This page is part of the Structured Data Capture FHIR IG (v4.0.0-ballot: STU 4 Ballot 1) based on FHIR (HL7® FHIR® Standard) R4. The current version which supersedes this version is 3.0.0. For a full list of available versions, see the Directory of published versions
Page standards status: Informative |
Contents:
Some of the SDC transactions make use of patient-specific information. Even those that merely retrieve empty forms could be abused by malicious actors to corrupt the form - resulting in the potential subsequent exposure of patient data. For this reason, all SDC transactions must be appropriately secured with access limited to authorized individuals, data protected while in transit and appropriate audit measures taken.
Implementers should be aware of the security considerations associated with FHIR transactions, particularly those related to:
For the purposes of SDC, security conformance rules are as follows:
Secure Channel
In some cases, the recipient of a completed QuestionnaireResponse may require that the response be accompanied by additional information about the creation of the QuestionnaireResponse such as:
In FHIR, such information is represented using a Provenance or, more rarely an AuditEvent. (Audit is typically managed by the server and client locally or by a shared service that does not store the clinical information.) However, because this information is intrinsically tied to the QuestionnaireResponse instance, it needs to be conveyed alongside that instance as a single unit of work. This can be accomplished by mechanisms outside the scope of this implementation guide by using FHIR messages or FHIR documents. However, within the scope of this implementation guide, communicating both records together is accomplished in one of two ways:
X-Provenance
as described in the core
specification here.
Provenance.entity.reference
or AuditEvent.object.reference
The SDC workflow envisions the sharing of patient-identifiable healthcare information from SDC Form Filler systems to SDC Form Manager. It also envisions transmitting completed forms from SDC Form Filler to SDC Form Receiver systems. Where such exchanges take place across organizational or other custodial boundaries, patient consent may be required. Furthermore, the use of data for completing questionnaires for purposes unrelated to the initial gathering data may also require patient consent. It is the responsibility of the client systems to ensure that any necessary consent records exist and are reviewed prior to each exchange of patient-identifiable healthcare information. This verification SHOULD be logged in the same manner as other transactions, as discussed above under General Security Considerations.
When communicating RESTfully, AuditEvent and Provenance resources are typically submitted separately from the resource versions they're manipulating. This is for a couple of reasons:
In environments where the submission of audit and/or provenance information must be performed as part of a single unit of work, this should be done using transaction. Provenance information can be retrieved along with a QuestionnaireResponse using the _revinclude query parameter.
When populating a form from existing data, there is no expectation for consent to pass data to the form or for the form to query information where the user filling out the form would normally have access to such data. (The population mechanism merely saves the effort of looking it up manually and copying it across.) However, population does raise two important privacy/security considerations:
QuestionnaireResponses associated with an individual will generally have a subject
that will establish the 'compartment' the data belongs to and control
who has access to that QuestionnaireResponse and what consents or business rules, if any, apply when evaluating requests for access to that record. For example,
if QuestionnaireResponse.subject is set to a specific patient, then that record will be 'protected' by all of the rules that apply to accessing that particular
patient's data. However, QuestionnaireResponse.subject is optional, and there are some situations where a QuestionnaireResponse will contain information that is
patient or provider-identifiable and even sensitive, but will not yet have a QuestionnaireResponse.subject. For example, some workflows might involve filling out a
Questionnaire where the Form Filler isn't aware of the subject record to link to. Alternatively, a QuestionnaireResponse might be used to capture initial
registration information before the appropriate Patient or Practitioner instance has even been created.
Because of this, systems must be extremely careful around allowing access to QuestionnaireResponses with no specified subject. Some might be completely fine to share and access widely, while others might contain extremely sensitive information. It might be necessary to make use of security tags or other mechanisms to assert and manage the sensitivity of such records.