Guide for Reviewing Your Site's Audit Logs

Introduction

This guide is intended to assist health information custodians and Ocean site administrators with reviewing and interpreting a site's Ocean audit log in support of the auditing and monitoring obligations under PHIPA.

Under Canadian privacy law (PIPEDA federally, and PHIPA in Ontario), health information custodians (HICs), including physicians and nurse practitioners, have a duty to ensure that platforms holding personal health information (PHI) are audited, and that the audit logs are reviewed on a periodic and random basis, to help protect PHI against unauthorized use or disclosure.

According to the Information and Privacy Commissioner of Ontario:

"The logging, auditing and monitoring of all accesses to electronic records of personal health information is important to ensure the privacy of individuals and the confidentiality of their personal health information. The capacity to log all instances where personal health information is collected, used and disclosed by agents will enable custodians to respond to requests for information and complaints about the collection, use or disclosure of an individual’s personal health information; to audit and monitor all collections, uses and disclosures of personal health information by all of their agents; and to investigate actual or suspected privacy breaches including cases of unauthorized access. Logging, auditing and monitoring can be an effective deterrent to unauthorized access if all agents are made aware that all of their activities in relation to electronic records of personal health information will be logged ...

The policy and procedures should require the custodian to conduct ongoing, targeted (reactive) and random (proactive) auditing and monitoring of the logs"

Audit Logging in Ocean

Ocean, as a system that gives users access to PHI, should be included in the HIC's regular auditing activities, in addition to the site's EMR and any other platform that holds PHI.

To assist with this task, Ocean captures all user activity related to the storage, retrieval, and presentation of PHI within Ocean, whether that PHI originated in the underlying EMR or in Ocean itself. The full audit data for a specific Ocean site is available for download at any time.

Ocean's logging and exports provide access only to activity within the specific Ocean site. Other activity, such as interactions with the underlying EMR or subsequent disclosure (for example, printing or emailing PHI), is not captured by Ocean. To review that activity, site administrators should also refer to the EMR's audit logs and to computer terminal usage logs, according to the site's internal audit policy.

Exporting the Audit Data

To export the audit log, go to the Reports section of your Ocean site administration page. Choose the relevant start and end date, and choose User "All" for a site-wide audit.

The report is downloaded as a CSV file, which can be opened in any mainstream spreadsheet application such as Excel or Google Sheets.

Although the audit report itself does not contain any PHI, it should nonetheless be treated as sensitive documentation, with appropriate safeguards in place for the encrypted transmission, storage and deletion of this information as required.

Ocean gives site administrators direct access to the previous two months of audit data. Entries older than this are archived and can be obtained by submitting a support ticket. If your audit policy requires a locally retained copy, schedule exports more often than every two months so that no period falls outside the window of direct access.

Audit Report Description

When the CSV file is opened in a spreadsheet application, the following columns should be visible. A sample row is included in the screenshot as an example.

The audit data represents a direct extraction of the values stored within Ocean, and can be interpreted with the help of this guide:

  • _id: A unique ID for the log entry.
  • creationDate: The date and time the log entry was created (i.e., the date and time of the event).
  • siteNum: The Ocean site number of the site within which the activity was performed.
  • user: The username of the Ocean user performing the action.
  • userFullName: The full name of the Ocean user performing the action.
  • action: The type of audit log entry. Actions may represent explicit or implicit consequences of the user's interactions. Consult the action reference guide for documentation on each specific action.
  • properties: This column and the columns after it hold the properties associated with the action, which give the context needed to interpret it (for example, the relevant patient ID). Properties are listed sequentially as name/value pairs: each property's name in one column, followed by its value in the next.

What to Look for In Terms of Patient Privacy

Each audit action recorded in the action column may be relevant to understanding the wider context of a user's behaviour in Ocean, so consult the action reference guide as routine and reactive audits are performed at your site.

A few key audit actions should be highlighted with regard to reviewing PHI use:

  • VIEW_PATIENTS: The user opened the Patients tab, which displays the standard summary view containing patient names.
  • GET_PATIENT: A patient record was retrieved from the database by Ocean reference number ("ref") and returned to a client, either to show it to the user in the web browser or to an Ocean tablet/kiosk.
  • UPLOAD_PATIENT: A patient was uploaded from the EMR to create an Ocean patient record. The ref is the Ocean-assigned reference ID; the externalPatientRef is the EMR's patient ID; the client is the system that uploaded the patient record; and the version is the version of that client.

These audit actions will help you identify the specific patient records that may have been used or disclosed.
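The following is an added example, not Ocean's own tooling, showing how the column layout described under "Audit Report Description" and the key actions above can be turned into a repeatable review instead of scrolling a spreadsheet. It assumes that creationDate values parse as ISO 8601 timestamps, that the columns after "action" hold property name/value pairs positionally (so they are read pairwise rather than by header name), and that the business-hours window used to flag after-hours access is a matter of local policy. The embedded CSV is constructed for illustration; the IDs, users, and patient refs are made up.

```python
"""Parse and triage an Ocean audit-log CSV export for a PHI access review.

Added example, not Ocean's own tooling. Assumptions not stated on the page:
  - creationDate values parse as ISO 8601 ("YYYY-MM-DDTHH:MM:SS");
  - columns after "action" carry property name/value pairs positionally,
    so they are read pairwise rather than by header name;
  - the business-hours window used to flag after-hours access is local policy.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

FIXED_COLUMNS = ["_id", "creationDate", "siteNum", "user", "userFullName", "action"]

# Actions whose "ref" property names a specific Ocean patient record.
PHI_ACTIONS = {"GET_PATIENT", "UPLOAD_PATIENT"}

# Constructed sample export; IDs, users and refs are made up, not real data.
SAMPLE_CSV = """\
_id,creationDate,siteNum,user,userFullName,action,properties,,,,,,,
a1,2024-03-04T09:12:03,1234,jsmith,Jane Smith,VIEW_PATIENTS,,,,,,,,
a2,2024-03-04T09:12:41,1234,jsmith,Jane Smith,GET_PATIENT,ref,P-100,,,,,,
a3,2024-03-04T09:15:10,1234,jsmith,Jane Smith,UPLOAD_PATIENT,ref,P-101,externalPatientRef,E-55,client,EMR-Connector,version,1.0
a4,2024-03-04T23:47:55,1234,rlee,Rob Lee,GET_PATIENT,ref,P-100,,,,,,
a5,2024-03-05T08:05:00,1234,rlee,Rob Lee,GET_PATIENT,ref,P-102,,,,,,
"""


def parse_audit_csv(text):
    """Return one dict per row; property columns are folded into a 'properties' dict."""
    entries = []
    rows = csv.reader(io.StringIO(text))
    next(rows, None)  # skip the header row
    for row in rows:
        if not row or not row[0]:
            continue
        entry = dict(zip(FIXED_COLUMNS, row[: len(FIXED_COLUMNS)]))
        extra = row[len(FIXED_COLUMNS):]
        props = {}
        for i in range(0, len(extra) - 1, 2):  # name, value, name, value, ...
            name, value = extra[i].strip(), extra[i + 1].strip()
            if name:
                props[name] = value
        entry["properties"] = props
        entry["creationDate"] = datetime.fromisoformat(entry["creationDate"])
        entries.append(entry)
    return entries


def review(entries, start_hour=7, end_hour=19):
    """Proactive (random) review: who touched which records, and which accesses look odd."""
    patients_by_user = defaultdict(set)
    users_by_patient = defaultdict(set)
    action_counts = defaultdict(lambda: defaultdict(int))
    after_hours = []
    for e in entries:
        action_counts[e["user"]][e["action"]] += 1
        ref = e["properties"].get("ref")
        if e["action"] in PHI_ACTIONS and ref:
            patients_by_user[e["user"]].add(ref)
            users_by_patient[ref].add(e["user"])
            if not start_hour <= e["creationDate"].hour < end_hour:
                after_hours.append(e["_id"])
    return {
        "patients_by_user": {u: sorted(s) for u, s in patients_by_user.items()},
        "users_by_patient": {r: sorted(s) for r, s in users_by_patient.items()},
        "action_counts": {u: dict(c) for u, c in action_counts.items()},
        "after_hours": after_hours,
    }


def accesses_to_patient(entries, ref):
    """Reactive (targeted) review: every PHI action against one Ocean patient ref, in order."""
    hits = [e for e in entries
            if e["action"] in PHI_ACTIONS and e["properties"].get("ref") == ref]
    hits.sort(key=lambda e: e["creationDate"])
    return [(e["creationDate"].isoformat(), e["user"], e["action"]) for e in hits]


if __name__ == "__main__":
    log = parse_audit_csv(SAMPLE_CSV)
    summary = review(log)
    for user, refs in summary["patients_by_user"].items():
        print(f"{user}: {len(refs)} distinct patient records")
    print("after-hours PHI access:", summary["after_hours"])
    print("history for P-100:", accesses_to_patient(log, "P-100"))
```

The two review functions mirror the IPC's distinction: review() supports the random, proactive check (distinct records per user, after-hours retrievals), while accesses_to_patient() answers the targeted, reactive question raised by a complaint about one individual. Because the export is treated as sensitive, run this against a local copy and delete that copy according to your retention policy once the review is recorded.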
