Traditional access control mechanisms prevent illegal access by controlling access right before executing an action; they belong to a class of a priori security solutions and, from this point of view, they have some limitations, like inflexibility in unanticipated circumstances. By contrast, a posteriori mechanisms enforce policies not by preventing unauthorized access, but rather by deterring it. Such access control needs evidence to prove violations. Evidence is derived from one or several log records, which trace each user's actions. Efficiency of violation detection mostly depends on the compliance of log records with the access control policy. In order to develop an efficient method for finding these violations, we propose restructuring log records according to a security policy model. We illustrate our methodology by applying it to the healthcare domain, taking care of the IHE (Integrating the healthcare enterprise) framework, particularly its basic security profile, ATNA (Audit Trail and Node Authentication). This profile defines log records established on the analysis of common health practice scenarios. We analyze and establish how ATNA log records can be refined in order to be integrated into an a posteriori access and usage control process, based on an expressive and contextual security policy like the OrBAC policy.