Da Vinci Unsolicited Notifications Implementation Guide (Release 0.2.0 STU1 Ballot)

This page is part of the Da Vinci Unsolicited Notifications (v0.2.0: STU 1 Ballot 1) based on FHIR R4. The current version, which supersedes this version, is 1.0.0. For a full list of available versions, see the Directory of published versions.

Security and Privacy

To be responsible stewards of data, we will need to follow the data governance laws around sensitive conditions. Sensitive conditions are defined to support masking of clinical data to protect consumers' privacy, and they are subject to special disclosure rules that govern the distribution of data to external parties.

The FHIR Security and Privacy Module describes how to protect a patient's privacy through de-identification, pseudonymization, and anonymization. FHIR does not mandate a single technical approach to security and privacy; rather, the specification provides a set of building blocks that can be applied to create secure, private systems.

The Da Vinci project is actively seeking input on security approaches and expectations for authentication and authorization between Senders and Receivers of sensitive patient data (e.g., will TLS, mutual TLS, OAuth, etc. be required to interoperate?). There are several implementation guides and ongoing initiatives to address these issues including:

Once an approach has been agreed upon, it will be documented in the Da Vinci Health Record Exchange (HRex) Implementation Guide.