Privacy Consent on FHIR (PCF)
1.1.0 - Trial-Implementation
This page is part of the Privacy Consent on FHIR (PCF) (v1.1.0: Publication) based on FHIR (HL7® FHIR® Standard) R4. This is the current published version. For a full list of available versions, see the Directory of published versions
Editor, replace existing Volume 1 Appendix P with the following. This appendix exists in the Final Text Technical Framework but only covers BPPC. This version expands on the scope and updates the details. |
Privacy policies are an important part of an organization’s overall risk management strategy. They help to protect the organization from potential legal liability, as well as from reputational damage. Privacy policies should be aligned with other policies within the organization, such as data security policies, employee training policies, and incident response plans.
Privacy policies should be reviewed and updated regularly to ensure that they reflect the latest legal and regulatory requirements. They should also be communicated to employees and customers in a clear and concise way.
Here are some of the other policies within an organization that privacy policies relate to:
This appendix provides information about Privacy Policies and when consent could be automated and consequently when the BPPC, APPC, or PCF Profiles could be used.
Concepts (this set of concepts is a non-exhaustive subset of terms relevant to Privacy Consent and the definitions given here have been simplified for that scope.):
The Privacy Policy includes appropriate access rules that define conditions on various factor(s) for example:
Some Privacy Consent needs require a more basic record, where as other Consents require intermediate or advanced needs. The more advanced need must support both the recording of the patient specific parameters and the ability to distinguish the accesses that would be impacted by those specific parameters.
The Privacy Consent Ceremony and the development of the Privacy Policies is not constrained or described by IHE. The Privacy Preferences is a potential way to improve the Patient Experience by allowing the Patient to express their desired privacy conditions and parameters. These Privacy Preferences would not be enforceable as they are as statement of desire and not agreed to by a Data Holder. The Consent ceremony could take these preferences as input, and thus, present the terms that the Data Holder is willing to enforce. Thus, at the end of the Consent Ceremony there would be a Patient Privacy Consent Resource that expresses the terms that the Data Holder and Patient have agreed to.
A domain’s Privacy Consent Policies could result in various actions, for example:
There is always a need to have overarching policies that define for a user what kind of activities and data access is allowed. This overarching policy would define all of the access control rules that are independent from any patient choice. Within an organization these overarching policies would include activities allowed, such as not allowing a janitor to prescribe drugs. One possible implementation may have a collection of roles vs. object types that would form an access control matrix. An example of a simple access control matrix is shown in the table below, where an X
indicates that the given role would have access to the given object type.
Table P-1: Sample Access Control Policies
Object Type vs Functional Role | Billing Information | Administrative Information | Dietary Restrictions | General Clinical Information | Sensitive Clinical Information | Research Information | Mediated by Direct Care Provider |
---|---|---|---|---|---|---|---|
Administrative Staff | X | X | |||||
Dietary Staff | X | X | |||||
General Care Provider | X | X | X | ||||
Direct Care Provider | X | X | X | X | X | ||
Emergency Care Provider | X | X | X | X | X | ||
Researcher | X | ||||||
Patient or Legal Representative | X | X | X | X | X | ||
Janitor |
Within a trust domain, they will define a similar matrix, and that matrix results in a single Domain Privacy Policy. This vocabulary must then be configured in the Access Control and Enforcement Points. Using the example above, the Domain Privacy Policy might look like.
Table P-2: Patient Privacy Policies When Expressed by Document Sensitivity
Privacy Consent Policy | Description |
---|---|
Billing Information | May be accessed by administrative staff and the patient or their legal representative. |
Administrative Information | May be accessed by administrative or dietary staff or general, direct or emergency care providers, the patient or their legal representative. |
Dietary Restrictions | May be accessed by dietary staff, general, direct or emergency care providers, the patient or their legal representative. |
General Clinical Information | May be accessed by general, direct or emergency care providers, the patient or their legal representative. |
Sensitive Information | May be accessed by direct or emergency care providers, the patient or their legal representative. |
Research Information | May be accessed by researchers. |
Mediated by Direct Care Provider | May be accessed by direct or emergency care providers. |
Janitors | Shall not have access to any data. |
This method can be used to define the Patient Privacy Policy. Variations may also be defined, covering the differences between Patient Privacy Policy available and the effects of a Patient rejecting the Patient Privacy Policy.
Note that a Patient Privacy policy will focus on who has access to data. Other Consents, like Consent-to-Treat or Medical-Advanced-Directives (living wills), focus more on authorization for activities.
