Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-30868

Confidentiality protection in a Direct Query must be conveyed in some manner.

    XMLWordPrintableJSON

Details

    • Icon: Change Request Change Request
    • Resolution: Persuasive with Modification
    • Icon: Highest Highest
    • US Da Vinci CDex (FHIR)
    • current
    • Patient Care
    • Specification [deprecated]
    • Hide

      Add to privacy and security page:

       

      Confidentiality: In some cases when soliciting data, it may be important to transmit the level of confidentiality protection afforded information by policy. 

       In the US, if the level of confidentiality protection required for some/all of the information requested by a data consuming system is more stringent than the "default" confidentiality protection provided for HIPAA PHI, then the data source needs to be able to make decisions about whether to provide the information at all or whether to filter the information. 

      Specifically, if the level of confidentiality required for some of the information requested is more stringent than the data consuming system is authorized to receive, then the data source would need to either deny access entirely or segment the information such that the consuming system can only access the information to which it is authorized.

       There is work in progress ([link to SMART fine-grained access project])  and the FHIR Data Segmentation for Privacy IG on standardizing how the requested information's confidentiality can be conveyed using OAuth.  Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.  In the interim, implementers should consult with their compliance department to determine what requirements exist and how best to satisfy them, whether with in-band or out-of-band communications.

      Show
      Add to privacy and security page:   Confidentiality: In some cases when soliciting data, it may be important to transmit the level of confidentiality protection afforded information by policy.   In the US, if the level of confidentiality protection required for some/all of the information requested by a data consuming system is more stringent than the "default" confidentiality protection provided for HIPAA PHI, then the data source needs to be able to make decisions about whether to provide the information at all or whether to filter the information.  Specifically, if the level of confidentiality required for some of the information requested is more stringent than the data consuming system is authorized to receive, then the data source would need to either deny access entirely or segment the information such that the consuming system can only access the information to which it is authorized.  There is work in progress ( [link to SMART fine-grained access project] )  and the  FHIR Data Segmentation for Privacy IG  on standardizing how the requested information's confidentiality can be conveyed using OAuth.  Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.  In the interim, implementers should consult with their compliance department to determine what requirements exist and how best to satisfy them, whether with in-band or out-of-band communications.
    • Eric Haas/Jay Lyle: 11-0-11
    • Enhancement
    • Compatible, substantive

    Description

      At a minimum, CDex IG must address the need for queries to specify the level of confidentiality protection assigned to the requested Resource by whatever means available, e.g., following the OASIS XSPA SAML IG, out-of-band communications, a trust agreement, or by pre-adopting the SMART Fine Grain Access approach for conveying a confidentiality code, which has yet to be balloted.

      Existing Wording:

      No existing wording.

      Proposed Wording:

      The details of how to convey the level of confidentiality protection required to be afforded the information being queried using OAuth is an area of active discussion.
      Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.
      Until that time, a CDex query requester should consult with legal counsel on how to convey the requester's intent to access confidential information by whatever means available, e.g., following the OASIS XSPA SAML IG, out-of-band communications, a trust agreement, or by pre-adopting the yet to be balloted SMART Fine Grain Access approach for conveying confidentiality in conformance with the HL7 Privacy and Security Healthcare Classification System.

      (Comment 66 - imported by: Jean Duteau)

      Attachments

        Activity

          People

            Unassigned Unassigned
            k.connor Kathleen Connor
            Kathleen Connor
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: