STU 3 Ballot
Security and PrivacyThis page is part of the FHIR Specification (v1.6.0: STU 3 Ballot 4). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions 
. Page versions: R5 R4B R4 R3 R2
| Security Work Group | Maturity Level: 1 | Compartments: Device, Patient, Practitioner, RelatedPerson |
Provenance of a resource is a record that describes entities and processes involved in producing and delivering or otherwise influencing that resource. Provenance provides a critical foundation for assessing authenticity, enabling trust, and allowing reproducibility. Provenance assertions are a form of contextual metadata and can themselves become important records with their own provenance. Provenance statement indicates clinical significance in terms of confidence in authenticity, reliability, and trustworthiness, integrity, and stage in lifecycle (e.g. Document Completion - has the artifact been legally authenticated), all of which may impact security, privacy, and trust policies.
The Provenance resource tracks information about the activity that created a version of a resource, including the entities, and agents involved in producing a resource. This information can be used to form assessments about its quality, reliability or trustworthiness, or to provide pointers for where to go to further investigate the origins of the resource and the information in it.
Provenance resources are a record-keeping assertion that gathers information about the context in which the information in a resource was obtained. Provenance resources are prepared by the application that initiates the create/update etc. of the resource. An AuditEvent resource contains overlapping information, but is created as events occur, to track and audit the events. AuditEvent resources are often (though not exclusively) created by the application responding to the read/query/create/update, etc., event.
Many other FHIR resources contain some elements that represent information about how the resource was obtained, and therefore they overlap with the functionality of the Provenance resource. These properties in other resources should always be used in preference to the Provenance resource, and the Provenance resource should be used where additional information is required, though overlap can occur.
The relationship between a resource and it's provenance is established by a reference from the provenance resource to it's target. In this way, provenance may be provided about any resource or version, including past versions. There may be multiple provenance records for a given resource or version of a resource.
The Provenance resource is based on the W3C Provenance specification ,
and mappings are provided. The Provenance resource is tailored to fit the FHIR use-cases for provenance more directly.
In terms of W3C Provenance the FHIR Provenance resources covers "Generation" of "Entity" with
respect to FHIR defined resources for creation or updating;
whereas AuditEvent covers "Usage" of "Entity" and all other "Activity" as defined in W3C Provenance.
The W3C Provenance Specification has the following fundamental model:
Where:
The Provenance resource actually corresponds to a single activity that identifies a set of resources (target) generated by the activity. The activity also references other entities (entity) that were used and the agents (agent) that were associated with the activity. To record multiple activities that resulted in one (target), record each (activity) in independent Provenance records all pointing at that (target).
The Provenance resource depends upon having References to all of the resources, entities, and agents involved in the activity. These References need not be resolvable. The references must provide a unique and ambiguous identification. If a resource, entity, or agent can have different versions that must be identified, then the Reference must have versioning information included.
Versioning and unique identification are not mandated for all systems that provide Resources, entities, and agents. But, inclusion of Provenance requirements may introduce requirements for versioning and unique identification on those systems
This resource is referenced by DeviceUseRequest and DiagnosticRequest
Structure
| Name | Flags | Card. | Type | Description & Constraints |
|---|---|---|---|---|
  Provenance | Σ | DomainResource | Who, What, When for a set of resources | |
  target | Σ | 1..* | Reference(Any) | Target Reference(s) (usually version specific) |
 period | Σ | 0..1 | Period | When the activity occurred |
 recorded | Σ | 1..1 | instant | When the activity was recorded / updated |
| reason | Σ | 0..* | Coding | Reason the activity is occurring PurposeOfUse (Extensible) |
| activity | Σ | 0..1 | Coding | Activity that occurred ProvenanceEventCurrentState (Extensible) |
| location | Σ | 0..1 | Reference(Location) | Where the activity occurred, if relevant |
