To remain HIPAA compliant, all access to patient data must be logged in a way that answers the question: who accessed what, and when. In many cases this can be left to the EHR's FHIR® API to handle, but there are scenarios where an app, during normal operation, exposes data in a way that the EHR's FHIR® API cannot capture. For example, an app may fetch data from an EHR and then allow that information to be exported via email or another HIPAA-compliant messaging system. In these cases it is the application's responsibility to ensure that the event is recorded.
interopiO™ provides a solution for this by exposing an API endpoint on each gateway for the collection of these audit events.
This endpoint is secured using the access token the app already uses to communicate with the gateway; include it in the Authorization header of each request:
Authorization: Bearer <access_token>
This endpoint expects an instance of the FHIR® AuditEvent resource in the same FHIR® version as the gateway where the event is being posted.
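The following is an added example, not interopiO's own code, showing how an app would record a disclosure of this kind: it builds an R4 AuditEvent that answers "who accessed what, when" for an export of patient data, checks the fields the R4 resource requires before sending, and posts it with the app's existing bearer token. The gateway base URL and audit endpoint path are placeholders (this page does not state them), and FHIR R4 is assumed as the gateway version.

```python
"""Added example (not interopiO's code): build a FHIR R4 AuditEvent recording an
app-side disclosure of patient data and post it to a gateway audit endpoint with
the app's existing bearer token. Gateway URL and path are placeholders."""
import json
import urllib.request

# Placeholders: take the real gateway URL and audit path from the interopiO docs.
GATEWAY_BASE_URL = "https://gateway.example.invalid"
AUDIT_PATH = "/placeholder-audit-endpoint"

# R4 AuditEvent requires: type, recorded, at least one agent (each carrying
# requestor), and source.observer.
REQUIRED_TOP_LEVEL = ("type", "recorded", "agent", "source")


def build_audit_event(user_ref, user_name, patient_ref, app_name, recorded, action="R"):
    """Answer 'who (agent) accessed what (entity), when (recorded)'.

    recorded must be a FHIR instant, e.g. '2024-03-01T14:05:00Z'.
    action uses the R4 AuditEventAction codes: C, R, U, D or E.
    """
    return {
        "resourceType": "AuditEvent",
        # DICOM audit code 110106 'Export': data left the EHR's control.
        "type": {"system": "http://dicom.nema.org/resources/ontology/DCM",
                 "code": "110106", "display": "Export"},
        "action": action,
        "recorded": recorded,
        "outcome": "0",  # R4 outcome code 0 = success
        "agent": [{
            "who": {"reference": user_ref},  # constructed sample reference
            "name": user_name,
            "requestor": True,  # the user who triggered the export
        }],
        "source": {"observer": {"display": app_name}},  # the app doing the logging
        "entity": [{
            "what": {"reference": patient_ref},  # the record that was disclosed
            "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-entity-type",
                     "code": "1", "display": "Person"},
            "role": {"system": "http://terminology.hl7.org/CodeSystem/object-role",
                     "code": "1", "display": "Patient"},
        }],
    }


def missing_required_fields(event):
    """Return the R4-required fields the event lacks, so a malformed audit
    record is caught in the app instead of being rejected by the gateway."""
    missing = [f for f in REQUIRED_TOP_LEVEL if not event.get(f)]
    for i, agent in enumerate(event.get("agent", [])):
        if "requestor" not in agent:
            missing.append(f"agent[{i}].requestor")
    if "source" in event and "observer" not in event["source"]:
        missing.append("source.observer")
    return missing


def build_post_request(event, access_token):
    """Build the POST carrying the same bearer token the app uses for the gateway."""
    if not access_token:
        raise ValueError("access token required")
    problems = missing_required_fields(event)
    if problems:
        raise ValueError(f"AuditEvent missing required fields: {problems}")
    body = json.dumps(event).encode("utf-8")
    return urllib.request.Request(
        GATEWAY_BASE_URL + AUDIT_PATH,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/fhir+json",
            "Accept": "application/fhir+json",
        },
    )


def post_audit_event(event, access_token, timeout=10):
    """Send the event. A failure here should be retried or escalated, never
    silently dropped: the disclosure already happened and must be recorded."""
    req = build_post_request(event, access_token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    ev = build_audit_event("Practitioner/dr-example", "Dr. Example",
                           "Patient/example-123", "export-app",
                           "2024-03-01T14:05:00Z")
    req = build_post_request(ev, "access-token-placeholder")
    print(req.full_url, req.get_header("Authorization"))
    print(json.dumps(ev, indent=2))
```

The validation step is deliberately done client-side: an audit record rejected by the gateway after the export has already gone out leaves a gap in the access trail, so the app should refuse to perform the export until it can build a well-formed event, and treat a failed POST as something to retry rather than ignore.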