The above closely matches Role Based Access Control (RBAC), where users are grouped into one or more roles. These groupings might be based on where the user reports to or works, called ‘structural roles,’ or may be indicated by what the user is currently doing, called ‘functional roles’. Regardless of if a role is a structural or functional role, it may authorize activities and access to data. These roles will have rules associated with them, like the matrix above. Thus, when any request is being made by a user, their roles are compared to the data access request to determine if the data should be given.
RBAC works well when object types are clearly needed or forbidden by a given role. This is often the case in many industries.
Healthcare struggles with RBAC as some data needs to have different rules due to the data values, rather than the kind of data. The most clear example of this comes with Restricted sensitivity data, but is also true within Normal sensitive data. As shown above, there is some need for Dietary Staff, providing the hospital rooms with meals, to know some of the healthcare indicators such as allergies and current recovery status. Thus, the Dietary Staff needs access to some Normal sensitive data but not other Normal sensitive data. One could just write policy that tells Dietary Staff to not look at any data they should not be looking at, and possibly watch the audit logs for deviations from this policy. This might work within an organization, but will not work very well within a network Trust Domain.
Attribute Based Access Control (ABAC) is where users are given clearances, which at this level are not too much different than roles. The big difference is that these clearances provide access to data based on the attributes of the data. So for example, with the Dietary Staff their clearance may give them access to a subset of observations, where that subset is a list of types of observation.
The use of ABAC in a Consent enables Consent policies to have rules based on things like:
The ultimate use of ABAC is when the data have been classified by the data sensitivity and confidentiality. The classification of data is a hard task, see Security Labeling Service below. However, if data is classified, then the classification can be used in ABAC. Many classification tags systems place the tag in a common place that is independent of the object type. For example in XDS, there is a metadata element confidentialityCode
that can carry the sensitivity and confidentiality classification of the data regardless of the format of the data. In FHIR, there is a meta.security
element that is at the top of all kinds of FHIR resources, that can carry this classification. In both of these cases the Access Control decision and enforcement does not need to look at the kind of the data, it simply looks at the classification.
In a Consent these attribute parameters can enable various consent provisions:
The following list of references is provided as good references to understand the terms and concepts presented here. These references are not required by IHE.
The following are some steps that a domain implementing privacy should consider.
The full scope of privacy policies is potentially infinite. The following are some considerations of obligations and refrains that a Patient Privacy Policy may require of an Access Control Enforcement Point. Where Obligations are activities that must be done, and Refrains are activities that must not be done. Many of these obligations and refrains have been given codes in the HL7 Security Control ValueSets.
Obligation - Security label metadata that segments an IT resource by conveying the mandated workflow action that an information custodian, receiver, or user must perform. For Example: Encrypt, mask, comply with policy Refrain - Security label metadata that segments an IT resource by conveying actions which an information custodian, receiver, or user is not permitted to perform unless otherwise authorized or permitted under specified circumstances. For Example: Do not disclose without consent, no reuse.
Obligations may also be expressed in oAuth scopes such as those defined in SMART-App-Launch.
This section includes explanation of some example scenarios and points at example Consent resources for them. These example scenarios are provided for educational use only, they are not an endorsement of these scenarios.
Some realms only require that the patient be given access to the organizations privacy policy. In these realms, the patient is not given the choice to accept, reject, or change the terms of the privacy policy. The expectation is that the patient can stop the engagement with the healthcare provider if they don’t like the privacy policy (yes, we know this is a fallacy in many situations).
These realms may use the Consent resource to indicate that the ceremony of providing access to the privacy policy has happened, when it happened, who presented the policy, and which version of the policy was presented. The specific version of privacy policy recorded can also be helpful to know when a given patient needs to be presented with the new version of the privacy policy.
active
patient consent
specifically a notice of privacy practices
permit
- given there is no way to deny, this would be fixed at permit.Other elements would not be needed.
