Audit and Reporting
Overview of audit requirements
HCX instances are expected to log each API call received along with the non encrypted details (domain headers, sig/enc algorithm details, sender & recipient details) and status of signature verification.
- HCX instances should provide reports against the audit logs for different actors - payors, providers, beneficiaries, regulators, observers. Each HCX instance shall publish the list of reports supported by that instance and also define the level/details of information in each report.
- The audit information stored should be made available through an API, so that the participating systems can query the audit log related to them.
- Each HCX instance shall define an archival policy for retention & deletion of audit logs. The policy shall also define the process for accessing the logs after archival, if the HCX instance has support for it.
- It is recommended for HCX instances to have a configuration to control the amount of information that gets stored in the audit logs.
Apart from the list mentioned here, what other audit and reporting requirements would you expect HCX to fulfil?