Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-28840

Add langauge.

    XMLWordPrintableJSON

Details

    • Icon: Change Request Change Request
    • Resolution: Not Persuasive with Modification
    • Icon: Highest Highest
    • US Da Vinci HRex (FHIR)
    • current
    • Clinical Interoperability Council
    • Approaches to Exchanging FHIR Data
    • 3.0.3.10Ad Hoc Query
    • Hide

      That language is covered elsewhere in the IG. It doesn't belong here where the focus is on architectural choices - and where the language is intended to be independent of Da Vinci (and even country)

      In the new section between 3.0.1 and 3.0.2 will also add the following:

      Designers will also want to take into account additional considerations such as:

      • performance/response time
      • ability of the exchange mechanism to allow appropriate constraint on data retrieved (whether enforced by data source, data consumer or both)
      • etc.
      Show
      That language is covered elsewhere in the IG. It doesn't belong here where the focus is on architectural choices - and where the language is intended to be independent of Da Vinci (and even country) In the new section between 3.0.1 and 3.0.2 will also add the following: Designers will also want to take into account additional considerations such as: performance/response time ability of the exchange mechanism to allow appropriate constraint on data retrieved (whether enforced by data source, data consumer or both) etc.
    • Marti Velezis / Jimmy Tcheng : 6-0-1
    • Clarification
    • Non-substantive

    Description

      Add language

      Existing Wording:

      However, ad-hoc query means that the data source must have a security model that allows arbitrary queries against data. That does not mean they must allow all data consumers to query whatever they like. However, it does mean that the data source must be able to evaluate a given ad-hoc query and determine whether it is "allowed" for that data consumer and if not, either reject the query or add additional filters to make it acceptable prior to execution. Also, because ad-hoc queries are use-case independent, the data source must make access control decisions without knowing the 'purpose' for which the data is being retrieved. (Though in some cases, the authorization layer might allow capturing an overall reason for whatever actions are taken within a given authorized session.)

      Proposed Wording:

      However, ad-hoc query means that the data source must have a security model that allows arbitrary queries against data. That does not mean they must allow all data consumers to query whatever they like. However, it does mean that the data source must be able to evaluate a given ad-hoc query and determine whether it is "allowed" for that data consumer and if not, either reject the query or add additional filters to make it acceptable prior to execution. Also, because ad-hoc queries are use-case independent, the data source must make access control decisions without knowing the 'purpose' for which the data is being retrieved. (Though in some cases, the authorization layer might allow capturing an overall reason for whatever actions are taken within a given authorized session.) However, data consumers should limit the request for information to that required to address the specific, stated purpose of the data exchange or prearranged, agreed- upon purposes. For instance, trading partners will use data use agreements (DUAs), business associate agreements (BAAs) and/or contracts per the Da Vinci Guiding Principles.

      Attachments

        Activity

          People

            Unassigned Unassigned
            celine_lefebvre Celine Lefebvre
            Celine Lefebvre
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: