Da Vinci Clinical Data Exchange (CDex)
2.0.0-preview - CI Build United States of America flag

Da Vinci Clinical Data Exchange (CDex), published by HL7 International - Patient Care Work Group. This is not an authorized publication; it is the continuous build for version 2.0.0-preview). This version is based on the current content of https://github.com/HL7/davinci-ecdx/ and changes regularly. See the Directory of published versions

Signatures

Data Consumers such as a Payer may require signatures from a Data Source to attest to the information being exchanged. For example, for a Centers for Medicare and Medicaid Services (CMS) worker to adequately review a Provider’s claim, the submitted information needs to be signed.12 In direct query transactions where there is no human intervention, Data Consumers may require signatures from Data Source attesting that they supplied the information. To comply with these signature requirements, this page documents how to create and verify FHIR Digital Signatures when using CDex Transactions.

The Signer

As illustrated in the table below, the signatory depends on the transaction. For synchronous or automated transactions it is a system-level signature, for asynchronous transactions involving a human it is a provider signature.

  Direct Query Task Based Query Attachments
System Level X X  
Human Provider   X X

System-level and provider signatures represent different levels of attestation:

  • The signature represents a provider signature attesting that the information is true and accurate to the best of their knowledge.*
  • The signature representing the sending system is a system-level attestation by the sending organization that they supplied the information and it is a complete and accurate representation of the shareable information available from that system meeting the requested criteria. This signature does NOT attest that the information itself is accurate because the system can’t make that determination.*

* Consult with your Payer and your legal team for questions regarding legal liability associated with sharing and signing data.

What is Signed?

The data returned in CDEX is not limited to FHIR resources, but may also include C-CDA documents, pdfs, text files, and other types of data. Depending on the data type and format returned, the signature may be in the actual payload or a FHIR Signature in the Bundle that envelopes the payload. The following table summarizes what artifacts are signed:

Data Type Returned Location of Signature
Non-FHIR data formats attached to or referenced by DocumentReference (e.g., CCDA) Referenced or attached data
FHIR Documents (e.g., CCDA on FHIR, Task-based request*, Unsolicited Attachment*) Document Bundle
FHIR Search Bundle (e.g., a query response) Search Bundle
Combination of above (e.g., FHIR Search Bundle, FHIR Documents, and/or binary files referenced by DocumentReference) Combination of Above

* A signed FHIR Document is sent for task-based requests and attachments transactions when the artifact would otherwise, if unsigned, be individual FHIR resources.

The details for how to indicate the signature requirement and how to respond with signed transactions are documented in the corresponding sections on signatures for FHIR RESTful queries, Task based requests and Sending and Requesting.

Requirements for using FHIR Signatures to sign a Bundle with electronic or digital signatures are documented in the sections below. For guidance on signing other types of documents such as CDA or CCDA on FHIR documents refer to their specifications.

CDex Signature Bundle Profile

Signatures in CDex are defined as an enveloped signature. The FHIR Bundle is the envelope. The Bundle.signature element is used for signing the document or payload. This Bundle profile enforces the various elements of signature documented in the CDex guide. It adds the following mandatory (min=1) constraints:

  • A Bundle.signature element representing the enveloped signature
  • A Bundle.signature.type fixed to ASTM Standard, E1762-95(2013) code = “1.2.840.10065.1.12.1.5” (Verification Signature)
  • A Bundle.signature.who for the organization or practitioner who signed the Bundle which is either:
    1. a reference to US-Core Practitioner, PractitionerRole or Organization or
    2. an NPI or Tax ID and name of the organization or practitioner
  • A Bundle.signature.data representing base64 encoded JWS-Signature

In addition, the following mandatory (min=1) element is inherited from the base standard:

  • Bundle.signature.when - system timestamp when the signature was created

See the CDex Task Attachment Request Profile formal definition for further details.

Electronic Signatures

The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.3

The various forms of electronic signatures include:

  • a typed-out name
  • a graphical image that represents a handwritten signature
  • a digitized handwritten signature
  • digital signature using encryption technology

This guide provides specific guidance on how to implement digital signatures in the following sections. Specific guidance for other types of electronic signatures is an implementation detail that is out of scope for this guide.

