|
web
|
github.com
|
BasicAudit/2
. Is the oAuth AuditEvent patterns appropriate, especially the opaque one. With Opaque is the last 32 characters big enough yet not too big? Note there are no examples given due to this need for Trial Implementation feedback and experience (5 warnings).
|
|
web
|
github.com
|
BasicAudit/3
. The R4 version of AuditEvent uses extensible binding often, this has limited the ways that the AuditEvent can be constrained. R5 has relaxed these to either example or preferred binding, so some further can be done in this IG once R5 is released.
|
|
web
|
github.com
|
BasicAudit/6
. This IG covers only basic RESTful http. Not covered are FHIR Operations, or advanced http activities like Patch, conditional create, conditional update, etc? What others are needed, for them please provide an example transaction that can be used in a profiled example.
|
|
web
|
github.com
|
BasicAudit/7
. X-Request-Id header – I explained this only inside of the RESTful section, but it is applicable anywhere that X-Request-Id is used. X-Reqeust-Id is profiled differently than the example given in the FHIR core specification. Specifically there is a entity type defined here to enable slicing, where the example in FHIR core uses both type (job) and role (stream) which is harder to slice. I did not make this a standalone section because it is simply too small.
- X-Request-Id vs TraceId – I added X-Request-Id profiling. I did not add TraceId, as I am not as aware of what this is. It seems very similar, unclear if it is different or the same thing. The modeling of TraceId that is in the FHIR Core is a bit different than I modeled X-Request-Id here. TraceId example in core is a .entity.type #21 “Job”, with a .entity.what.identifier.type #TraceId. Where as for X-Request-Id I followed the example that Grahame indicted his server supports today for X-Request-Id. I welcome comment, as I am not an expert TraceId nor X-Reqeust-Id.
|
|
web
|
github.com
|
BasicAudit/18
. Is the use of AssuranceLevel proper? Should the extension element be defined more specific to NIST-800-63 assurance levels, and not allow to be carrying historical vocabulary that is not specifically assurance-level but rather the method of authentication used (e.g. urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport)?
|
|
web
|
github.com
|
BasicAudit/19
. Note: Support for HL7 Security for Scalable Registration, Authentication, and Authorization (aka UDAP)
when it gets published
|
|
web
|
github.com
|
BasicAudit/21
. IG builder / validation issue with the slicing I need to use in AuditEvent (12 validation errors). Discussion can be found https://chat.fhir.org/#narrow/stream/215610-shorthand/topic/slicing.20with.20complex.20.24this and https://chat.fhir.org/#narrow/stream/179252-IG-creation/topic/slicing.20sliced.20extension
|
|
web
|
github.com
|
BasicAudit/22
. There are no named options. It might be useful to have named options to enable minimal vs comprehensive; or to allow claims of compliance to only disclosure auditEvent.
|
|
web
|
profiles.ihe.net
|
Editor, add the following new or modified actors to the IHE Technical Frameworks General Introduction Appendix A
:
|
|
web
|
profiles.ihe.net
|
Editor, add the following new or modified transactions to the IHE Technical Frameworks General Introduction Appendix B
:
|
|
web
|
profiles.ihe.net
|
The Audit Log Patterns defined here rely on the ATNA
Profile for transport of the AuditEvent and query/retrieval of AuditEvents previously recorded.
The patterns defined here may be used as they are, or further refined to specific use-cases.
Where a more specific audit event is defined, it should be derived off of these basic patterns. Thus, a more specific AuditEvent would be compliant with one or more of the AuditEvent patterns defined here.
|
|
web
|
profiles.ihe.net
|
This Implementation Guide is intended to be fully compliant with the HL7 FHIR
specification, providing only use-case driven constraints to aid with interoperability, deterministic results, and compatibility with ATNA
and other IHE Profiles.
|
|
web
|
www.ihe.net
|
ANY Secure Client
and ANY Secure Server
represent abstractions of any client/server actor grouped with an ATNA Secure Node
or an ATNA Secure Application
supporting the ATX: FHIR Feed Option
, defined in the RESTful ATNA Supplement
. Where ANY Secure Client
and ANY Secure Server
are involved in some communication that is an auditable event described in this Implementation Guide and for which some AuditEvent pattern is defined. The AuditEvent patterns defined here will be created and recorded [ITI-20] by the Secure Node
or Secure Application
that is grouped within the diagramed ANY Secure Client
and the ANY Secure Server
.
|
|
web
|
profiles.ihe.net
|
Figure 1:52.1-1 shows the actors directly involved in the Basic Audit Log Patterns Profile and the relevant transactions between them. The Audit Creator
creates AuditEvent records following this profile that is consumed by the Audit Consumer
. The transport for the AuditEvent records is the ATNA
Profile.
|
|
web
|
www.ihe.net
|
The Audit Creator shall detect the defined auditable events and record a complaint AuditEvent as defined. The Audit Creator shall be grouped with an ATNA Secure Application
or ATNA Secure Node
with support for ATNA ATX:FHIR Feed Option
defined in the RESTful ATNA Supplement
for the recording of the compliant AuditEvent to the Audit Record Repository.
|
|
web
|
www.ihe.net
|
The Audit Consumer shall be grouped with an ATNA Audit Consumer
with support for the Retrieve Audit Message Option
defined in the RESTful ATNA Supplement
. The Audit Consumer understands the AuditEvent profiles defined, but shall not reject an AuditEvent due to non-compliance.
|
|
web
|
profiles.ihe.net
|
The ATNA
Audit Record Repository with support for ATNA ATX:FHIR Feed Option
, and Retrieve Audit Message Option
. These options are defined in the RESTful ATNA Supplement
. The ATNA Audit Record Repository may detect and validate the AuditEvent requirements defined here, but shall not reject an AuditEvent due to non-compliance.
|
|
web
|
www.ihe.net
|
The ATNA
Audit Record Repository with support for ATNA ATX:FHIR Feed Option
, and Retrieve Audit Message Option
. These options are defined in the RESTful ATNA Supplement
. The ATNA Audit Record Repository may detect and validate the AuditEvent requirements defined here, but shall not reject an AuditEvent due to non-compliance.
|
|
web
|
profiles.ihe.net
|
The required groupings for BasicAudit are those in the ATNA Profile, see IHE ITI TF-1:9.3
.
|
|
web
|
www.ihe.net
|
The following use-case represents the use-case defined in ATNA [ITI-81]
. The use of this transaction in this Implementation Guide is to specialize it with the use of the patient identity to retrieve AuditEvent resources where that patient identity was found in the .agent or .entity. Where the patient identity in the .agent element indicates that the patient was actively engaged in the activity recorded in that AuditEvent, and .entity element indicates that the patient was the subject of the event. Note that accessing the audit log is an auditable event and thus interactions 3 and 5.
|
