This page is part of the PACIO Re-Assessment Timepoints Implementation Guide (v1.0.0: STU 1) based on FHIR R4. This is the current published version in its permanent home (it will always be available at this URL). For a full list of available versions, see the Directory of published versions
Security and Privacy
General Considerations
Implementation of the Re-Assessment Timepoints IG involves communication of patient-specific clinical information across multiple parties, which requires proper security and privacy protections to avoid malicious or unintentional exposure of such information. All exchange of data under this IG must be appropriately secured in transit and have access limited only to authorized individuals, which may include the person the information is about, that person’s caregivers, payers paying for the associated services, or other individuals or entities who have permission to use the information.
Security Considerations and Guidance
All implementers of the Re-Assessment Timepoints IG SHOULD follow the FHIR® Security guidance, Security and Privacy Module, the FHIR® Implementer’s Safety Checklist guidance as defined in the FHIR® standard, and US Core security recommendations where applicable and not otherwise superseded by this Section of the Re-Assessment Timepoints IG.
- The FHIR® Security specification provides guidance related to communication security, authentication, authorization/access control, audit, digital signatures, attachments, labels, narrative, and input validation. The FHIR® security specification is available here.
- The FHIR® Security and Privacy Module describes access control and authorization considerations to protect a FHIR® server, how to document permissions granted, and how to keep records of performed events. The FHIR® Security and Privacy Module is available here.
- The FHIR® Implementer’s Safety Checklist helps implementers be sure that they have considered all the parts of FHIR® that impact their system design regarding safety. The FHIR® Implementer’s Safety Checklist is available here.
- The US Core IG provides specific requirements and guidance for US Realm IGs around security, privacy, and auditing. The US Core IG is available here.
Security Requirements
For the purposes of the Re-Assessment Timepoints IG, additional security conformance requirements are as follows:
Exchange Security
- In order to protect sensitive patient data while in transit between systems, the exchange of information using the Re-Assessment Timepoints IG SHALL support Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246) or a more recent version of TLS for transport layer security.
- Server implementations that expect to support browser-based JavaScript applications SHOULD enable Cross-Origin Resource Sharing (CORS) for REST operations. See the Communications section of the FHIR® security page for additional details and recommendations on safely enabling CORS.
Authentication and Authorization
To prevent unauthorized access to sensitive data, implementers SHALL use at least one of the following:
- The security requirements from the US Core Implementation Guide,
- The SMART on FHIR® App Launch Framework,
- SMART on FHIR® Backend Services,
- Mutually authenticated TLS, or
- Unified Data Access Profiles (UDAP) recommended by the ONC FHIR® At Scale Taskforce (FAST) security tiger team.
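As an added illustration (not part of the IG), the following Python sketch shows a server TLS configuration that satisfies the TLS 1.2 minimum under Exchange Security and the mutually authenticated TLS option above, next to a non-conformant configuration and a check that tells them apart. The function names and the certificate file names in the comments are assumptions made for this example.

```python
import ssl

def build_server_context(mutual_tls: bool = False) -> ssl.SSLContext:
    """Server-side context meeting the exchange requirement: TLS 1.2 or newer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0, TLS 1.1
    if mutual_tls:
        # Mutually authenticated TLS: the handshake fails unless the client
        # presents a certificate that chains to a CA this server trusts.
        ctx.verify_mode = ssl.CERT_REQUIRED
    # In a deployment, load key material here (constructed placeholder names):
    #   ctx.load_cert_chain("server.crt", "server.key")
    #   ctx.load_verify_locations("trusted-client-ca.pem")  # mutual TLS only
    return ctx

def legacy_server_context() -> ssl.SSLContext:
    """Non-conformant counterpart: accepts any version the TLS library still offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def audit_context(ctx: ssl.SSLContext, mutual_tls: bool = False) -> list:
    """Return findings for the two settings this example covers."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is below TLS 1.2")
    if mutual_tls and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate is not required")
    return findings

if __name__ == "__main__":
    cases = [
        ("hardened, mutual TLS", build_server_context(mutual_tls=True), True),
        ("hardened, server-auth only", build_server_context(), True),
        ("legacy", legacy_server_context(), False),
    ]
    for name, ctx, expects_mtls in cases:
        print(name, "->", audit_context(ctx, expects_mtls) or "no findings")
```

The audit covers only the protocol floor and the client-certificate requirement; token-based options such as SMART on FHIR® or UDAP are enforced at the application layer and are outside this check.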