Electronic Signature Example

In this example, a Bundle.signature is added to a FHIR Document. The electronic signature is a JPG Image that represents this handwritten signature:

jh-signature.jpg


{
  "resourceType" : "Bundle",
  "id" : "cdex-electronic-sig-example",
  "meta" : {
    "extension" : [
      {
        "url" : "http://hl7.org/fhir/StructureDefinition/instance-name",
        "valueString" : "CDEX Document with Electronic Signature Example"
      },
      {
        "url" : "http://hl7.org/fhir/StructureDefinition/instance-description",
        "valueMarkdown" : "Electronic signature example showing how an image file can be used to sign a document Bundle.  The CDEX use case would be the target resource in response to a Task-based request where an electronic signature was required.  If no signature was required, the response would typically be in the form of an individual resource."
      }
    ],
    "lastUpdated" : "2021-10-25T20:16:29-07:00",
    "profile" : [
      "http://hl7.org/fhir/us/davinci-cdex/StructureDefinition/cdex-signature-bundle"
    ]
  },
  "identifier" : {
    "system" : "urn:ietf:rfc:3986",
    "value" : "urn:uuid:c173535e-135e-48e3-ab64-38bacc68dba8"
  },
  "type" : "document",
  "timestamp" : "2021-10-25T20:16:29-07:00",
  "entry" : [
    {
      "fullUrl" : "urn:uuid:17a80a8d-4cf1-4deb-a1fd-2db1130e5f76",
      "resource" : {
        "resourceType" : "Composition",
        "id" : "17a80a8d-4cf1-4deb-a1fd-2db1130e5f76",
        "text" : {
          "status" : "generated",
          "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><p><b>Generated Narrative: Composition</b><a name=\"17a80a8d-4cf1-4deb-a1fd-2db1130e5f76\"> </a></p><div style=\"display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%\"><p style=\"margin-bottom: 0px\">Resource Composition \"17a80a8d-4cf1-4deb-a1fd-2db1130e5f76\" </p></div><p><b>status</b>: final</p><p><b>type</b>: Medical records <span style=\"background: LightGoldenRodYellow; margin: 4px; border: 1px solid khaki\"> (<a href=\"https://loinc.org/\">LOINC</a>#11503-0)</span></p><p><b>encounter</b>: <a href=\"#Encounter_5ce5c83a-000f-47d2-941c-039358cc9112\">See above (urn:uuid:5ce5c83a-000f-47d2-941c-039358cc9112: Example Encounter)</a></p><p><b>date</b>: 2021-10-25 08:16:29-0700</p><p><b>author</b>: <a href=\"#Practitioner_0820c16d-91de-4dfa-a3a6-f140a516a9bc\">See above (urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc: Example Practitioner)</a></p><p><b>title</b>: Active Conditions</p><h3>Attesters</h3><table class=\"grid\"><tr><td>-</td><td><b>Mode</b></td><td><b>Time</b></td><td><b>Party</b></td></tr><tr><td>*</td><td>legal</td><td>2021-10-25 08:16:29-0700</td><td><a href=\"#Practitioner_0820c16d-91de-4dfa-a3a6-f140a516a9bc\">See above (urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc: Example Practitioner)</a></td></tr></table></div>"
        },
        "status" : "final",
        "type" : {
          "coding" : [
            {
              "system" : "http://loinc.org",
              "code" : "11503-0"
            }
          ],
          "text" : "Medical records"
        },
        "subject" : {
          "reference" : "urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece",
          "display" : "Example Patient"
        },
        "encounter" : {
          "reference" : "urn:uuid:5ce5c83a-000f-47d2-941c-039358cc9112",
          "display" : "Example Encounter"
        },
