Basic Audit Log Patterns (BALP)
1.1.3 - Trial-Implementation International

This page is part of the IHE Basic Audit Log Patterns (BALP) (v1.1.3: Publication) based on FHIR (HL7® FHIR® Standard) R4. This is the current published version. For a full list of available versions, see the Directory of published versions

Resource Profile: Basic AuditEvent pattern for when an Authorization permit is decided

Official URL: https://profiles.ihe.net/ITI/BALP/StructureDefinition/IHE.BasicAudit.AuthZconsent
Version: 1.1.3
Active as of 2024-02-14
Computable Name: AuthZconsent

An AuditEvent recording a permit authorization decision by a Consent Decision Service:

  • Given an Authorization Decision resulted in a permit
  • And based on a Consent resource (C1)
  • And filed by a patient (P1),
  • And in response to a request by an organization (Org1)
  • And for the purpose of treatment (TREAT).
  • And the given request is authorized
  • When an AuditEvent is recorded for the activity
  • Then that AuditEvent would follow this profile regarding recording the authorization decision
    • Security Alert
    • Authorization Decision by Consent
    • Execute action
    • date/time recorded
    • outcome
      • success when Permit
      • failure when Deny
      • outcomeDesc would explain why a deny
    • recorded by the authorization server
    • Agents
      • client app
      • user
        • user requested purposeOfUse
      • user organization
      • authorization service
    • Entity
      • patient subject
      • consent on file for that patient
      • the token id (JWT ID) issued (if one is issued) should be recorded
      • other data may be recorded that was used in the decision

Formal Views of Profile Content

This structure is derived from AuditEvent

| Name | Flags | Card. | Type | Description & Constraints |
|---|---|---|---|---|
| .. AuditEvent | | 0..* | AuditEvent | Event record kept for security purposes |
| ... modifierExtension | | 0..0 | | |
| ... type | | 1..1 | Coding | Type/identifier of event. Required Pattern: At least the following |
| .... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://dicom.nema.org/resources/ontology/DCM |
| .... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: 110113 |
| ... subtype | | 1..* | Coding | More specific type/id for the event. Binding: Authorization subType events valueset (required) |
| ... action | | 0..1 | code | Type of action performed during the event. Required Pattern: E |
| ... outcome | | 1..1 | code | Whether the event succeeded or failed |
| ... outcomeDesc | S | 0..1 | string | Description of the event outcome |
| ... purposeOfEvent | S | 0..* | CodeableConcept | The purposeOfUse of the event |
| ... Slices for agent | | 4..* | BackboneElement | Actor involved in the event. Slice: Unordered, Open by pattern:type |
| .... agent:client | | 1..1 | BackboneElement | Actor involved in the event |
| ..... type | | 1..1 | CodeableConcept | How agent participated. Required Pattern: At least the following |
| ...... coding | | 1..* | Coding | Code defined by a terminology system. Fixed Value: (complex) |
| ....... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://dicom.nema.org/resources/ontology/DCM |
| ....... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: 110150 |
| ..... role | | 0..0 | | |
| ..... who | | 1..1 | Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson) | Identifier of who |
| ..... altId | | 0..0 | | |
| ..... name | | 0..0 | | |
| ..... location | | 0..0 | | |
| ..... policy | S | 0..* | uri | Policy that authorized event |
| ..... media | | 0..0 | | |
| ..... network | | 1..1 | BackboneElement | Logical network location for application activity |
| ..... purposeOfUse | | 0..0 | | |
| .... agent:user | | 1..1 | BackboneElement | Actor involved in the event |
| ..... type | | 1..1 | CodeableConcept | How agent participated. Required Pattern: At least the following |
| ...... coding | | 1..* | Coding | Code defined by a terminology system. Fixed Value: (complex) |
| ....... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType |
| ....... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: IRCP |
| ..... role | S | 0..* | CodeableConcept | Agent role in the event |
| ..... who | | 1..1 | Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson) | Identifier of who |
| ..... altId | | 0..0 | | |
| ..... name | S | 0..1 | string | Human friendly name for the agent |
| ..... requestor | | 1..1 | boolean | Whether user is initiator. Required Pattern: true |
| ..... location | | 0..0 | | |
| ..... policy | S | 0..* | uri | Policy that authorized event |
| ..... media | | 0..0 | | |
| ..... network | | 0..0 | | |
| ..... purposeOfUse | S | 0..* | CodeableConcept | Reason given for this user |
| .... agent:userorg | | 1..1 | BackboneElement | Actor involved in the event |
| ..... type | | 1..1 | CodeableConcept | How agent participated. Required Pattern: At least the following |
| ...... coding | | 1..* | Coding | Code defined by a terminology system. Fixed Value: (complex) |
| ....... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://terminology.hl7.org/CodeSystem/v3-RoleClass |
| ....... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: PROV |
| ..... role | | 0..0 | | |
| ..... who | S | 1..1 | Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson) | Identifier of who |
| ..... altId | | 0..0 | | |
| ..... name | | 0..0 | | |
| ..... requestor | | 1..1 | boolean | Whether user is initiator. Required Pattern: false |
| ..... location | | 0..0 | | |
| ..... policy | | 0..0 | | |
| ..... media | | 0..0 | | |
| ..... network | | 0..0 | | |
| ..... purposeOfUse | S | 0..* | CodeableConcept | Reason given for this user |
| .... agent:authorizer | C | 1..1 | BackboneElement | Actor involved in the event. val-audit-source: The Audit Source is this agent too. |
| ..... type | | 1..1 | CodeableConcept | How agent participated. Required Pattern: At least the following |
| ...... coding | | 1..* | Coding | Code defined by a terminology system. Fixed Value: (complex) |
| ....... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://terminology.hl7.org/CodeSystem/extra-security-role-type |
| ....... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: authserver |
| ..... role | | 0..0 | | |
| ..... who | | 1..1 | Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson) | Identifier of who |
| ..... altId | | 0..0 | | |
| ..... name | | 0..0 | | |
| ..... requestor | | 1..1 | boolean | Whether user is initiator. Required Pattern: false |
| ..... location | | 0..0 | | |
| ..... policy | | 0..0 | | |
| ..... media | | 0..0 | | |
| ..... network | | 0..0 | | |
| ..... purposeOfUse | | 0..0 | | |
| ... Slices for entity | | 2..* | BackboneElement | Data or objects used. Slice: Unordered, Closed by pattern:type |
| .... entity:patient | | 1..1 | BackboneElement | Data or objects used |
| ..... what | | 1..1 | Reference(Patient) | Specific instance of resource |
| ..... type | | 1..1 | Coding | Type of entity involved. Required Pattern: At least the following |
| ...... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://terminology.hl7.org/CodeSystem/audit-entity-type |
| ...... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: 1 |
| ..... role | | 1..1 | Coding | What role the entity played. Required Pattern: At least the following |
| ...... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://terminology.hl7.org/CodeSystem/object-role |
| ...... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: 1 |
| .... entity:consent | | 1..* | BackboneElement | Data or objects used |
| ..... what | S | 1..1 | Reference(Resource) | Specific instance of resource |
| ..... type | | 1..1 | Coding | Type of entity involved. Required Pattern: At least the following |
| ...... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://hl7.org/fhir/resource-types |
| ...... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: Consent |
| .... entity:token | | 0..1 | BackboneElement | Data or objects used |
| ..... what | | 1..1 | Reference(Resource) | Specific instance of resource |
| ...... identifier | | 1..1 | Identifier | Logical reference, when literal reference is not known |
| ....... value | | 1..1 | string | jti (JWT ID) |
| ..... type | | 1..1 | Coding | Type of entity involved. Required Pattern: At least the following |
| ...... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: https://profiles.ihe.net/ITI/BALP/CodeSystem/UserAgentTypes |
| ...... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: UserOauthAgent |

Terminology Bindings (Differential)

| Path | Conformance | ValueSet | URI |
|---|---|---|---|
| AuditEvent.subtype | required | AuthZsubTypeVS (a valid code from Authorization subType events) | https://profiles.ihe.net/ITI/BALP/ValueSet/AuthZsubTypeVS (from this IG) |

Constraints

| Id | Grade | Path(s) | Details | Requirements |
|---|---|---|---|---|
| val-audit-source | error | AuditEvent.agent:authorizer | The Audit Source is this agent too. : $this.who = %resource.source.observer | |
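
The following added example, which is not part of the IHE publication or its tooling, checks a parsed AuditEvent (a Python dict) against this profile's event type, agent slices, closed entity slicing and the val-audit-source constraint. The function names and the `Example/...` references are assumptions made for the illustration; the subtype value-set binding and the remaining element cardinalities are not checked.

```python
DCM = "http://dicom.nema.org/resources/ontology/DCM"
AGENT_SLICES = {  # slice -> (type.coding system, code, required requestor value or None)
    "client": (DCM, "110150", None),
    "user": ("http://terminology.hl7.org/CodeSystem/v3-ParticipationType", "IRCP", True),
    "userorg": ("http://terminology.hl7.org/CodeSystem/v3-RoleClass", "PROV", False),
    "authorizer": ("http://terminology.hl7.org/CodeSystem/extra-security-role-type", "authserver", False),
}
ENTITY_SLICES = {  # slice -> (type system, code, min, max); max None means unbounded
    "patient": ("http://terminology.hl7.org/CodeSystem/audit-entity-type", "1", 1, 1),
    "consent": ("http://hl7.org/fhir/resource-types", "Consent", 1, None),
    "token": ("https://profiles.ihe.net/ITI/BALP/CodeSystem/UserAgentTypes", "UserOauthAgent", 0, 1),
}

def _has(codings, system, code):
    return any(c.get("system") == system and c.get("code") == code for c in codings)

def sample_event():
    """Constructed, partial AuditEvent holding only the elements checked below; references are made up."""
    agents = [{"type": {"coding": [{"system": s, "code": c}]}, "who": {"reference": f"Example/{n}"},
               **({} if r is None else {"requestor": r})} for n, (s, c, r) in AGENT_SLICES.items()]
    entities = [{"type": {"system": s, "code": c}} for s, c, lo, _ in ENTITY_SLICES.values() if lo]
    return {"resourceType": "AuditEvent", "type": {"system": DCM, "code": "110113"},
            "agent": agents, "entity": entities,
            "source": {"observer": {"reference": "Example/authorizer"}}}

def check_authz_consent(ev):
    """Return the profile violations found in an AuditEvent dict (empty list: none found)."""
    errs = []
    if (ev.get("type", {}).get("system"), ev.get("type", {}).get("code")) != (DCM, "110113"):
        errs.append("type must be DCM#110113")
    for name, (system, code, requestor) in AGENT_SLICES.items():
        hits = [a for a in ev.get("agent", []) if _has(a.get("type", {}).get("coding", []), system, code)]
        if len(hits) != 1:
            errs.append(f"agent:{name} must occur exactly once, found {len(hits)}")
            continue
        if requestor is not None and hits[0].get("requestor") is not requestor:
            errs.append(f"agent:{name}.requestor must be {requestor}")
        # val-audit-source: $this.who = %resource.source.observer
        if name == "authorizer" and hits[0].get("who") != ev.get("source", {}).get("observer"):
            errs.append("val-audit-source: agent:authorizer.who != source.observer")
    ents, matched = ev.get("entity", []), 0
    for name, (system, code, lo, hi) in ENTITY_SLICES.items():
        n = sum(_has([e.get("type", {})], system, code) for e in ents)
        matched += n
        if n < lo or (hi is not None and n > hi):
            errs.append(f"entity:{name} occurs {n} times, outside its cardinality")
    if matched != len(ents):
        errs.append("entity slicing is closed: an entity matches no slice")
    return errs
```

Running such a check at ingestion lets an audit repository reject authorization-decision events whose recording agent does not match the audit source, or that lack the patient or consent entity, before they are relied on in an investigation.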

 
