Compliance module logging is designed to answer questions broader than those that can be answered using the main audit log, such as:
- Which users have seen a given patient's data? What data was viewed by each user?
- Which patients have been seen by a particular user? What data was viewed for each patient?
- Which roles and PHI levels were declared by each user? Were those declarations appropriate to their job roles & assigned responsibilities?
- Was all data the user accessed consistent with the user's declarations?
What Gets Logged
The default behavior is to log only those queries that access PHI columns.
To open the Audit Log
- Select (Admin) > Site > Admin Console.
- Under Management click Audit Log.
- The following compliance-related views are available on the dropdown:
  - Logged query events - Shows the SQL query that was run against the data.
  - Logged select query events - Lists specific columns and identified data relating to explicitly logged queries, such as the list of participant IDs that were accessed and the set of PHI-marked columns that were accessed.
  - Site Settings events - Logs compliance-related configuration changes to a given folder, that is, changes made on a folder's Compliance tab.
  - User events - Records login and impersonation events.
To change the logging behavior of a folder, see Compliance: Configure PHI Data Handling.
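The questions listed at the top of this page can be answered by grouping rows from the "Logged select query events" view by user and by participant. The following is an added example, not code from the product: the row fields (`user`, `declared_phi`, `participants`, `phi_columns`), the PHI level names and their ordering, and the sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed ordering of PHI levels, lowest to highest (not taken from this page).
PHI_RANK = {"NotPHI": 0, "Limited": 1, "PHI": 2, "Restricted": 3}

# Constructed sample rows; field names are hypothetical, not the product's export schema.
EVENTS = [
    {"user": "alice", "declared_phi": "PHI", "participants": ["P100", "P101"],
     "phi_columns": {"BirthDate": "PHI", "ZipCode": "Limited"}},
    {"user": "bob", "declared_phi": "Limited", "participants": ["P100"],
     "phi_columns": {"ZipCode": "Limited"}},
    {"user": "bob", "declared_phi": "Limited", "participants": ["P102"],
     "phi_columns": {"BirthDate": "PHI"}},
]

def users_for_patient(events, participant):
    """Map each user who accessed `participant` to the PHI columns they saw."""
    seen = defaultdict(set)
    for e in events:
        if participant in e["participants"]:
            seen[e["user"]].update(e["phi_columns"])
    return dict(seen)

def patients_for_user(events, user):
    """Map each participant accessed by `user` to the PHI columns viewed."""
    seen = defaultdict(set)
    for e in events:
        if e["user"] == user:
            for p in e["participants"]:
                seen[p].update(e["phi_columns"])
    return dict(seen)

def inconsistent_access(events):
    """Return (user, column, participants) where a column exceeds the declared level."""
    findings = []
    for e in events:
        limit = PHI_RANK[e["declared_phi"]]
        for col, level in e["phi_columns"].items():
            if PHI_RANK[level] > limit:
                findings.append((e["user"], col, tuple(e["participants"])))
    return findings

if __name__ == "__main__":
    print(users_for_patient(EVENTS, "P100"))
    print(patients_for_user(EVENTS, "bob"))
    print(inconsistent_access(EVENTS))
```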
PIVOT Queries and Compliance Logging
Note that PIVOT queries cannot be used with compliance logging of query access. Logging relies on checking PHI access row by row, with each row linked to a participant. Because PIVOT queries aggregate data from multiple rows, and thus multiple participants, this access cannot be accurately logged, so the query will raise an "unauthorized" error.