        "date" : "2021-10-25T20:16:29-07:00",
        "author" : [
          {
            "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
            "display" : "Example Practitioner"
          }
        ],
        "title" : "Active Conditions",
        "attester" : [
          {
            "mode" : "legal",
            "time" : "2021-10-25T20:16:29-07:00",
            "party" : {
              "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
              "display" : "Example Practitioner"
            }
          }
        ],
        "section" : [
          {
            "title" : "Active Condition 1",
            "entry" : [
              {
                "reference" : "urn:uuid:014a68ec-d691-49e0-b980-91b0d924e570"
              }
            ]
          }
        ]
      }
    },
    {
      "fullUrl" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
      "resource" : {
        "resourceType" : "Practitioner",
        "id" : "0820c16d-91de-4dfa-a3a6-f140a516a9bc",
        "meta" : {
          "lastUpdated" : "2013-05-05T16:13:03Z"
        },
        "text" : {
          "status" : "generated",
          "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><p><b>Generated Narrative: Practitioner</b><a name=\"0820c16d-91de-4dfa-a3a6-f140a516a9bc\"> </a></p><div style=\"display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%\"><p style=\"margin-bottom: 0px\">Resource Practitioner \"0820c16d-91de-4dfa-a3a6-f140a516a9bc\" Updated \"2013-05-05 04:13:03+0000\" </p></div><p><b>identifier</b>: id: 9941339108</p><p><b>name</b>: John Hancock </p></div>"
        },
        "identifier" : [
          {
            "system" : "http://hl7.org/fhir/sid/us-npi",
            "value" : "9941339108"
          }
        ],
        "name" : [
          {
            "family" : "Hancock",
            "given" : [
              "John"
            ]
          }
        ]
      }
    },
    {
      "fullUrl" : "urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece",
      "resource" : {
        "resourceType" : "Patient",
        "id" : "970af6c9-5bbd-4067-b6c1-d9b2c823aece",
        "text" : {
          "status" : "generated",
          "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><p><b>Generated Narrative: Patient</b><a name=\"970af6c9-5bbd-4067-b6c1-d9b2c823aece\"> </a></p><div style=\"display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%\"><p style=\"margin-bottom: 0px\">Resource Patient \"970af6c9-5bbd-4067-b6c1-d9b2c823aece\" </p></div><p><b>active</b>: true</p><p><b>name</b>: CDEX Example Patient</p></div>"
        },
        "active" : true,
        "name" : [
          {
            "text" : "CDEX Example Patient",
            "family" : "Patient",
            "given" : [
              "CDEX Example"
            ]
          }
        ]
      }
    },
    {
      "fullUrl" : "urn:uuid:014a68ec-d691-49e0-b980-91b0d924e570",
      "resource" : {
        "resourceType" : "Condition",
        "id" : "014a68ec-d691-49e0-b980-91b0d924e570",
        "text" : {
          "status" : "generated",
