Resource Auditing

This feature monitors user access and user updates to protected health information (PHI) and personally identifiable information (PII) through the HTTP application programming interface (API). All HTTP resources that link a person to PHI and all resources that contain PII are monitored. Whenever a user or a client application retrieves one of these resources or issues an operation on one of these resources, the application creates an entry in a dedicated log.

System property ohi.logging.target determines where the system stores audit messages. Possible values:

  • log: PHI access is logged using any configured Logback Appender for which the PHI filter is applied. An example of such a Logback Appender is the RollingFileAppender.

  • database: audit messages for PHI access are persisted in the database as part of the HTTP API request and can be accessed via the generic/logphievents resource.

This feature is limited to logging the HTTP API operations on monitored resources. It does not trigger events.

The set of monitored resources is limited to:

  • The person (including insurable entity and insurable person) resource and its detail resources

  • Any resource representing operational information, linked to an insurable entity or a family

An audit log entry has the following parts:

Table 1. Resource Auditing

| Key Value | Description |
|---|---|
| Time stamp | When the PHI data was accessed |
| keyword | All messages start with the tag "ACCESS" (not shown in the generic/logphievents payload) |
| user | The login name of the user (specified as 'system' for internal system user) |
| resource | The name of the resource that was accessed |
| id | The technical ID of the resource that was accessed |
| relatedKey | The code of the relation, family or insurable object that is in context (if applicable) |
| relatedId | The technical ID of the relation or insurable entity resource that is in context (if applicable) |
| method | The operation (GET, PUT, POST, PATCH or DELETE) issued on the resource |

Monitored Resources

The following resources are monitored in Oracle Health Insurance Value-Based Payments:

  • persons

    • addresses

    • assignedproviders

    • bankaccountnumbers

    • contractalignments

    • persontitles

    • relationidentifiers

  • contract events

  • contract mutations

  • attributions

  • calculation results

Examples

Persons

persons

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=persons, id=456719800, relatedKey=MEM12345,identifierstype=12348690, method=GET}

For persons part 7 does not hold the relatedId because that is the same as part 4, the id. Instead, part 7 for persons holds the technical id of the identifiertype.

addresses

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=addresses, id=656266336, relatedKey=MEM12345, relatedId=456719800, method=POST}

assignedproviders

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=assignedproviders, id=956266336, relatedKey=MEM12345, relatedId=456719800, method=GET}

bankaccountnumbers

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=bankaccountnumbers, id=756266336, relatedKey=MEM12345, relatedId=456719800, method=DELETE}

persontitles

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=persontitles, id=356266336, relatedKey=MEM12345, relatedId=456719800, method=PATCH}

Insurable Entities

insurableentities

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=insurableentities, id=256266330, relatedKey=MEM12345, relatedId=456719800, method=GET}

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=insurableentities, id=276266330, relatedKey=CAR12345, method=GET}

Part 6 is not logged for insurable entities that are objects, because it is identical to part 4.

insurablepersons

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=insurablepersons, id=2562663330, relatedKey=MEM12345, relatedId=456719800, method=GET}

Contracts

contractalignments

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=contractalignments, id=458889800, relatedKey=MEM12345, relatedId=456719800, method=GET}

contractevents

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=contractevents, id=956392336, relatedKey=MEM12345, relatedId=456719800, method=GET}

2017/03/01 17:58:34; …​ ; {keyword=ACCESS, user=JONES, resource=contractevents, id=956392337, method=GET}

contractmutations

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=contractmutations, id=946392336, relatedKey=MEM12345, relatedId=456719800, method=GET}

2017/03/01 17:58:34; …​ ; {keyword=ACCESS, user=JONES, resource=contractmutations, id=946392337, method=GET}

attributions

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=attributions, id=888392336, relatedKey=MEM12345, relatedId=456719800, method=GET}

calculationresults

2017/03/01 15:56:02; …​ ; {keyword=ACCESS, user=JONES, resource=calculationresults, id=317392336, relatedKey=MEM12345, relatedId=456719800, method=GET}
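As an added example (not part of the product documentation), the following Python sketch parses audit lines in the format shown above and flags modifying operations and users who touch many distinct relatedKey values. The sample lines, the user SMITH and the `max_keys` threshold are constructed for illustration; the elided middle fields are skipped rather than interpreted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format shown on this page; the elided
# middle fields ("...") are treated as opaque and skipped by the parser.
SAMPLE = """\
2017/03/01 15:56:02; ... ; {keyword=ACCESS, user=JONES, resource=persons, id=456719800, relatedKey=MEM12345,identifierstype=12348690, method=GET}
2017/03/01 15:56:40; ... ; {keyword=ACCESS, user=JONES, resource=bankaccountnumbers, id=756266336, relatedKey=MEM12345, relatedId=456719800, method=DELETE}
2017/03/01 15:57:10; ... ; {keyword=ACCESS, user=SMITH, resource=addresses, id=656266337, relatedKey=MEM20001, relatedId=456719801, method=GET}
2017/03/01 15:57:30; ... ; {keyword=ACCESS, user=SMITH, resource=addresses, id=656266338, relatedKey=MEM20002, relatedId=456719802, method=GET}
2017/03/01 15:58:05; ... ; {keyword=ACCESS, user=SMITH, resource=persons, id=456719803, relatedKey=MEM20003,identifierstype=12348690, method=GET}
2017/03/01 17:58:34; ... ; {keyword=ACCESS, user=JONES, resource=contractevents, id=956392337, method=GET}
not an audit line
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});.*\{(.*)\}\s*$")

def parse_line(line):
    """Return a dict for one audit entry, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Pairs are comma-separated, with or without a space after the comma.
    entry = dict(p.strip().split("=", 1) for p in m.group(2).split(",") if "=" in p)
    if entry.get("keyword") != "ACCESS":
        return None
    entry["timestamp"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return entry

def review(lines, max_keys=2):
    """Return (entries, non-GET entries, users with more than max_keys distinct relatedKeys)."""
    entries = [e for e in map(parse_line, lines) if e]
    writes = [e for e in entries if e.get("method") != "GET"]
    keys = defaultdict(set)
    for e in entries:
        if "relatedKey" in e:  # relatedKey is optional ("if applicable")
            keys[e["user"]].add(e["relatedKey"])
    broad = {u: sorted(k) for u, k in keys.items() if len(k) > max_keys}
    return entries, writes, broad

if __name__ == "__main__":
    entries, writes, broad = review(SAMPLE.splitlines())
    print(len(entries), "entries; writes:", [(e["user"], e["resource"], e["method"]) for e in writes])
    print("broad access:", broad)
```
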