Abstract

Behavioral health systems face audit logging challenges that general-purpose healthcare standards do not adequately address. Regulations such as 42 CFR Part 2 impose stricter confidentiality requirements for substance use disorder treatment records than standard HIPAA provisions, and mental health data carries elevated stigma risk if exposed through audit trails. Existing audit approaches tend to capture excessive protected health information (PHI) in log entries or lack the structure needed for meaningful compliance analysis.

This paper presents BH Audit Schema, an open-source, versioned JSON Schema standard for behavioral health audit events. The contribution is the specific combination: a domain-specific audit contract that is machine-validatable, PHI-minimizing by construction, and explicitly mapped to HIPAA Security Rule, 42 CFR Part 2, and SOC 2 control objectives. The schema records the actions that occurred and the resource types they acted on, and it does so without logging any underlying clinical content.

The paper describes the schema's design principles, threat model, specification, regulatory control mappings, and reference implementation deployed in a production behavioral health platform. The standard, tooling, and documentation are publicly available under the Apache 2.0 license.
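
The following sketch shows what "machine-validatable" and "PHI-minimizing by construction" can mean in practice. It is an added example, not code or field definitions from BH Audit Schema: every field name, enum value, and the version string are assumptions chosen for illustration, and the sample events are constructed.

```python
import re

# Hypothetical closed contract: these field names and enums are assumptions
# for illustration, not the fields defined by BH Audit Schema.
ACTIONS = {"read", "create", "update", "delete", "export"}
RESOURCE_TYPES = {"progress_note", "treatment_plan", "sud_record", "medication_order"}
OPAQUE_ID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")

# Each permitted field maps to a predicate. There is no free-text field, so
# clinical content has nowhere to go in a valid event.
FIELDS = {
    "schema_version": lambda v: v == "0.0-example",
    "timestamp": lambda v: bool(TIMESTAMP.match(v)),
    "actor_id": lambda v: bool(OPAQUE_ID.match(v)),
    "action": lambda v: v in ACTIONS,
    "resource_type": lambda v: v in RESOURCE_TYPES,
    "resource_id": lambda v: bool(OPAQUE_ID.match(v)),
    "outcome": lambda v: v in {"success", "denied", "error"},
}

def validate_event(event):
    """Return a sorted list of violations; an empty list means the event is valid."""
    if not isinstance(event, dict):
        return ["event must be an object"]
    errors = []
    # Unknown keys are rejected outright (the additionalProperties: false idea).
    for name in event.keys() - FIELDS.keys():
        errors.append(f"unexpected field: {name}")
    for name, check in FIELDS.items():
        if name not in event:
            errors.append(f"missing field: {name}")
        elif not isinstance(event[name], str) or not check(event[name]):
            # Report the field name only, so the validator never echoes PHI.
            errors.append(f"invalid value for field: {name}")
    return sorted(errors)

# Constructed sample events.
GOOD = {
    "schema_version": "0.0-example", "timestamp": "2026-01-15T14:03:22Z",
    "actor_id": "3f2b8c1e-9d4a-4e6b-8a71-0c5d2e9f1a34", "action": "read",
    "resource_type": "sud_record", "outcome": "success",
    "resource_id": "b7e4a2d0-1c3f-4a58-9e6d-7f8091a2b3c4",
}
LEAKY = dict(GOOD, resource_id="DOE-JANE-1984", note_text="client reports relapse")
```

The second event fails on two counts: an identifier derived from a name does not match the opaque-ID pattern, and the free-text field is not part of the contract.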

Suggested citation

Kumar, T. (2026). BH Audit Schema: An Open Standard for PHI-Safe Audit Logging in Behavioral Health Systems. Behavioral Health Open Source. https://github.com/bh-healthcare/bh-audit-schema