Given:
sushi:
Instance: example-notice
InstanceOf: Consent
Title: "Example of a Notice of Privacy Policy"
* status = #active
* category[+] = https://loinc.org#59284-0 "Patient Consent"
* category[+] = http://terminology.hl7.org/CodeSystem/consentcategorycodes#npp
* dateTime = 2022-03-11T12:22
* subject = Reference(Patient/example)
* grantee = Reference(Patient/example)
* grantor = Reference(Practitioner/example-clerk)
* controller = Reference(Organization/f001)
* policyText = Reference(DocumentReference/example-privacy-policy-v1)
* provision.type = #permit
support resources
Instance: example-privacy-policy-v1
InstanceOf: DocumentReference
Title: "Burgers Organization privacy policy"
* status = #current
* docStatus = #final
* type = https://loinc.org#57017-6 "Privacy policy Organization Document"
* category = https://loinc.org#57017-6 "Privacy policy Organization Document"
* content.attachment.contentType = application-pdf
* content.attachment.url = https://example.org/privacy-policy-v1.html
Instance: example-clerk
InstanceOf: Practitioner
Title: "Registration Desk Clerk example"
* active = true
* name.text = "John Moehrke"
Organizations that never allow a patient to be in a deny
mode never need to look at Consent for access-control reasons as there is no difference if the Patient has been given notice or not. In these cases the Consent is there for record keeping only. See Change to opt-out below.
This section covers the most basic of privacy consents, that simply records an acknowledgement to a given privacy policy permitting data sharing. This is only slightly different than the Notice of Privacy Policy, in that with this example, there is some evidence captured from the ceremony. Such as a patient initialing or signing a form indicating they have received the Privacy Policy. Similar to the Notice of Privacy Policy, the Patient is not given a choice to reject or change the terms of the privacy policy. The specific version of privacy policy recorded can also be helpful to know when a given patient needs to be presented with the new version of the privacy policy.
The Consent is the same as with Notice of Privacy Policy with the following additions:
Other elements would not be needed.
Given: the same example attributes as above with the addition of a signed form. Thus the only addition is the sourceReference, which points at a scanned image of the signature in a DocumentReference resource.
sushi:
Instance: example-acknowledge
InstanceOf: Consent
Title: "Example of an acknowledged Notice of Privacy Policy"
* status = #active
* category[+] = https://loinc.org#59284-0 "Patient Consent"
* category[+] = http://terminology.hl7.org/CodeSystem/consentcategorycodes#npp
* dateTime = 2022-03-11T12:22
* subject = Reference(Patient/example)
* grantee = Reference(Patient/example)
* grantor = Reference(Practitioner/example-clerk)
* controller = Reference(Organization/f001)
* policyText = Reference(DocumentReference/example-privacy-policy-v1)
* provision.type = #permit
* sourceReference = Reference(DocumentReference/example-signed-acknowledgement-20220311)
support resources
Instance: example-signed-acknowledgement
InstanceOf: DocumentReference
Title: "Patient Peter James Chalmers signed an acknowledgement of the Privacy Policy"
* status = #current
* docStatus = #final
* type = https://loinc.org#57016-8 "Privacy policy acknowledgement Document"
* content.attachment.contentType = application-pdf
* content.attachment.data = "SGVsbG8gV29ybGQ="
Organizations that never allow a patient to be in a deny
mode never need to look at Consent for access-control reasons as there is no difference if the Patient has signed a consent or not. In these cases the Consent is there for record keeping only. See Change to opt-out below.
This section covers the case where a basic permit has been used, but for some reason the authorization is revoked or rejected. An example might be where the organization does allow the patient to reject a previously permitted action, and the patient has expressed they want to deny sharing now. Another example might be where legal action has happened compelling an organization to revoke the consent.
The example scenario here describes methods where there would be only one Consent on record for a given Patient.
Thus the current status would be simply discoverable by looking for the Consent for a given Patient and checking the .status
element and .provision.type
.
This logic presumes that where no Consent is found, that an implied permit
is the default.
Thus one must look for both the existence of a Consent for the given Patient, and that the Consent.provision.type is permit
.
Alternatives are shown:
.status
to inactive
. When this is done the .lastUpdated
will automatically indicate the date and time this change happened.Consent.status
, the existing Consent would be marked as inactive
same as above, and the AuditEvent and/or Provenance would further indicate the new Consent replaces the old Consent. Shown below using Provenance.Note that at some point after this, the consent may go back to active
. This transition would follow the same process with the .status changes in the other direction.
Alternative 1 is not shown, as it is simply changing the .status.