| policy | Σ | 0..* | uri | Policy or plan the activity was defined by |
 agent | Σ | 1..* | BackboneElement | Actor involved |
 role | Σ | 1..1 | Coding | What the agents involvement was ProvenanceParticipantRole (Extensible) |
| actor | Σ | 0..1 | Reference(Practitioner | RelatedPerson | Patient | Device | Organization) | Individual, device or organization playing role |
| userId | Σ | 0..1 | Identifier | Authorization-system identifier for the agent |
 relatedAgent | Σ | 0..* | BackboneElement | Track delegation between agents |
 type | Σ | 1..1 | CodeableConcept | Type of relationship between agents v3 Code System RoleLinkType (Example) |
| target | Σ | 1..1 | uri | Reference to other agent in this resource by identifier |
| entity | Σ | 0..* | BackboneElement | An entity used in this activity |
| role | Σ | 1..1 | code | derivation | revision | quotation | source | removal ProvenanceEntityRole (Required) |
| type | Σ | 1..1 | Coding | The type of resource in this entity ResourceType (Extensible) |
| reference | Σ | 1..1 | uri | Identity of entity |
| display | Σ | 0..1 | string | Human description of entity |
 agent | Σ | 0..* | see agent | Entity is attributed to this agent |
| signature | Σ | 0..* | Signature | Signature on target |
| Documentation for this format | ||||
UML Diagram (Legend)
XML Template
<Provenance xmlns="http://hl7.org/fhir"><!-- from Resource: id, meta, implicitRules, and language --> <!-- from DomainResource: text, contained, extension, and modifierExtension --> <target><!-- 1..* Reference(Any) Target Reference(s) (usually version specific) --></target> <period><!-- 0..1 Period When the activity occurred --></period> <recorded value="[instant]"/><!-- 1..1 When the activity was recorded / updated --> <reason><!-- 0..* Coding Reason the activity is occurring --></reason> <activity><!-- 0..1 Coding Activity that occurred --></activity> <location><!-- 0..1 Reference(Location) Where the activity occurred, if relevant --></location> <policy value="[uri]"/><!-- 0..* Policy or plan the activity was defined by --> <agent> <!-- 1..* Actor involved --> <role><!-- 1..1 Coding What the agents involvement was --></role> <actor><!-- 0..1 Reference(Practitioner|RelatedPerson|Patient|Device| Organization) Individual, device or organization playing role --></actor> <userId><!-- 0..1 Identifier Authorization-system identifier for the agent --></userId> <relatedAgent> <!-- 0..* Track delegation between agents --> <type><!-- 1..1 CodeableConcept Type of relationship between agents --></type> <target value="[uri]"/><!-- 1..1 Reference to other agent in this resource by identifier --> </relatedAgent> </agent> <entity> <!-- 0..* An entity used in this activity --> <role value="[code]"/><!-- 1..1 derivation | revision | quotation | source | removal --> <type><!-- 1..1 Coding The type of resource in this entity --></type> <reference value="[uri]"/><!-- 1..1 Identity of entity --> <display value="[string]"/><!-- 0..1 Human description of entity --> <agent><!-- 0..* Content as for Provenance.agent Entity is attributed to this agent --></agent> </entity> <signature><!-- 0..* Signature Signature on target --></signature> </Provenance>
JSON Template
{
"resourceType" : "Provenance",
// from Resource: id, meta, implicitRules, and language
// from DomainResource: text, contained, extension, and modifierExtension
"target" : [{ Reference(Any) }], // R! Target Reference(s) (usually version specific)
"period" : { Period }, // When the activity occurred
"recorded" : "<instant>", // R! When the activity was recorded / updated
"reason" : [{ Coding }], // Reason the activity is occurring
"activity" : { Coding }, // Activity that occurred
"location" : { Reference(Location) }, // Where the activity occurred, if relevant
"policy" : ["<uri>"], // Policy or plan the activity was defined by
"agent" : [{ // R! Actor involved
"role" : { Coding }, // R! What the agents involvement was
"actor" : { Reference(Practitioner|RelatedPerson|Patient|Device|
Organization) }, // Individual, device or organization playing role
"userId" : { Identifier }, // Authorization-system identifier for the agent
"relatedAgent" : [{ // Track delegation between agents
"type" : { CodeableConcept }, // R! Type of relationship between agents
"target" : "<uri>" // R! Reference to other agent in this resource by identifier
}]
}],
"entity" : [{ // An entity used in this activity
"role" : "<code>", // R! derivation | revision | quotation | source | removal
"type" : { Coding }, // R! The type of resource in this entity
"reference" : "<uri>", // R! Identity of entity
"display" : "<string>", // Human description of entity
"agent" : [{ Content as for Provenance.agent }] // Entity is attributed to this agent
}],
"signature" : [{ Signature }] // Signature on target
}
Turtle Template
@prefix fhir: <http://hl7.org/fhir/> .
