HCX Protocol
v0.6

Audit and Reporting

Overview of audit requirements


Last updated 3 years ago

HCX instances are expected to log each API call received, along with its non-encrypted details (domain headers, signature/encryption algorithm details, sender and recipient details) and the status of signature verification.

Key Requirements:

  • HCX instances should provide reports against the audit logs for different actors - payors, providers, beneficiaries, regulators, observers. Each HCX instance shall publish the list of reports supported by that instance and also define the level/details of information in each report.

  • The audit information stored should be made available through an API, so that the participating systems can query the audit log related to them.

  • Each HCX instance shall define an archival policy for retention & deletion of audit logs. The policy shall also define the process for accessing the logs after archival, if the HCX instance has support for it.

  • It is recommended for HCX instances to have a configuration to control the amount of information that gets stored in the audit logs.
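
As an added illustration (not part of the HCX specification or any HCX reference code), the sketch below builds an audit entry from only the non-encrypted part of a request, applies a configurable detail level, and filters the log per participant. It assumes the payload arrives as a JWE compact serialization; the `x-hcx-*` header names, the API path and all sample values are assumptions constructed for the example.

```python
import base64, json
from datetime import datetime, timezone

# Assumed header names; this page only says "sender & recipient details".
SENDER, RECIPIENT = "x-hcx-sender_code", "x-hcx-recipient_code"
LEVELS = {
    "minimal": {"alg", "enc", SENDER, RECIPIENT},
    "full": None,  # None = keep every protected-header field
}

def b64url(obj):
    """Encode a dict as unpadded base64url JSON (used to build the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def protected_header(jwe_compact):
    """Decode only the first (cleartext) segment; ciphertext is never touched."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("not a JWE compact serialization")
    seg = parts[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def audit_record(api, jwe_compact, signature_ok, level="minimal"):
    """Build one audit entry from non-encrypted details only."""
    hdr = protected_header(jwe_compact)
    keep = LEVELS[level]
    details = {k: v for k, v in hdr.items() if keep is None or k in keep}
    return {
        "logged_at": datetime.now(timezone.utc).isoformat(),
        "api": api,
        "signature_verified": bool(signature_ok),
        "sender": hdr.get(SENDER),
        "recipient": hdr.get(RECIPIENT),
        "headers": details,
    }

def query(log, participant):
    """Return only entries where the caller is sender or recipient."""
    return [r for r in log if participant in (r["sender"], r["recipient"])]

# Constructed sample: header values and the four opaque segments are made up.
SAMPLE_HEADER = {"alg": "RSA-OAEP", "enc": "A256GCM", SENDER: "provider-001",
                 RECIPIENT: "payor-001", "x-hcx-correlation_id": "corr-1"}
SAMPLE_JWE = ".".join([b64url(SAMPLE_HEADER), "a2V5", "aXY", "Y2lwaGVy", "dGFn"])
LOG = [audit_record("/claim/submit", SAMPLE_JWE, True),
       audit_record("/claim/submit", SAMPLE_JWE, False, level="full")]
```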

Questions for Consultation

Question 1

Apart from the list mentioned here, what other audit and reporting requirements would you expect HCX to fulfil?

Instructions to send responses to the consultation questions are available here.