Given:
example-acknowledge
is revised as Alternative 1
sushi:
Instance: example-change-consent
InstanceOf: Provenance
Title: "Consent revoked"
* target = Reference(Consent/example-acknowledge/_history/2)
* entity.what = Reference(Consent/example-acknowledge/_history/1)
* entity.role = #revision
* dateTime = 2022-03-11T16:56
* activity = http://terminology.hl7.org/CodeSystem/iso-21089-lifecycle#hold
* patient = Reference(Patient/example)
* agent.type = http://terminology.hl7.org/CodeSystem/provenance-participant-type#enterer
* agent.who = Reference(Practitioner/example-lawyer)
Instance: example-lawyer
InstanceOf: Practitioner
Title: "Corporate Lawyer example"
* active = true
* name.text = "David Pyke"
That organizations that never allow a patient to be in a deny
mode never need to look at Consent for access control reasons as there is no difference if the Patient has been given notice, or signed anything.
In these cases, the Consent is there for record keeping only.
With the support for Change to opt-out, there is now a need for access-control to always look for Consent status.
The most simple access-control will simply look for the existence of a Consent, check that it is .status = active
, and that it is .provision.type = deny
; if it is anything else then the access-control rule is that which is represented by the privacy policy.
The above examples were recording blanket agreement or disagreement by a given patient to a given policy. This is not as flexible as the Consent resource can support. The Consent resource can also record deviations and special cases. These are recorded in the .provisions
structure. The root level .provision
simply sets the context as shown above. There is nested .provision
(s) that can exist within the root level .provision
, and even within other nested .provisions
. Each level of nesting would contain the exceptions to the rules set down in the prior level, thus each successive level of nesting reverses the permit
vs deny
. In this way one can encode situations where broad sharing is allowed, but not sharing with Dr. Bob. The following is an example fragment of just the .provision
. Note that the second nested provision is a deny
provision with the only other element populated is the actor.reference of Dr. Bob.
...
* provision.type = #permit
* provision.provision[0].type = #deny
* provision.provision[0].actor[0].reference = Reference(example-dr-bob)
Instance: example-dr-bob
InstanceOf: Practitioner
Title: "Dr. Bob"
* active = true
* name.text = "Dr. Bob"
Each .provision
has elements that describe the setting for that permit
or deny
. Each element within a given .provision
is in an AND relationship with the other elements in that given .provision
. An element that is not populated indicates that for that kind of element there is no constraint. Thus in the above example, the deny
provision for Dr. Bob has none of the other elements in that .provision
filled out, so this means that Dr. Bob is forbidden access regardless of the role
he might take on, or the purpose
of use, or the action
, or the class
of data, or the dataPeriod
timeframe of the data, etc.
Thus to say that Dr. Bob is not to get access to the data, except for patient directed purpose of use; one would have a Deny of all access by Dr. Bob, and a nested Permit of Dr. Bob AND patient directed purpose of use AND normal confidentiality data (not restricted).
...
* provision.type = #deny
* provision.provision[0].type = #permit
* provision.provision[0].actor[0].reference = Reference(example-dr-bob)
* provision.provision[0].purpose = http://terminology.hl7.org/CodeSystem/v3-ActReason#PATRQT "patient requested"
* provision.provision[0].securityLabel = http://terminology.hl7.org/CodeSystem/v3-Confidentiality#N "normal"
Repetitions within an element are in an OR relationship. Thus to say that Dr. Bob is allowed this access, not just patient requested, but also family requested, and power of attorney; one would just put them all as alternatives on the purpose element.
...
* provision.type = #deny
* provision.provision[0].type = #permit
* provision.provision[0].actor[0].reference = Reference(example-dr-bob)
* provision.provision[0].purpose[0] = http://terminology.hl7.org/CodeSystem/v3-ActReason#PATRQT "patient requested"
* provision.provision[0].purpose[1] = http://terminology.hl7.org/CodeSystem/v3-ActReason#FAMRQT "family requested"
* provision.provision[0].purpose[2] = http://terminology.hl7.org/CodeSystem/v3-ActReason#PWATRNY "power of attorney"
* provision.provision[0].securityLabel = http://terminology.hl7.org/CodeSystem/v3-Confidentiality#N "normal"
The provision.period
is used to indicate that this provision is only active during a period of time. This is useful to indicate that Dr. Bob should be denied access until 2024, because I will be moving away from Dr. Bob in 2022.
...
* provision.type = #permit
* provision.provision[0].type = #deny
* provision.provision[0].period.end = 2024
* provision.provision[0].actor[0].reference = Reference(example-dr-bob)
The provision elements are very powerful. We are not going to explain examples of all of them.
The provision.dataPeriod
element is very useful, as it is not uncommon for a patient to remember a timeframe when they had a specifically sensitive healthcare episode. Thus it is easy to give a timeframe, where any data that was authored or last updated within that timeframe would be the context of that provision. The further advantage of this mechanism is that there is no indication of why or what is sensitive; just a timeframe.