Changes since DSTU2
| Provenance | |
| Provenance.reason | Type changed from CodeableConcept to Coding |
| Provenance.activity | Type changed from CodeableConcept to Coding |
| Provenance.agent | Min Cardinality changed from 0 to 1 |
| Provenance.entity.agent | Max Cardinality changed from 1 to * |
See the Full Difference for further information
Structure
| Name | Flags | Card. | Type | Description & Constraints |
|---|---|---|---|---|
| Provenance | Σ | DomainResource | Who, What, When for a set of resources | |
| target | Σ | 1..* | Reference(Any) | Target Reference(s) (usually version specific) |
| period | Σ | 0..1 | Period | When the activity occurred |
| recorded | Σ | 1..1 | instant | When the activity was recorded / updated |
| reason | Σ | 0..* | Coding | Reason the activity is occurring PurposeOfUse (Extensible) |
| activity | Σ | 0..1 | Coding | Activity that occurred ProvenanceEventCurrentState (Extensible) |
| location | Σ | 0..1 | Reference(Location) | Where the activity occurred, if relevant |
| policy | Σ | 0..* | uri | Policy or plan the activity was defined by |
| agent | Σ | 1..* | BackboneElement | Actor involved |
| role | Σ | 1..1 | Coding | What the agents involvement was ProvenanceParticipantRole (Extensible) |
| actor | Σ | 0..1 | Reference(Practitioner | RelatedPerson | Patient | Device | Organization) | Individual, device or organization playing role |
| userId | Σ | 0..1 | Identifier | Authorization-system identifier for the agent |
| relatedAgent | Σ | 0..* | BackboneElement | Track delegation between agents |
| type | Σ | 1..1 | CodeableConcept | Type of relationship between agents v3 Code System RoleLinkType (Example) |
| target | Σ | 1..1 | uri | Reference to other agent in this resource by identifier |
| entity | Σ | 0..* | BackboneElement | An entity used in this activity |
| role | Σ | 1..1 | code | derivation | revision | quotation | source | removal ProvenanceEntityRole (Required) |
| type | Σ | 1..1 | Coding | The type of resource in this entity ResourceType (Extensible) |
| reference | Σ | 1..1 | uri | Identity of entity |
| display | Σ | 0..1 | string | Human description of entity |
| agent | Σ | 0..* | see agent | Entity is attributed to this agent |
| signature | Σ | 0..* | Signature | Signature on target |
| Documentation for this format | ||||
XML Template
<Provenance xmlns="http://hl7.org/fhir">
JSON Template
{
"resourceType" : "Provenance",
// from Resource: id, meta, implicitRules, and language
// from DomainResource: text, contained, extension, and modifierExtension
"target" : [{ Reference(Any) }], // R! Target Reference(s) (usually version specific)
"period" : { Period }, // When the activity occurred
"recorded" : "<instant>", // R! When the activity was recorded / updated
"reason" : [{ Coding }], // Reason the activity is occurring
"activity" : { Coding }, // Activity that occurred
"location" : { Reference(Location) }, // Where the activity occurred, if relevant
"policy" : ["<uri>"], // Policy or plan the activity was defined by
"agent" : [{ // R! Actor involved
"role" : { Coding }, // R! What the agents involvement was
"actor" : { Reference(Practitioner|RelatedPerson|Patient|Device|
Organization) }, // Individual, device or organization playing role
"userId" : { Identifier }, // Authorization-system identifier for the agent
"relatedAgent" : [{ // Track delegation between agents
"type" : { CodeableConcept }, // R! Type of relationship between agents
"target" : "<uri>" // R! Reference to other agent in this resource by identifier
}]
}],
"entity" : [{ // An entity used in this activity
"role" : "<code>", // R! derivation | revision | quotation | source | removal
"type" : { Coding }, // R! The type of resource in this entity
"reference" : "<uri>", // R! Identity of entity
"display" : "<string>", // Human description of entity
"agent" : [{ Content as for Provenance.agent }] // Entity is attributed to this agent
}],
"signature" : [{ Signature }] // Signature on target
}
Turtle Template
@prefix fhir: <http://hl7.org/fhir/> .
