AuditEvent — detail: FHIR audit log
Standard FHIR audit log to trace accesses, reads, exports, and exceptions on clinical resources. Compatible with RFC 3881 (IHE ATNA), DICOM Audit Trail. Cornerstone of HIPAA Security Rule, GDPR article 30, French HDS certification.
R4 → R5 changes
R5 introduces significant changes:
codeinstead oftype+subtype(simplification).occurredDateTimeandrecordedseparated (beforerecordedcovered both).categoryis now a list (multi-classification).basedOnnew: link to trigger (Request, Notification).outcomestructured: code + detail (before free string).
Key fields
| Field | Cardinality | Role |
|---|---|---|
category | 0..* | High classification (rest, application-activity, security-alert, user-access). |
code | 1..1 | Specific action (read, create, update, delete, login, logout). |
action | 0..1 | C (Create), R (Read), U (Update), D (Delete), E (Execute). |
severity | 0..1 | informational / warning / error / critical (syslog RFC 5424 alignment). |
occurredDateTime | 0..1 | When the action happened. |
recorded | 1..1 | When the audit was created. |
outcome | 0..1 | Success (0) / Minor failure (4) / Serious failure (8) / Major failure (12). |
agent | 1..* | Who did the action (humanuser, device, application). |
source | 1..1 | Which system logged the audit (collector). |
entity | 0..* | What (accessed resources) + security classification. |
IHE ATNA and RFC 3881 alignment
FHIR AuditEvent is the FHIR expression of the IHE ATNA profile (Audit Trail and Node Authentication), itself based on RFC 3881 (Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications). Mapping:
- FHIR
code+action= ATNA EventID + EventActionCode. - FHIR
agent= ATNA ActiveParticipant. - FHIR
source= ATNA AuditSourceIdentification. - FHIR
entity= ATNA ParticipantObjectIdentification.
HDS-certified French HIS must emit AuditEvent to an ATNA collector over mutual TLS on port 6514 (RFC 5425).
Example: patient record read by physician
{
"resourceType": "AuditEvent",
"id": "audit-read-patient-marie-887",
"category": [{
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/audit-event-type",
"code": "rest"
}]
}],
"code": {
"coding": [{
"system": "http://hl7.org/fhir/restful-interaction",
"code": "read",
"display": "read"
}]
},
"action": "R",
"severity": "informational",
"occurredDateTime": "2026-05-19T16:42:33+02:00",
"recorded": "2026-05-19T16:42:33.812+02:00",
"outcome": {
"code": {
"coding": [{
"system": "http://hl7.org/fhir/audit-event-outcome",
"code": "0",
"display": "Success"
}]
}
},
"purposeOfEvent": [{
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code": "TREAT"
}]
}],
"agent": [{
"type": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/extra-security-role-type",
"code": "humanuser"
}]
},
"who": {
"reference": "Practitioner/dr-bernard-claude",
"display": "Dr Claude BERNARD"
},
"requestor": true,
"role": [{
"coding": [{
"system": "http://snomed.info/sct",
"code": "112247003",
"display": "Medical doctor"
}]
}],
"networkString": "192.168.10.245"
}, {
"type": {
"coding": [{
"system": "http://dicom.nema.org/resources/ontology/DCM",
"code": "110153",
"display": "Source Role ID"
}]
},
"who": { "reference": "Device/ehr-pro-portal-v8.2" },
"requestor": false
}],
"source": {
"site": { "display": "Central Hospital Paris" },
"observer": { "reference": "Device/audit-aggregator-001" },
"type": [{
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/security-source-type",
"code": "4",
"display": "Application Server"
}]
}]
},
"entity": [{
"what": { "reference": "Patient/marie-durand-887" },
"role": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/object-role",
"code": "1",
"display": "Patient"
}]
},
"securityLabel": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-Confidentiality",
"code": "R",
"display": "Restricted"
}]
}]
} Common pitfalls
- Overwhelming volume — AuditEvent can represent 100x the volume of other resources. Separate storage mandatory (cold storage, date partitioning).
- No agent with requestor=true — at least one agent must be marked as initiator. Otherwise impossible to impute the action.
- networkString sensitive — IP/MAC may be PII depending on context. GDPR requires analysis of the log's legal basis.
- Confusion with Provenance — Provenance = who modified what (business metadata). AuditEvent = who accessed / did what (technical log). See Provenance detail.