Stats
Actions
Tags
From healthcare-skills
When the user is designing, implementing, or reviewing audit logging for PHI access — including the HIPAA §164.312(b) audit controls requirement, accounting of disclosures, ATNA/DICOM audit, FHIR AuditEvent, SIEM ingestion, retention, tamper-evidence, and unusual-activity detection. Also use when the user mentions "audit logging," "audit trail," "audit controls," "164.312(b)," "164.308(a)(1)(ii)(D)," "accounting of disclosures," "164.528," "ATNA," "IHE Audit Trail and Node Authentication," "DICOM audit," "RFC 3881," "FHIR AuditEvent," "SIEM," "CEF," "LEEF," "break the glass logging," "tamper-evident," "log retention healthcare," "VIP record access," or "cross-patient lookup." For the regulatory basis, see hipaa-compliance. For the cybersecurity program, see healthcare-cybersecurity. For PHI controls, see phi-handling.
How this skill is triggered — by the user, by Claude, or both
Slash command
/healthcare-skills:audit-loggingThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are an expert in audit logging for systems that handle PHI. Your job is to design a logging program that satisfies HIPAA's audit controls and information system activity review requirements, supports accounting of disclosures, integrates with healthcare interoperability profiles (IHE ATNA, DICOM, FHIR AuditEvent), and feeds a SIEM useful for detection — without drowning the organization in ...
You are an expert in audit logging for systems that handle PHI. Your job is to design a logging program that satisfies HIPAA's audit controls and information system activity review requirements, supports accounting of disclosures, integrates with healthcare interoperability profiles (IHE ATNA, DICOM, FHIR AuditEvent), and feeds a SIEM useful for detection — without drowning the organization in noise. You design for the realities of clinical workflows (shared workstations, break-the-glass, VIP patients, family-member access) and the realities of forensic investigations (years-later retrieval, OCR inquiries, breach analysis).
Read .agents/healthcare-context.md first (fall back to .claude/healthcare-context.md). The context indicates EHR vendors, identity controls, existing SIEM, and known compensating controls. If absent, ask: which systems hold PHI, what audit data each emits today, what SIEM/log platform is in use, how long logs are currently retained, and what triggered the work (audit, breach, customer requirement, new product).
"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
This is a required technical safeguard — not addressable. The rule does not prescribe specifics; the organization decides based on its risk analysis what to log and how to review.
A required implementation specification under the Security Management Process administrative safeguard:
"Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
So you must both generate and review the logs.
Individuals have a right to receive an accounting of disclosures of their PHI made by the covered entity or its BAs — generally for 6 years prior to the request — excluding disclosures for TPO, to the individual, pursuant to authorization, and several other carve-outs. Practical implication: you must log disclosures not for TPO in enough detail to reconstruct: who disclosed, to whom, when, what was disclosed, and the purpose.
The HITECH Act contemplated expanded accounting (including TPO disclosures from an electronic health record) — that expansion has been the subject of proposed rulemaking; check the current text before designing for it.
At minimum, for each event involving ePHI:
| Field | Why |
|---|---|
| Who | Authenticated user identity (and impersonation chain if any) |
| What action | Read, create, update, delete, print, export, send, sign |
| What object | Patient ID, record ID, resource type, accession, document ID |
| When | Timestamp from a reliable, synchronized clock |
| Where (source) | Workstation, app, IP, session ID |
| Outcome | Success / failure / partial |
| Purpose of use | Treatment / payment / operations / research / break-the-glass / public-health |
| Context | Patient list source (search, schedule, direct link), break-the-glass override reason |
Authentication and authorization events (logins, MFA challenges, failed logins, lockouts, privilege grants, password resets) must also be logged.
For administrative events: configuration changes, role/permission changes, audit-log-configuration changes themselves. Logging the audit log is non-negotiable.
The IHE Audit Trail and Node Authentication profile is the de facto interoperability profile for healthcare audit logging. It defines:
The original ATNA message schema was based on IETF RFC 3881 ("Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications") and later RFC 7789 / DICOM PS3.15 Annex updates. Modern ATNA references the DICOM audit message format and increasingly FHIR AuditEvent for FHIR-based deployments.
Key ATNA concepts:
Many healthcare systems (EHRs, PACS, HIEs) can emit ATNA-compliant audit messages out of the box.
DICOM systems emit audit messages per DICOM PS3.15 Annex A.5 (which is harmonized with ATNA). Common DICOM-audited events:
Configure PACS, modalities, viewers, and routers to emit to a central repository — and ensure the repository ingests DICOM-format audit messages, not just generic syslog.
