NextGen Knowledge Center

§170.315(d)(2) Auditable Events and Tamper-Resistance, §170.315(d)(3) Audit Report(s), and §170.315(d)(10) Auditing Actions on Health Information

Cures criteria §170.315(d)(2) Auditable Events and Tamper-Resistance and §170.315(d)(10) Auditing Actions on Health Information.

These criteria are interrelated and therefore addressed together.

(d)(2) Auditable events and tamper-resistance establishes which actions must be audited, what must be included in the audit records, and required protections around the audit log, including detecting if the audit log has been changed outside of normal processes.

(d)(10) Auditing actions on health information establishes which actions must be audited, what must be included in the audit records, and required protections around the audit log, including detecting if the audit log has been changed outside of normal processes.

(d)(3) Audit Report(s) requires the ability of health information systems to sort the audit logs.

Features that Support the Certification

  • Use of the Role-Based Access Control Extension to limit access to PHI, and the Cures Certification Support Extension to audit tampering with events.
  • An event is created when any of the following occurs in a channel that contains PATIENT_ID metadata (see the Required Actions section):
    • A message that contains PHI is viewed. Event name is “Accessed PHI”.
    • Messages that contain PHI are queried. Event name is “Queried PHI”.
  • In addition, an event is created when any of the following occurs in any channel:
    • A single message is removed. Event name is “Remove message”.
    • All messages are removed. Event name is “Remove all messages”.
    • Messages are pruned. Event name is “Data Pruner”.
  • Events are also created when modifications are made to privileges in the Role Based Access Control tab.
  • Events Browser:
    • The following columns have been added: Channel ID – Message ID, Channel Name, and Patient ID.
    • Events can be sorted by any column in the Events Browser in ascending and descending order.
    • The functionality “Remove all events” is no longer available.
  • With the Cures Certification Support Extension, event logs are audited every 24 hours. If issues are found, notifications are displayed in the Events Browser, the Server Log tab, and the Mirth log file.

Required Actions

  • An administrator must create roles and assign them to each user based on company policies.
  • To fully use the auditing functionality for PHI-related audits, a channel must include PATIENT_ID metadata.