In healthcare information management, privacy and confidentiality are two major concerns usually satisfied by access control means. Traditional access control mechanisms prevent illegal access by controlling access right before executing an action. They have some limitations like inflexibility in unanticipated circumstances (e.g., emergency). Recently, a posteriori access control has been proposed to complete a priori protection for a more effective and flexible solution. It controls the access by deterring user from having unauthorized access. To be deployed, a posteriori access control needs evidence to prove the users' violations. In this paper, we show how log records defined by the Integrating the Healthcare Enterprise-Audit Trail and Node Authentication (ATNA) profile can be used to deploy an a posteriori access control system. To develop an efficient method for finding violations, we propose a framework that customizes ATNA log records according to a contextual security policy like the Organization-Based Access Control. Experiments we conducted are also presented.