Construct an AuditMessage XML document conforming to the DICOM Supplement 95 / RFC 3881 structure for each auditable event, populating the EventIdentification element (EventActionCode, EventDateTime, EventOutcomeIndicator)
Populate the ActiveParticipant elements for the human requestor (with userId and network access point), the process performing the action, and the destination system
Add a ParticipantObjectIdentification element for the patient (ParticipantObjectTypeCode=1, Role=1) with the patient identifier, and a second element for the document or study accessed
Transmit the audit message to the ATNA Audit Repository using either syslog over TLS (RFC 5425) on port 6514 or the DICOM STOW method, depending on the repository's supported transport
Verify the repository acknowledges receipt and implement local buffering so audit messages are not lost if the repository is temporarily unavailable
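The steps above as an added Python sketch (not part of the original page): it builds the AuditMessage with RFC 3881 attribute names and frames it with RFC 5425 octet counting, ready to write to a mutually authenticated TLS socket on port 6514. The function names, the sample identifiers, the DCM event code 110110 and the syslog PRI/MSGID values are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

VALID_OUTCOMES = {0, 4, 8, 12}  # 0 = success; 4/8/12 = failure severities

def build_audit_message(action, outcome, when, user_id, user_ip, process_id,
                        dest_id, patient_id, document_id, source_id):
    """Return RFC 3881-style AuditMessage XML (bytes) for one event."""
    if outcome not in VALID_OUTCOMES:
        raise ValueError(f"invalid EventOutcomeIndicator: {outcome}")
    root = ET.Element("AuditMessage")
    event = ET.SubElement(root, "EventIdentification", EventActionCode=action,
                          EventDateTime=when.isoformat(),
                          EventOutcomeIndicator=str(outcome))
    ET.SubElement(event, "EventID", code="110110", codeSystemName="DCM",
                  displayName="Patient Record")
    # Human requestor with network access point (type 2 = IP address).
    ET.SubElement(root, "ActiveParticipant", UserID=user_id, UserIsRequestor="true",
                  NetworkAccessPointID=user_ip, NetworkAccessPointTypeCode="2")
    # Process performing the action, then the destination system.
    for uid in (process_id, dest_id):
        ET.SubElement(root, "ActiveParticipant", UserID=uid, UserIsRequestor="false")
    ET.SubElement(root, "AuditSourceIdentification", AuditSourceID=source_id)
    # Patient: type 1 (person), role 1 (patient), ID type 2 (patient number).
    # Document: type 2 (system object), role 3 (report), ID type 9 (report number).
    for obj_id, type_code, role, id_type in ((patient_id, "1", "1", "2"),
                                             (document_id, "2", "3", "9")):
        obj = ET.SubElement(root, "ParticipantObjectIdentification",
                            ParticipantObjectID=obj_id, ParticipantObjectTypeCode=type_code,
                            ParticipantObjectTypeCodeRole=role)
        ET.SubElement(obj, "ParticipantObjectIDTypeCode", code=id_type, codeSystemName="RFC-3881")
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def frame_for_tls_syslog(xml_bytes, when, hostname, app_name):
    """Wrap in an RFC 5424 header and an RFC 5425 octet-counting frame."""
    # PRI 85 = facility 10 (security/auth) * 8 + severity 5 (notice);
    # PRI and MSGID are assumptions following common ATNA usage.
    header = f"<85>1 {when.isoformat()} {hostname} {app_name} - IHE+RFC-3881 - "
    msg = header.encode("ascii") + b"\xef\xbb\xbf" + xml_bytes  # BOM marks a UTF-8 MSG
    return str(len(msg)).encode("ascii") + b" " + msg

# Constructed sample values, not taken from any real system.
WHEN = datetime(2024, 1, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_XML = build_audit_message("R", 0, WHEN, "dr.smith", "192.0.2.10",
                                 "viewer-app", "pacs.example.org", "PAT-0001",
                                 "DOC-0001", "viewer-01")
SAMPLE_FRAME = frame_for_tls_syslog(SAMPLE_XML, WHEN, "viewer-01.example.org", "viewer")
```

Pass the real result of the operation as `outcome` rather than a constant 0, and keep the framed bytes in a local queue until the repository has accepted them.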
Known gotchas
ATNA requires TLS mutual authentication (both client and server present certificates) for syslog transport — plain TCP syslog is not compliant and will be rejected by a strict repository
The EventOutcomeIndicator must accurately reflect success (0) or failure (4/8/12) — logging all events as success regardless of actual outcome is a common audit trail deficiency found during IHE Connectathon testing
FHIR AuditEvent resources can be used as an alternative audit representation but the coded values (type, subtype, action) must align with the DICOM/ATNA code system to be interoperable with traditional ATNA repositories