Audit and Reporting

Overview of audit requirements on HCX

HCX instances are expected to log each API call received along with the non encrypted details (domain headers, sig/enc algorithm details, sender & recipient details) and status of signature verification.

Key Requirements:

  • HCX instances should provide reports against the audit logs for different actors - payors, providers, beneficiaries, regulators, observers. Each HCX instance shall publish the list of reports supported by that instance and also define the level/details of information in each report.

  • The audit information stored should be made available through an API, so that the participating systems can query the audit log related to them.

  • Each HCX instance shall define an archival policy for retention & deletion of audit logs. The policy shall also define the process for accessing the logs after archival, if the HCX instance has support for it.

  • It is recommended for HCX instances to have a configuration to control the amount of information that gets stored in the audit logs.

Following section provides details of the HCX notification classification, structure, and triggers.

Last updated