Provenance — detail: FHIR audit trail
Metadata audit trail resource that tracks: who created/modified what, when, with which agent (human + device), under what legal authority. Aligned with W3C PROV-DM, essential for GDPR article 30 (record of processing) and HIPAA audit logs.
W3C PROV-DM alignment
FHIR Provenance is aligned with the W3C Provenance Data Model (PROV-DM):
target= PROV Entity (the impacted resource).agent= PROV Agent (who did it).activity= PROV Activity (the action: CREATE, UPDATE, DELETE).entity= links with other entities (previous version, derived resource).
Allows export to PROV-O graphs (RDF) for advanced provenance analyses.
Key fields
| Field | Cardinality | Role |
|---|---|---|
target | 1..* | Resource(s) impacted by the action. |
occurred[x] | 0..1 | When the action happened (Period or dateTime). |
recorded | 1..1 | When the Provenance itself was recorded. |
policy | 0..* | URI to the applicable policy (procedure, business rule). |
location | 0..1 | Where the action happened. |
authorization | 0..* | Legal/medical justification (TREAT, EMERG, REQUEST…). |
activity | 0..1 | CREATE / UPDATE / DELETE / READ / EXECUTE (v3-DataOperation). |
agent | 1..* | Actors (author, device, organization, witness). |
entity | 0..* | Other linked entities (revision, derivation, source). |
signature | 0..* | Electronic signature JWS/XAdES. |
Provenance vs AuditEvent
Critical choice:
- Provenance — business metadata. Attached to clinical resources (who wrote this prescription, who modified this exam). Lightweight, indexed with resources.
- AuditEvent — technical log. Tracks accesses, reads, exports, exceptions. High volume, separate storage.
In practice: Provenance for "what" and "who" of each change. AuditEvent for read accesses + errors.
Example: prescription update by physician
{
"resourceType": "Provenance",
"id": "prov-rx-887-update",
"target": [{ "reference": "MedicationRequest/rx-acetaminophen-2026-887" }],
"occurredDateTime": "2026-05-19T15:30:00+02:00",
"recorded": "2026-05-19T15:30:05+02:00",
"policy": [
"https://www.hl7.fr/policies/PrescriptionElectronique-v3.html"
],
"location": { "reference": "Location/cabinet-bernard-paris13" },
"authorization": [{
"concept": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code": "TREAT",
"display": "Treatment"
}]
}
}],
"activity": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-DataOperation",
"code": "UPDATE"
}]
},
"agent": [{
"type": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/provenance-participant-type",
"code": "author"
}]
},
"role": [{
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/v3-ParticipationType",
"code": "AUT"
}]
}],
"who": {
"reference": "Practitioner/dr-bernard-claude",
"display": "Dr Claude BERNARD - NPI 1234567890"
}
}, {
"type": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/provenance-participant-type",
"code": "device"
}]
},
"who": {
"reference": "Device/ehr-prescription-module-v8.2"
}
}],
"entity": [{
"role": "revision",
"what": {
"reference": "MedicationRequest/rx-acetaminophen-2026-887/_history/2",
"display": "Previous version: 1 tab x 4 per day"
}
}],
"signature": [{
"type": [{
"system": "urn:iso-astm:E1762-95:2013",
"code": "1.2.840.10065.1.12.1.1",
"display": "Author's Signature"
}],
"when": "2026-05-19T15:30:05+02:00",
"who": { "reference": "Practitioner/dr-bernard-claude" },
"sigFormat": "application/jose",
"data": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkRSX0JFUk5BUkRfQ0xBVURFXzIwMjYifQ..."
}]
} Common pitfalls
- No signature — for France, an e-prescription must be signed (CPS card + JWS). Provenance without signature = medically-legally invalid.
- agent missing or anonymous — the "who" must be identified (RPPS, NPI, unique identifier). Otherwise impossible to trace accountability.
- occurred = recorded — conflating the two. occurred = when the clinical act happened, recorded = when the system logged it (can differ for delayed entry).
- entity[].role missing — without role, we don't know if the referenced entity is a prior version, source, derivative.