Changes since DSTU2
| Provenance | |
| Provenance.reason | Type changed from CodeableConcept to Coding |
| Provenance.activity | Type changed from CodeableConcept to Coding |
| Provenance.agent | Min Cardinality changed from 0 to 1 |
| Provenance.entity.agent | Max Cardinality changed from 1 to * |
See the Full Difference for further information
Alternate definitions: Master Definition (XML, JSON), XML Schema/Schematron (for ) + JSON Schema, ShEx (for Turtle)
| Path | Definition | Type | Reference |
|---|---|---|---|
| Provenance.reason | The reason the activity took place. | Extensible | PurposeOfUse |
| Provenance.activity | The activity that took place. | Extensible | ProvenanceEventCurrentState |
| Provenance.agent.role | The role that a provenance agent played with respect to the activity. | Extensible | ProvenanceParticipantRole |
| Provenance.agent.relatedAgent.type | Type of relationship between two provenance agents. | Example | v3 Code System RoleLinkType |
| Provenance.entity.role | How an entity was used in an activity. | Required | ProvenanceEntityRole |
| Provenance.entity.type | The type of an entity used in an activity. | Extensible | ResourceType |
The Provenance resource identifies information about another resource (the reference element). The Provenance resource may be used in several different ways:
When used in a document bundle, the references are often not explicitly versioned, but they always implicitly pertain to the version of the resource found in the document. On a RESTful system, the target resource reference should be version specific, but this requires special care: For new resources that need to have a corresponding Provenance resource, the version-specific reference is often not knowable until after the target resource has been updated. This can create an integrity problem for the system - what if the Provenance resource cannot be created after the target resource has been updated? To avoid any such integrity problems, the target resource and the Provenance resources should be submitted as a pair using a transaction.
The Provenance resource includes a signature element (digital signature) which can be used for standards based integrity verification and non-repudiation purposes. The Signature datatype provides details on use of the signature element. The Signature.type coded value of "Source" should be used when the signature is for simply proving that the resource content is the same as it was when the resource was updated or created.
Because the Provenance resource often refers to parties that are not represented as FHIR resources, agent and entity references are allowed to be either references to other resources, or they can refer to other entities that are not FHIR resources.
For Provenance.agent, the actor element is used to reference an existing resource. To reference an entity that is not a FHIR resource, the userId element is used.
A version specific reference to a FHIR resource on the same server:
<agent>
<actor>
<reference value="Patient/34/_history/3"/>
</actor>
</agent>
A reference to a user (a person) not represented by a FHIR resource:
<agent>
<userId>
<value value="http://acme.com/users/34"/>
</userId>
</agent>
For Provenance.entity, the code in the .type element is used to differentiate between the two cases: if the code is in the system "http://hl7.org/fhir/resource-types", then the reference is to a resource, and the element reference functions exactly the same as in a resource reference.
A version specific reference to a FHIR resource on the same server:
<entity>
<type>
<system value="http://hl7.org/fhir/resource-types"/>
<code value="Patient"/>
</type>
<reference value="Patient/34/_history/3"/>
</entity>
In effect, this is the same pattern as a standard resource reference, but the type becomes extensible to allow referencing other kinds of resources.
A reference to a entity (a person) not represented by a FHIR resource:
<entity>
<type>
<system value="http://hl7.org/fhir/provenance-participant-type"/>
<code value="person"/>
</type>
<reference value="http://acme.com/users/34"/>
</entity>
One subtle issue with the use of the Provenance resource is to differentiate between whether the reference is to the resource itself, or whether the the reference is to the real world thing that the resource represents, e.g. was it the person involved in the activity, or the record of the person. For agents, it should be understood that the reference is to the real world thing that the resource represents.
A Provenance record can be recorded to indicate who Deleted a Resource. If versioning is supported, the version that was deleted is referenced in Provenance.target; if versioning is not supported then Provenance.target contains the non-version reference. Provenance.entity is not used unless there is a business requirement to do so.
Search parameters for this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.
| Name | Type | Description | Paths |
| agent | reference | Individual, device or organization playing role | Provenance.agent.actor (Practitioner, Organization, Device, Patient, RelatedPerson) |
| end | date | End time with inclusive boundary, if not ongoing | Provenance.period.end |
| entity | uri | Identity of entity | Provenance.entity.reference |
| entity-type | token | The type of resource in this entity | Provenance.entity.type |
| location | reference | Where the activity occurred, if relevant | Provenance.location (Location) |
| patient | reference | Target Reference(s) (usually version specific) | Provenance.target (Patient) |
| sig | token | Indication of the reason the entity signed the object(s) | Provenance.signature.type |
| start | date | Starting time with inclusive boundary | Provenance.period.start |
| target | reference | Target Reference(s) (usually version specific) | Provenance.target (Any) |
| userid | token | Authorization-system identifier for the agent | Provenance.agent.userId |
© HL7.org 2011+. FHIR STU3 Ballot (v1.6.0-9663) generated on Thu, Aug 11, 2016 17:07+1000. QA Page
Links: Search |
Version History |
Table of Contents |
Compare to DSTU2 |
|
Propose a change