FHIR AuditEvent IP Address, Device Type and Country

Question

In a web application I'm using HL7 FHIR (R5) standard for auditevent.

What is the correct structure/properties in FHIR to hold these properties:

• IP Address (IP address of the user who performed the event)
• Country (country name of the user)
• Device Type (what access type the user used to performe the event, e.g. Browser, Mobile..)

Thanks.

Answer 1

there is less experience with FHIR R5 than there is with FHIR R4. With FHIR R4, IHE has a very helpful Implementation Guide for use of AuditEvent - https://profiles.ihe.net/ITI/BALP/index.html

When we tried to update BALP to R5, as an experiment, we found that somethings were not possible anymore, so we put in jira tickets to make R6 better again.

That said, Here is my response to your questions.

1. The IP address where the user is, can be represented in the .agent that holds the user identity; with the IP address encoded in the .agent.networkString. If you have a hostname, that would be the string. If you don't have a hostname, then the IP address is encoded in numeric "Literal address form using square brackets '[]' as a v4 string (in dotted notation), or v6 string (in colon notation)." Quoted from the AuditEvent.agent.network[x] requirements. You would use networkURL if you know more about the IP address, such as the network protocol (e.g. http) being used.

2. The country from which the user is connecting from, would tend to be part of the Resource used to describe the user, if it is a characteristic of the user. Such as Patient.address, Practitioner.address, PractitionerRole.location, etc. (Noting that all users regardless of their medical credentials are Practitioners. Practitioner is not limited to clinical users. When the location is more dynamic, then it would go into the .agent.location.

3. In R4 there is an agent.network.type. We looked at the possibilities and realized that when we move the network.address into a URL format, then the protocol on the URL format would indicate the type of network address. This works really well for servers, but as you point out the client of a web address could be anything. However the historic network.type was about protocol not kind of client. If you need to know this level of detail, I would recommend you record it as another .agent using the Device resource in the .agent.who.

Most of the time in FHIR contained resources are discouraged, but recording AuditEvents tend to be one place where one would use a contained resource WHEN there is not a persisted resource (Practitioner, Location, etc) for that agent. It is better to record facts than lose them due to not having a persisted agent resource defined.