This page is part of the Standard Personal Health Record (v1.0.0-ballot: STU1 Ballot 1) based on FHIR (HL7® FHIR® Standard) R4. . For a full list of available versions, see the Directory of published versions
Once an encrypted Personal Health Record is generated, that has been cryptographically signed, patients, clinicians, and others may have an interest in correcting, amending, or annotating the record, without breaking the cryptographic signature. The SPHR standard offers the Annotation functionality for such cases.
Some patient summary distribution systems are focusing on retaining the document so that the patient doesn't keep their own copy, while other systems are focused on getting the IPS to the patient directly, either by push or pull.
If a patient doesn't actually get their health record or patient summary, and instead receive only a token to it such as a QR code or URL, what exactly do they get?
If would be good to have a consistent workflow around IPS handling whether the document is held directly by the patient or not.
Patients will need software support for managing their patient summaries. The software will have concerns around:
Furthermore, consultation with patients brings forward a very clear requirement indeed: if we're going to pass the summary on, we need to be able to comment on it, or correct it. Most clinical records contain inaccuracies, or information that a patient wishes to clarify or extend because the summary is too brief or too clinical. A patient may (should) hesitate to pass on a patient summary containing information. For this reason, the IPS infrastructure needs to make allowance for patient corrections to the summary.
On the other hand, not all patient corrections will be correct or appropriate, or even well-meaning. It is of critical importance for clinical practice to know whether the information that a clinician is presented is patient sourced, or from a clinician, and if so, who, and whether it is reliable.
It's easy to sign documents such that it's digitally provable that the document has not been changed since it was created, but equally, integrating information between different information contexts requires transformation of coded values, record identity, and even language translation, and none of those are compatible with digital signatures (it's for this reason that digital signatures are associated with past information).
One of the key challenges IPS adoption faces is how the transformation requirements that interoperability imposes with the integrity requirements clinicians identity, while allowing patients to manage information that they believe is wrong or unclear in context.
This specification describes a wrapper format for an IPS document that treats the IPS as a series of versions of the same document, each of which is able to be digitally signed, and a mix of human and algorithmic approaches can ensure integrity from beginning to end.
An PHR annotation is a .zip file that contains the SPHR file, along with a file manifest.json that describes the contents of the package. The package may contain more than one version of the IPS, along with associated supporting collateral - attachments, stylesheets and branding information. In addition the document may be signed or encrypted.
The file manifest.json always contains two properties:
format
: a fixed string that specifies the version of the wrapper. Current value: ips-wrapper/1
description
: A short label that describes the content that may be used when describing the document in a user interface. This should not include any patient specific information. A typical value would be "Patient Summary from Good Health Hospital". Note that not all institutions should be named e.g. specialist clinical services such as reproductive or mental health should not be namedThe manifest file may contain a combination of three additional properties:
encrypted
: a JSON Web encrypted string that contains the actual IPS, keyed to a user provided pass-phrase. When successfully decrypted, it contains another PHR Annotation.versions
: A list of JSON objects describing the versions of the IPS contained in the wrapper. Note that all the IPS documents are different versions of the same IPSattachments
: A list JSON objects describing attachments to the IPSThe mainfest will contain either encrypted
or versions
, but not both. The encrypted wrapper may
contain unencrypted attachments; these are combined with the encrypted attachments.
The PHR annotation SHALL not contain any files not described in the manifest.
When encrypted, the content is contained as a JWE encrypted string. Encryption is performed using JOSE JWE compact serialization with "alg": "dir" and "enc": "A256GCM", as is done for SHLinks. The key for decryption is generated from a patient provided passphrase using the following procedure:
Each version of the IPS represented in the manifest is a JSON object with the following properties:
source
(required): a url that references the source of this version of the IPS. The reference may be relative, in which case it is a reference to a file contained in the PHR annotation, or it might an absolute URL that references the location of the IPS in some storage service. The following URL protocols are allowed: https or shlink:. Authentication may be required; if so, it should be conformant with the IPA specification (https) or conform to the Smart Health Links Specificationdate
(required): Epoch seconds at the time at which this version was createdkind
(required): what kind of version of the IPS this is. Allowed values:
original
: The originally produced IPS from the source clinical systemtransform
: A post-production algorithm transform of the IPS. (see below for transform details)annotation
: The same IPS, but with additional annotations added (usually by a patient, but it doesn't have to be)agent
(required): A human readable label for the agency (organization) that produced the document e.g. "Good Health Clinic System",signature
(optional): A SHC based verifiable credential, but where the fhirBundle is not provided, it is assumed to be whatever is in source
transform
(depends): If kind=transform or annotation, required details about the transform. The transform property is a JSON object with two properties:
source
(optional) : A url that references the source of this transform. If present, it SHALL be equal to the source value of one of the other versions in the wrapperrecode
- original codes (e.g. clinical codes - problems, medications) were changed to internationally conformant codesre-id
- the resource identities were changed (to align to a secondary data repository)translate
- the language was translated (where possible/appropriate)shrink
- attachments were reduced in size (usually by reducing their resolution)annotate
- An annotation section was added at the top of the documentAnnotation: if kind = annotation, then this is a claim that an agent (usually a human, most often the patient) added a correction/clarification section at the start of the IPS where the patient (usually), clarifies or corrects information found in the rest of the document (see above). Authoring software SHALL not allow the patient to correct information found in the other sections, and the document should be identical with regard to other sections (this can be verified by removal of the top-most (first) annotation section; the document should be identical, to the point of maintaining digital signature)
The default version to display is the most recent, though displaying software should display the kind clearly along with the document, and may let users choose other versions.
Each attachment represented in the manifest is a JSON object with the following properties:
source
(required): A url that references the attachment. The reference may be relative, in which case it is a reference to a file contained in the PHR annotation, or it might an absolute URL that references the location of the attachment in some storage service. The following protocols are allowed: https, http. Authentication SHALL not be required to access the attachmentcontentType
(required): the mime type of the attachmentkind
(required): the purpose of the attachment. One of the following values:
icon
: an image of size 32x32 or 64x64 that is recommended to use when displaying this IPS in a list of known IPS documentsbrand
: a FHIR bundle that represents the brand of the source (as defined by smart-app-launch)attachment
: a file that is referred to from the narrative or data of the IPS. Typically, an image, video, or pdfstylesheet
: A CSS stylesheet that may be used when rendering the IPSauthor-image
: a plain text representation or image of the content that the original author saw and signed (for legal non-repudiation reasons)when an IPS encryption wrapper contains an attachment, and the unecryption of it contains an attachment with the same name, the encrpyted attachment takes precedence
A valid way to send an IPS is as a PDF (signed or not) that contains a file attachment named 'patient-summary.ips.zip'. This way, any device that supports PDF (almost all of them) can display the PDF, and the data attachment may be accessed by IPS aware software