Resource Auditing
This feature monitors user access and user updates to protected health information (PHI) and personally identifiable information (PII) through the HTTP application programming interface (API). All HTTP resources that link a person to PHI and all resources that contain PII are monitored. Whenever a user or a client application retrieves one of these resources or issues an operation on one of these resources, the application creates an entry in a dedicated log.
System property ohi.logging.target determines where the system stores audit messages. Possible values:
- log: PHI access is logged using any configured Logback Appender for which the PHI filter is applied. An example of such a Logback Appender is the RollingFileAppender.
- database: audit messages for PHI access are persisted in the database as part of the HTTP API request and can be accessed via the generic/logphievents resource.
Design choices
- This feature is limited to logging the HTTP API operations on monitored resources. It does not trigger events.
- The set of monitored resources is limited to:
  - The person (including insurable entity and insurable person) resource and its detail resources
  - Any resource representing operational information, linked to an insurable entity or a family
- An audit log entry has the following parts:
Key | Value Description |
---|---|
Time stamp | When was PHI data accessed |
keyword | All messages start with the tag "ACCESS" (not shown in the |
user | The login name of the user (specified as 'system' for internal system user) |
resource | The name of the resource that was accessed |
id | The technical ID of the resource that was accessed |
relatedKey | The code of the relation, family or insurable object that is in context (if applicable) |
relatedId | The technical ID of the relation or insurable entity resource that is in context (if applicable) |
method | The operation (GET, PUT, POST, PATCH or DELETE) issued on the resource |
Monitored Resources
The following resources are monitored in OHI Claims Adjudication:
- persons
- addresses
- assignedproviders
- bankaccountnumbers
- eligibilitychecks
- maritalstatuses
- persontitles
- relationidentifiers
- personcoveredservices

- insurableentities
- insurablepersons

- claims
- claimlines

- ctrclaims
- ctrclaimlines

- authorizations
- limitcounters
- limitconsumptions

- providerlimitcounters
- regimecounters
- regimeconsumptions

- adjudicationcases
- episodes
- policyproducts
- policyfamilies
The following resources are monitored in OHI Capitation:
- persons
- addresses
- assignedproviders
- bankaccountnumbers
- contractalignments
- persontitles
- relationidentifiers

- contract events
- contract mutations
- attributions
- calculation results
The following resources are monitored in OHI Enterprise Policy Administration:
- persons
- addresses
- assignedproviders
- bankaccountnumbers
- maritalstatuses
- persontitles
- relationidentifiers
- personcoveredservices

- insurableentities
- insurablepersons

- policies
- policyholders
- policy enrollments
- policy bill receivers

- policy accounts
- policy account transactions

- calculation results
Examples
The following sections show sample log entries. The samples assume the value for system property ohi.logging.target is log, and a Logback file appender is configured.
Technical details like thread, level and class parts of the log entry are omitted and replaced by "…".
Common Examples
Persons
persons
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=persons, id=456719800, relatedKey=MEM12345,identifierstype=12348690, method=GET}
Part (5.6) is not logged for persons, because it is identical to part (5.4).
addresses
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=addresses, id=656266336, relatedKey=MEM12345, relatedId=456719800, method=POST}
bankaccountnumbers
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=bankaccountnumbers, id=756266336, relatedKey=MEM12345, relatedId=456719800, method=DELETE}
persontitles
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=persontitles, id=356266336, relatedKey=MEM12345, relatedId=456719800, method=PATCH}
OHI Claims Adjudication Examples
Persons
maritalstatuses
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=maritalstatuses, id=456719800, relatedKey=MEM12345, relatedId=456719800, method=GET}
eligibilitychecks
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=eligibilitychecks, id=856266336, relatedKey=MEM12345, relatedId=456719800, method=GET}
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=eligibilitychecks, id=856266335, method=GET}
Insurable Entities
insurableentities
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=insurableentities, id=256266330, relatedKey=MEM12345, relatedId=456719800, method=GET}
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=insurableentities, id=276266330, relatedKey=CAR12345, method=GET}
Part (5.6) is not logged for insurable entities that are objects, because it is identical to part (5.4).
insurablepersons
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=insurablepersons, id=2562663330, relatedKey=MEM12345, relatedId=456719800, method=GET}
Claims
claims
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=claims, id=256266331, relatedKey=MEM12345, relatedId=456719800, method=GET}
2017/03/02 13:22:12; … ; {keyword=ACCESS, user=JONES, resource=claims, id=245239330, method=PUT}
claimlines
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=claimlines, id=256266332, relatedKey=MEM12345, relatedId=456719800, method=POST}
Note that if a claim line does not have a reference to an insurable entity, that information is picked up from the claim level.
ctrclaims
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=ctrclaims, id=256266331, relatedKey=MEM12345, method=GET}
2017/03/02 13:22:12; … ; {keyword=ACCESS, user=JONES, resource=ctrclaims, id=256266333, method=GET}
Part (5.6) is not logged for ctr claims, because ctr claims do not have references to insurable entities; the code of the serviced (insurable) entity is stored as an attribute on the ctr claim.
ctrclaimlines
2017/03/01 15:56:02; … ;{keyword=ACCESS, user=JONES, resource=ctrclaimlines, id=256266334, relatedKey=MEM12345, method=GET}
Note that if a ctr claim line does not have a specified serviced entity code, that information is picked up from the ctr claim level. Part (5.6) is not logged for ctr claim lines (same as for ctr claims).
Authorizations
authorizations
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=authorizations, id=256266335, relatedKey=MEM12345, relatedId=456719800, method=GET}
Counters
limitcounters
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=limitcounters, id=256266336, relatedKey=MEM12345, relatedId=456719800, method=GET}
2017/03/02 13:22:12; … ; {keyword=ACCESS, user=JONES, resource=limitcounters, id=245239337, relatedKey=FAM12345, method=GET}
limitconsumptions
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=limitconsumptions, id=256266338, relatedKey=MEM12345, relatedId=456719800, method=GET}
2017/03/02 13:22:12; … ; {keyword=ACCESS, user=JONES, resource=limitconsumptions, id=256266339, method=GET}
providerlimitcounters
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=providerlimitcounters, id=256266346, relatedKey=MEM12345, relatedId=456719800, method=GET}
2017/03/02 13:22:12; … ; {keyword=ACCESS, user=JONES, resource=providerlimitcounters, id=256266356, method=GET}
regimecounters
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=regimecounters, id=256266366, relatedKey=MEM12345, relatedId=456719800, method=GET}
2017/03/02 13:22:12; … ; {keyword=ACCESS, user=JONES, resource=regimecounters, id=256266376, relatedKey=FAM12345, method=GET}
regimeconsumptions
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=regimeconsumptions, id=256266386, relatedKey=MEM12345, relatedId=456719800, method=GET}
Adjudication Cases
adjudicationcases
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=adjudicationcases, id=256266396, relatedKey=MEM12345, relatedId=456719800, method=GET}
Episodes
episodes
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=episodes, id=256266436, relatedKey=MEM12345, relatedId=456719800, method=GET}
Policy Products and Families
policyproducts
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=policyproducts, id=256266536, relatedKey=MEM12345, relatedId=456719800, method=GET}
policyfamilies
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=policyfamilies, id=256266636, relatedKey=MEM12345, relatedId=456719800, method=GET}
In part (5.5) the code of the relation or insurable object is logged instead of the code of the family.
OHI Capitation Examples
Persons
assignedproviders
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=assignedproviders, id=956266336, relatedKey=MEM12345, relatedId=456719800, method=GET}
contractalignments
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=contractalignments, id=458889800, relatedKey=MEM12345, relatedId=456719800, method=GET}
Change Events
contractevents
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=contractevents, id=956392336, relatedKey=MEM12345, relatedId=456719800, method=GET}
2017/03/01 17:58:34; … ; {keyword=ACCESS, user=JONES, resource=contractevents, id=956392337, method=GET}
contractmutations
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=contractmutations, id=946392336, relatedKey=MEM12345, relatedId=456719800, method=GET}
2017/03/01 17:58:34; … ; {keyword=ACCESS, user=JONES, resource=contractmutations, id=946392337, method=GET}
Calculations
attributions
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=attributions, id=888392336, relatedKey=MEM12345, relatedId=456719800, method=GET}
calculationresults
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=calculationresults, id=317392336, relatedKey=MEM12345, relatedId=456719800, method=GET}
OHI Enterprise Policy Administration Examples
Persons
maritalstatuses
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=maritalstatuses, id=456719800, relatedKey=MEM12345, relatedId=456719800, method=GET}
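For access reviews, entries in the format shown in the samples on this page can be parsed and summarized per user. The following is an added example, not part of the product or its documentation: the function names and the sample lines are constructed here, and it assumes the omitted technical parts of a line contain no braces and that values contain no commas.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the page's entry format (SMITH, MEM67890 are made up).
SAMPLE_LOG = """\
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=persons, id=456719800, relatedKey=MEM12345, method=GET}
2017/03/01 15:57:10; … ; {keyword=ACCESS, user=JONES, resource=addresses, id=656266336, relatedKey=MEM12345, relatedId=456719800, method=POST}
2017/03/01 15:58:41; … ;{keyword=ACCESS, user=SMITH, resource=claims, id=256266331, relatedKey=MEM12345,relatedId=456719800, method=GET}
2017/03/01 15:59:03; … ; {keyword=ACCESS, user=SMITH, resource=claims, id=245239330, method=PUT}
2017/03/01 16:02:17; … ; {keyword=ACCESS, user=SMITH, resource=persons, id=456719811, relatedKey=MEM67890, method=DELETE}
2017/03/01 16:02:18; … ; INFO unrelated application message
"""

ENTRY = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});.*\{(?P<body>[^{}]*)\}\s*$")
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}

def parse_entry(line):
    """Return a dict for one PHI access entry, or None (assumes no braces in the "…" parts)."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    # Split on commas with optional whitespace: spacing in the samples is not uniform.
    parts = re.split(r"\s*,\s*", m["body"].strip())
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    if fields.get("keyword") != "ACCESS":
        return None
    fields["time"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
    return fields

def summarize(log_text):
    """Per user: distinct relatedKey values touched, write count, entries without context."""
    report = defaultdict(lambda: {"keys": set(), "writes": 0, "no_context": 0})
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        row = report[e.get("user", "<missing>")]
        if "relatedKey" in e:
            row["keys"].add(e["relatedKey"])
        else:
            row["no_context"] += 1  # not attributable to a person from the log alone
        if e.get("method") in WRITE_METHODS:
            row["writes"] += 1
    return dict(report)

if __name__ == "__main__":
    for user, row in sorted(summarize(SAMPLE_LOG).items()):
        print(user, sorted(row["keys"]), row["writes"], row["no_context"])
```

Entries counted under no_context carry only the technical id of the resource, so tying them to a person requires a lookup outside the log.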