          "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><p><b>Generated Narrative: Condition</b><a name=\"014a68ec-d691-49e0-b980-91b0d924e570\"> </a></p><div style=\"display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%\"><p style=\"margin-bottom: 0px\">Resource Condition \"014a68ec-d691-49e0-b980-91b0d924e570\" </p></div><p><b>identifier</b>: id: 1</p><p><b>clinicalStatus</b>: Active <span style=\"background: LightGoldenRodYellow; margin: 4px; border: 1px solid khaki\"> (<a href=\"http://terminology.hl7.org/4.0.0/CodeSystem-condition-clinical.html\">Condition Clinical Status Codes</a>#active)</span></p><p><b>category</b>: Problem <span style=\"background: LightGoldenRodYellow; margin: 4px; border: 1px solid khaki\"> (<a href=\"https://browser.ihtsdotools.org/\">SNOMED CT</a>#55607006; <a href=\"https://loinc.org/\">LOINC</a>#75326-9)</span></p><p><b>code</b>: Type 2 Diabetes Mellitus <span style=\"background: LightGoldenRodYellow; margin: 4px; border: 1px solid khaki\"> (<a href=\"https://browser.ihtsdotools.org/\">SNOMED CT</a>#44054006)</span></p><p><b>subject</b>: <a href=\"#Patient_970af6c9-5bbd-4067-b6c1-d9b2c823aece\">See above (urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece)</a></p><p><b>onset</b>: 2006</p><p><b>asserter</b>: <a href=\"#Practitioner_0820c16d-91de-4dfa-a3a6-f140a516a9bc\">See above (urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc)</a></p></div>"
        },
        "identifier" : [
          {
            "system" : "urn:oid:1.3.6.1.4.1.22812.4.111.0.4.1.2.1",
            "value" : "1"
          }
        ],
        "clinicalStatus" : {
          "coding" : [
            {
              "system" : "http://terminology.hl7.org/CodeSystem/condition-clinical",
              "code" : "active"
            }
          ]
        },
        "category" : [
          {
            "coding" : [
              {
                "system" : "http://snomed.info/sct",
                "code" : "55607006",
                "display" : "Problem"
              },
              {
                "system" : "http://loinc.org",
                "code" : "75326-9",
                "display" : "Problem"
              }
            ]
          }
        ],
        "code" : {
          "coding" : [
            {
              "system" : "http://snomed.info/sct",
              "code" : "44054006",
              "display" : "Type 2 Diabetes Mellitus"
            }
          ]
        },
        "subject" : {
          "reference" : "urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece"
        },
        "onsetDateTime" : "2006",
        "asserter" : {
          "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc"
        }
      }
    },
    {
      "fullUrl" : "urn:uuid:5ce5c83a-000f-47d2-941c-039358cc9112",
      "resource" : {
        "resourceType" : "Encounter",
        "id" : "5ce5c83a-000f-47d2-941c-039358cc9112",
        "text" : {
          "status" : "generated",
          "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><p><b>Generated Narrative: Encounter</b><a name=\"5ce5c83a-000f-47d2-941c-039358cc9112\"> </a></p><div style=\"display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%\"><p style=\"margin-bottom: 0px\">Resource Encounter \"5ce5c83a-000f-47d2-941c-039358cc9112\" </p></div><p><b>status</b>: finished</p><p><b>class</b>: emergency (Details: http://terminology.hl7.org/CodeSystem/v3-ActCode code EMER = 'emergency', stated as 'null')</p><p><b>type</b>: Unknown (qualifier value) <span style=\"background: LightGoldenRodYellow; margin: 4px; border: 1px solid khaki\"> (<a href=\"https://browser.ihtsdotools.org/\">SNOMED CT</a>#261665006)</span></p><p><b>subject</b>: <a href=\"#Patient_970af6c9-5bbd-4067-b6c1-d9b2c823aece\">See above (urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece: CDEX Example Patient)</a></p><h3>Participants</h3><table class=\"grid\"><tr><td>-</td><td><b>Individual</b></td></tr><tr><td>*</td><td><a href=\"#Practitioner_0820c16d-91de-4dfa-a3a6-f140a516a9bc\">See above (urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc: John Hancock)</a></td></tr></table><p><b>period</b>: 2021-10-25 08:10:29-0700 --&gt; 2021-10-25 08:16:29-0700</p><p><b>serviceProvider</b>: <a href=\"#Organization_e37f004b-dc10-422b-b833-cdaa10a055a3\">See above (urn:uuid:e37f004b-dc10-422b-b833-cdaa10a055a3: CDEX Example Organization)</a></p></div>"
        },
        "status" : "finished",
        "class" : {
          "system" : "http://terminology.hl7.org/CodeSystem/v3-ActCode",
          "code" : "EMER"
        },
        "type" : [
          {
            "coding" : [
              {
                "system" : "http://snomed.info/sct",
                "code" : "261665006",
                "display" : "Unknown (qualifier value)"
              }
            ],
            "text" : "Unknown (qualifier value)"
          }
        ],
        "subject" : {
          "reference" : "urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece",
          "display" : "CDEX Example Patient"
        },
        "participant" : [
          {
            "individual" : {
              "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
              "display" : "John Hancock"
            }
          }
        ],
        "period" : {
          "start" : "2021-10-25T20:10:29-07:00",
          "end" : "2021-10-25T20:16:29-07:00"
        },
        "serviceProvider" : {
          "reference" : "urn:uuid:e37f004b-dc10-422b-b833-cdaa10a055a3",
          "display" : "CDEX Example Organization"
        }
      }
    },
    {
      "fullUrl" : "urn:uuid:e37f004b-dc10-422b-b833-cdaa10a055a3",
      "resource" : {
        "resourceType" : "Organization",
        "id" : "e37f004b-dc10-422b-b833-cdaa10a055a3",
        "text" : {
          "status" : "generated",
          "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><p><b>Generated Narrative: Organization</b><a name=\"e37f004b-dc10-422b-b833-cdaa10a055a3\"> </a></p><div style=\"display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%\"><p style=\"margin-bottom: 0px\">Resource Organization \"e37f004b-dc10-422b-b833-cdaa10a055a3\" </p></div><p><b>active</b>: true</p><p><b>name</b>: CDEX Example Organization</p><p><b>telecom</b>: ph: (+1) 555-555-5555, <a href=\"mailto:customer-service@example.org\">customer-service@example.org</a></p><p><b>address</b>: 1 CDEX Lane Boston MA 01002 USA </p></div>"
        },
        "active" : true,
        "name" : "CDEX Example Organization",
        "telecom" : [
          {
            "system" : "phone",
            "value" : "(+1) 555-555-5555"
          },
          {
            "system" : "email",
            "value" : "customer-service@example.org"
          }
        ],
        "address" : [
          {
            "line" : [
              "1 CDEX Lane"
            ],
            "city" : "Boston",
            "state" : "MA",
            "postalCode" : "01002",
            "country" : "USA"
          }
        ]
      }
    }
  ],
  "signature" : {
    "type" : [
      {
        "system" : "urn:iso-astm:E1762-95:2013",
        "code" : "1.2.840.10065.1.12.1.5",
        "display" : "Verification Signature"
      }
    ],
