FHIR Specification Feedback / FHIR-30869

The Sensitivity of the information in a Direct Query must be conveyed in some manner.


Details

    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Highest
    • US Da Vinci CDex (FHIR)
    • current
    • Patient Care
    • Specification [deprecated]
    • Resolution text:

      Add to Security and Privacy page:

      Sensitivity: In some cases when soliciting data, it may be important to transmit the privacy or security sensitivity of information as deemed by policy.

      If a data consuming system requests sensitive information, then the data source must decide whether the requester is authorized to access some/all of this information.

      There is work in progress ([link to SMART fine-grained access project]) and the FHIR Data Segmentation for Privacy IG on standardizing how the requested information's sensitivity can be conveyed using OAuth.  Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.  In the interim, implementers should consult with their compliance department to determine what requirements exist and how best to satisfy them, whether with in-band or out-of-band communications.

    • Eric Haas/Jay Lyle: 11-0-11
    • Enhancement
    • Compatible, substantive

    Description

      At a minimum, CDex IG must address the need for queries to specify the sensitivity tags assigned to the requested Resource by whatever means available, e.g., following the OASIS XSPA SAML IG, out-of-band communications, a trust agreement, or by pre-adopting the SMART Fine Grain Access approach for conveying sensitivity codes, which has yet to be balloted.

      Existing Wording:

      No existing wording.

      Proposed Wording:

      The details of how to convey the sensitivity of information being queried using OAuth are an area of active discussion.
      Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.
      Until that time, a CDex query requester should consult with legal counsel on how to convey the requester's intent to access sensitive information by whatever means available, e.g., following the OASIS XSPA SAML IG, out-of-band communications, a trust agreement, or by pre-adopting the yet to be balloted SMART Fine Grain Access approach for conveying information sensitivity in conformance with the HL7 Privacy and Security Healthcare Classification System.

      (Comment 67 - imported by: Jean Duteau)
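The resolution text leaves the data source to decide whether a requester may receive some or all of the sensitive information it asked for, and the description frames this around the sensitivity tags carried by the requested Resource. The following is an added illustration (not CDex, SMART or Data Segmentation for Privacy code) of that data-source side decision: it reads the HL7 v3 confidentiality and sensitivity codes in each resource's `meta.security`, compares them with a requester clearance that is assumed to have been agreed out-of-band (for example under a trust agreement, one of the interim options the ticket names), and withholds anything outside that clearance. The sample Bundle and the clearance values are constructed for the example.

```python
"""Data-source release check driven by FHIR meta.security labels (illustrative only).
The requester's clearance (maximum confidentiality level plus permitted sensitivity
categories) is assumed to be agreed out-of-band, e.g. under a trust agreement."""
ACT_CODE = "http://terminology.hl7.org/CodeSystem/v3-ActCode"
CONFIDENTIALITY = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
# HL7 v3 Confidentiality codes, least to most restrictive.
CONF_RANK = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}

def security_labels(resource):
    """Split meta.security into (confidentiality code or None, set of sensitivity codes)."""
    conf, sensitivity = None, set()
    for coding in resource.get("meta", {}).get("security", []):
        if coding.get("system") == CONFIDENTIALITY:
            conf = coding.get("code")
        elif coding.get("system") == ACT_CODE:
            sensitivity.add(coding.get("code"))
    return conf, sensitivity

def releasable(resource, max_conf, cleared):
    """True only if every label on the resource lies within the requester's clearance.
    Fails closed: an unlabelled resource is withheld rather than assumed 'N' (normal),
    so an untagged sensitive record cannot leak. That is a policy choice, not a CDex rule."""
    conf, sensitivity = security_labels(resource)
    if conf not in CONF_RANK or CONF_RANK[conf] > CONF_RANK[max_conf]:
        return False
    return sensitivity <= set(cleared)

def filter_bundle(bundle, max_conf, cleared):
    """Return (bundle restricted to releasable entries, ids of the withheld resources)."""
    kept, withheld = [], []
    for entry in bundle.get("entry", []):
        res = entry["resource"]
        if releasable(res, max_conf, cleared):
            kept.append(entry)
        else:
            withheld.append(f"{res['resourceType']}/{res['id']}")
    return dict(bundle, entry=kept, total=len(kept)), withheld

def sample_entry(rtype, rid, conf=None, *sens):
    """Constructed sample resource (not real patient data) carrying the given labels."""
    security = [{"system": CONFIDENTIALITY, "code": conf}] if conf else []
    security += [{"system": ACT_CODE, "code": s} for s in sens]
    return {"resource": {"resourceType": rtype, "id": rid, "meta": {"security": security}}}

# Constructed searchset: routine data, two restricted records with different
# sensitivity categories, and one resource that carries no labels at all.
SAMPLE_BUNDLE = {"resourceType": "Bundle", "type": "searchset", "entry": [
    sample_entry("Observation", "obs-1", "N"),
    sample_entry("Condition", "cond-2", "R", "HIV"),
    sample_entry("Condition", "cond-3", "R", "PSY"),
    sample_entry("Observation", "obs-4"),
]}
```

A requester cleared up to "R" for the HIV category only receives obs-1 and cond-2; cond-3 (PSY) and the unlabelled obs-4 are withheld, and the withheld ids give the data source something to log against the request.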

      People

        Assignee: Unassigned
        Reporter: Kathleen Connor (k.connor)