For example, deny access to any data authored or last updated in 2018. This will block all data, regardless of what kind of data, or who is asking for the data.
Data may be “Normal” medical data or “Restricted” medical data. The distinction here focused purely on data classification for stigmatizing sensitive topics. The discussion below focuses on FHIR, but the same can apply to Document Sharing metadata confidentiailtyCode
tag.
The various clinical Resources in FHIR are very complex and highly variable. Although Observation is the most often used Resource, sensitive data may exist in ANY other FHIR resource including Allergies, Procedures, CarePlan, Medication, Problems, DiagnosticReport, ImagingStudy, Genetics, etc… By assessing the sensitivity classification and placing that assessment into a well-known location found in all FHIR Resources - .meta.security
, the Access Control does not need to be aware of the kind of FHIR Resource, it can just process the data as a DomainResource and simply look at the .meta.security
element.
The following example fragment shows data tagged with both alcohol use sensitive data and thus that the confidentiality evaluation is Restricted. The complete Observation of Alcohol Use example.
...
* meta.security[+] = http://terminology.hl7.org/CodeSystem/v3-ActCode#ETHUD
* meta.security[+] = http://terminology.hl7.org/CodeSystem/v3-Confidentiality#R
* code = http://loinc.org#74013-4
* valueQuantity = 5 '{wine glasses}/d'
...
The classification of the data may be a manual process, but that is not a very scalable solution. The HL7 Security Workgroup proposes that the classification of data into sensitive topics is the role of the Security Labeling Service (SLS). The SLS inspects the data, and may use the context of the data to identify the sensitivity classification. It is expected that most data will not be considered sensitive, or “Normal”.
Some data are direct and clearly in a sensitive category. But there can be indirect relationships, such as three medications prescribed together are a clear indication of a sensitive category but are not individually sensitive.
Some data may also not be sensitive in the coding, but rather sensitive in the narrative, this would be poor data quality but it is a reality that should be considered. Thus an SLS may need to include some Natural Language Processing to find sensitive human words in narrative.
Some approaches use well-defined ValueSets, where others use a list of words. The list of words can be search across the data without regard for the data structure, which has the benefit of not needing to have the SLS data schema aware. The list of words can be codes, such as SNOMED numeric codes.
When the SLS is executed is a systems design decision. General alternatives are:
Tagging the data as it is created, updated, or imported.
Which has the advantage that the access to the data does not need to assess the data, it just uses the existing sensitivity tag.
This solution is likely to be more performant on use of data, but may not have as accurate sensitivity tags due to the dynamic nature of policies around sensitivity, and dynamic nature of data relationships. This solution also requires that the EHR database support data tags.
Alternative is that the data are temporarily tagged prior to use, thus the sensitivity is freshly determined and used only for that access enforcement.
This solution does not require that the EHR database be updated to support tagging of data, but may incur a performance impact on data use.
One way to understand a very basic SLS is that it looks for clinical codes in the data. It might do this using ValueSets, but likely would need to do this in a more performing way. The following are some examples of ValueSets of codes that when these codes are found within data, that the data could be considered of the identified sensitivity classification. ValueSets like this should not be considered authoritative or stable, as the sensitive classes are dynamic in nature and thus the ValueSets you use would need to be revised on a regular basis. Thus these valueSets might be used as advice, but the content of them needs to be vetted and adjusted to meet current understanding and the practice of medicine within your organization.
Note these ValueSets are also focused on directly identifying codes. These ValueSets do not address when different objects may be normal sensitive alone, but when they appear in a patient record the combination is sensitive. These ValueSets also do not address narrative text that might indicate sensitivity.
For example since these valueSets were originally authored ICD10 and ICD11 codeSystems have been published and are used. Thus the valueSets indicating codes in ICD9 may still find data in historic records, but to catch new data there would need to be codes from ICD10 or ICD11 defined.
The following examples show where the sensitivity tag is maintained.
ETHUD
Given the using the model of “Query/Use enforcement” discussed above. The raw output from a FHIR search would include all observations, and they would not have security tags. That would look like:
This Bundle would then be processed by the SLS and sensitivity and confidentiality tags would be added:
The tagged Bundle would then be processed by the policy enforcement point. In the following example the policy enforcement point is instructed to remove any Alcohol use Disorder information. Thus the first entry would be removed and the total decremented. The result would look like: