Designation:E2147−01(Reapproved2013)AnAmericanNationalStandardStandardSpecificationforAuditandDisclosureLogsforUseinHealthInformationSystems1ThisstandardisissuedunderthefixeddesignationE2147;thenumberimmediatelyfollowingthedesignationindicatestheyearoforiginaladoptionor,inthecaseofrevision,theyearoflastrevision.Anumberinparenthesesindicatestheyearoflastreapproval.Asuperscriptepsilon(´)indicatesaneditorialchangesincethelastrevisionorreapproval.1.Scope1.1Thisspecificationisforthedevelopmentandimplemen-tationofsecurityaudit/disclosurelogsforhealthinformation.Itspecifieshowtodesignanaccessauditlogtorecordallaccesstopatientidentifiableinformationmaintainedincom-putersystemsandincludesprinciplesfordevelopingpolicies,procedures,andfunctionsofhealthinformationlogstodocu-mentalldisclosureofhealthinformationtoexternalusersforuseinmanualandcomputersystems.Theprocessofinforma-tiondisclosureandauditingshouldconform,whererelevant,withthePrivacyActof1974(1).21.2Thefirstpurposeofthisspecificationistodefinethenature,role,andfunctionofsystemaccessauditlogsandtheiruseinhealthinformationsystemsasatechnicalandproceduraltooltohelpprovidesecurityoversight.Inconcertwithorga-nizationalconfidentialityandsecuritypoliciesandprocedures,permanentauditlogscanclearlyidentifyallsystemapplicationuserswhoaccesspatientidentifiableinformation,recordthenatureofthepatientinformationaccessed,andmaintainapermanentrecordofactionstakenbytheuser.Byprovidingaprecisemethodforanorganizationtomonitorandreviewwhohasaccessedpatientdata,auditlogshavethepotentialformoreeffectivesecurityoversightthantraditionalpaperrecordenvi-ronments.Thisspecificationwillidentifyfunctionalityneededforauditlogmanagement,thedatatoberecorded,andtheuseofauditlogsassecurityandmanagementtoolsbyorganiza-tionalmanagers.1.3Intheabsenceofcomputerizedlogs,auditlogprinciplescanbeimplementedmanuallyinthepaperpatientrecordenvironmentwithrespecttopermanentlymonitoringpaperpatientrecordaccess.Wherethepaperpatientrecordandthecomputer-basedpatien...