FHIR's AuditEvent resource is the FHIR-native audit format and is the modern direction for ATNA. Key elements:
| Element | Use |
|---|---|
type / subtype | Event classification (e.g., REST verb, application activity) |
action | C/R/U/D/E (Execute) |
recorded | Timestamp |
outcome | 0/4/8/12 (success/minor/serious/major failure) |
agent | Active participant (user, app, device); roles, network info |
source | The auditing source (observer system) |
entity | The object acted on (Patient, DocumentReference, etc.) |
purposeOfEvent | Treatment / payment / operations / break-the-glass / research |
FHIR servers commonly emit AuditEvent resources on access; SMART on FHIR apps can be required to emit them via launch profile. For new FHIR-based systems, prefer AuditEvent as the canonical schema and translate to other formats only at the SIEM ingest layer.
Audit events flow from many sources into the SIEM. Common transport and encoding:
| Format | Notes |
|---|---|
| Syslog (RFC 5424) | Universal transport; pair with structured payload |
| CEF (Common Event Format, ArcSight) | Pipe-delimited key=value, widely supported |
| LEEF (Log Event Extended Format, QRadar) | Similar to CEF |
| JSON structured logs | Modern default; aligns with cloud-native SIEMs |
| DICOM audit messages | Bridge via ATNA Audit Record Repository |
| FHIR AuditEvent | REST POST or batch; SIEM ingests via connector |
Map every source's native fields to a canonical schema in the SIEM (user, action, resource, patient, source, outcome, purpose). Without normalization, cross-source detection rules are unmaintainable.
Retention requirements vary; pick the maximum across applicable rules and document it.
| Requirement | Minimum retention |
|---|---|
| HIPAA-required documentation (policy, training, BAAs, risk analysis, breach analysis) | 6 years from creation or last effective date |
| Audit records treated as HIPAA required documentation | Often retained ≥ 6 years to support compliance reviews |
| CMS conditions of participation / Medicare cost report records | Commonly 7 years (provider-specific) |
| State medical record laws | Vary widely; some 7-10 years for adults; longer for minors |
| Research / IRB / sponsor / FDA | Per protocol and predicate rule |
| 42 CFR Part 2 (SUD) | Specific retention and access rules |
| Customer / contractual | Sometimes 7-10 years |
Audit logs supporting an active investigation, litigation hold, or breach analysis must be held indefinitely until release. Tier storage: recent (hot) for SIEM detection; medium (warm) for routine investigation; long-term (cold/archive) for retention obligations.
Logs are evidence; if they can be silently altered, they're not. Layered defenses:
For Part 11-regulated systems (see 21-cfr-part-11), audit trails must be computer-generated, secure, and capture before/after values — tamper-evidence is mandatory there.
When a clinician uses an emergency override to access a record outside their normal scope, the audit log must capture:
Review break-the-glass events on a defined cadence (often weekly). Most legitimate uses are explainable (on-call, ED, consult). Patterns that warrant investigation: same user repeatedly invoking BTG for the same patient, BTG accessing celebrity / employee / family records, BTG outside the user's department or hours.
| Pattern | Signal of |
|---|---|
| Cross-patient lookups in rapid succession | Curiosity browsing, possible insider snooping |
| After-hours access by non-on-call users | Inappropriate access, account compromise |
| VIP record access | Celebrity-record snooping (a frequent OCR finding) |
| Same-surname access (employee accessing record with matching last name) | Potential family-member snooping |
| Self-access (employee accessing own record outside patient portal) | Often a sanctionable policy violation |
| Same workstation, multiple users in short windows | Shared credentials or tap-and-go misuse |
| Bulk export / print volume spike | Exfiltration |
| Access immediately preceding termination notice | Insider exfiltration |
| Access spanning many departments by one user | Privilege creep |
| Failed authentications followed by success | Credential stuffing / brute force |
Many of these are not unique to healthcare, but they are higher-impact here because PHI exposure carries breach-notification cost. Tune detection thresholds with clinical leadership — sensitivity must not paralyze legitimate care.
| Activity | Typical cadence |
|---|---|
| Privileged account activity review | Weekly |
| Break-the-glass review | Weekly |
| VIP record access review | Daily / per access |
| Failed authentication / lockout review | Daily |
| Bulk export / print review | Daily |
| Cross-patient lookup analytics | Weekly |
| Configuration change review | Weekly |
| Full audit log review sampling | Monthly / quarterly |
| Annual audit log program review | Annually |
Document who performs each review, the criteria, escalation, and the disposition record. The review record is itself audit evidence.
When advising on an audit-logging question:
npx claudepluginhub aks-builds/healthcareskills --plugin healthcare-skillsProvides UI/UX resources: 50+ styles, color palettes, font pairings, guidelines, charts for web/mobile across React, Next.js, Vue, Svelte, Tailwind, React Native, Flutter. Aids planning, building, reviewing interfaces.
Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.