    "when" : "2021-10-05T22:42:19-07:00",
    "who" : {
      "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
      "display" : "CDEX Example Practitioner"
    },
    "onBehalfOf" : {
      "reference" : "urn:uuid:e37f004b-dc10-422b-b833-cdaa10a055a3",
      "display" : "CDEX Example Organization"
    },
    "sigFormat" : "image/jpg",
    "data" : "/9j/4AAQSkZJRgABAQAAKwArAAD/4QEGRXhpZgAATU0AKgAAAAgABwESAAMAAAABAAEAAAEaAAUAAAABAAAAYgEbAAUAAAABAAAAagEoAAMAAAABAAIAAAExAAIAAAARAAAAcoKYAAIAAABPAAAAhIdpAAQAAAABAAAA1AAAAAAAAAArAAAAAQAAACsAAAABd3d3Lmlua3NjYXBlLm9yZwAAQ0MwIFB1YmxpYyBEb21haW4gRGVkaWNhdGlvbiBodHRwOi8vY3JlYXRpdmVjb21tb25zLm9yZy9wdWJsaWNkb21haW4vemVyby8xLjAvAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAABkKADAAQAAAABAAAAfgAAAAD/7QCaUGhvdG9zaG9wIDMuMAA4QklNBAQAAAAAAGIcAVoAAxslRxwCAAACAAIcAnQATkNDMCBQdWJsaWMgRG9tYWluIERlZGljYXRpb24gaHR0cDovL2NyZWF0aXZlY29tbW9ucy5vcmcvcHVibGljZG9tYWluL3plcm8vMS4wLzhCSU0EJQAAAAAAEPRn0I1gKCCiMRUck2ip0t//wAARCAB+AZADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9sAQwACAgICAgIDAgIDBAMDAwQFBAQEBAUHBQUFBQUHCAcHBwcHBwgICAgICAgICgoKCgoKCwsLCwsNDQ0NDQ0NDQ0N/9sAQwECAgIDAwMGAwMGDQkHCQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0N/90ABAAZ/9oADAMBAAIRAxEAPwD9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0P38ooooAKKKKACiiigAooooAKKKKACiiigAooooAK+VPAP7XHgH4i/tL+NP2YdD07Uk13wRpzaheajMsQsZvKktopo4sOZd0b3cYyyAEh8cAFu7/aM+Ovhb9nH4Q698VvFREkemQ+XY2YbbJf6hNlba1j75kf7xAOxAzkYU1+SPwR/4JpfGzxxdt+0j8SPi5rvw6+IPjaW41i/s/DsD217arqMn2jypblbmNlJ+UtAI9seAhJK8AH7vVzHjDxr4Q+H2gXPirx1rVh4f0ezAM99qVxHa26Z6AvIyruY8KucseACa/K749+EtW/Zo8GWt140/ab+Kmsa3qrfY/D/h3SmsZdY1q9bCpFbobaWUjcwDyMSFyBy5VW87+EP/AATm+L3x7sbDxv8At3+P/E+qomZ9M8HnVGnks1k73c5DRRyMvDx26K3TdIDlFAPt3wb/AMFFP2TPiD8T9K+E3gzxdLqms61cfY7KWPTruOyluSCViE0sSDLkYVsbCcfNyK+36+Z/hB+x1+zR8CL+LWfhh4C03TNWgUrHqc/m39+m8YYpcXbzSx7hkHYygg46cV9LMyopdyFVQSSTgADuaAHV+efx8/b98OfDz4t6N+zt8HdAf4j/ABM1bUILCext7jyLDTGlILC5uFSUmSNMvIiriJAzSOm3afnf9pH9sj4rfH/xtc/su/sFxS6tqRJg8R+N7Rttnp8TEpIttd4KRIvIa6HzEjbbhn2tX1N+xt+wj8O/2UtMbX7iUeJ/iJqcRGqeI7lOU8z5pILNWyYoSfvOT5kp5cgbUQA+7qKKKACsvW9Z07w5ot/4h1iYW9hpdrNeXUzdI4LdDJIx9lVSas399aaXY3Op6hKsFraRPPPK33UijUs7H2Cgk1/Od+0H/wAFG/jN+1ovin9n39l3wBeXWha5ZzWk11BbT3uu3WmqwE8gigPlWsMyHy3DrIdj43KzAAA7v4Hf8FSdc+JH7XF3qfxF8T2PgP4Nx6dfx2mlXsMZ3FMC1kmnWN5TdyMQzBXEaqCoBxub9C/EX/BTf9iXw7A8j/EaLUZVB2wadpuoXLuR2DLbCMf8CcD3r4k/Zi+Ln/BPL4c2ekfBX4mfCtvhv41hSGC9m+I2gRXFxc3cgAMkl/NE7RRu2SPNjt4UHChRXqHj3WtM/a08cav+yx+yFaaV4Y8B6eBF8SfH2i2MEMLW0uVOlaa8Kqsz3AVlkcHa6hgCYg3mAHMa9/wVO+IHxk19vAH7Evwm1PxZrJGW1HXIsQQITt8x7a3mCxxk/dlnuolBwCpzivqvxj+2hb/ss/BzwXqv7YkMMXxI19ZRc6B4ORLxyElYCZVmuI41RIzGJT5xUylhEXA46zxVrP7PH/BOb9nee/0jTINK0jT1ENnYwlf7R17VWQ7FeUjfNPLtJkkbIjjBIARQo+TP2S/2U/HPxs+JJ/bd/a/txc+I9VaO88J+F50P2bSLRfmtZZIXztMakG3hbJQkzSZmb5AD9Y/CfiKLxd4X0nxTBZXumxavZwXqWepQ/Zr2BZ0DiOeHJ8uVQcMuTtPFdDRRQAUUUUAFFFFABRRRQAUUUUAFFFc54u8X+GPAPhrUfGPjPU7bRtE0mBrm9vruQRwwxL3YnuTgKBksxAAJIBAOiZlRS7kBVGSTwABX5tfHX/gqf+y/8F9Wl8NaXe3nj3WLd/LuIvDaxTWluwPzB7yWSOFmHTEJlweG2nOPyP8A22/+CkXjz9pLVJ/hN8Dxf6J4DuJfsZW3V11XxCznYBKI8vHbyE4S2X5nB/e5JEae/fsXf8ElLzVfsHxL/apgks7M7Liy8Go5S4mHVW1KRCDEuOfs6ESdpGQhoyAft18CPjT4W/aE+FeifFzwZbahZ6TriTGGDU4BBco0ErwyBlVnRgHRsMjsrDoeoHr1Z+k6Tpeg6XaaJodnBp+nWEKW1raWsawwQQxKFSOONAFRFUABQAAK0KACiiigAooooA//0f38ooooAKKKKACiiigAooooAKKKKACiiigAqveXdpp9pPf380dtbW0bzTTTOEjijjBZndmICqoBJJOAOTVivzu+LOr6z+2L8QdQ/Zu+Ht5PZfC/wzdLF8TfE1o5Q6hOhDf8I5YSr1duDfSKf3a/uyckpIAcj4B0e6/bq+ONp8ePE1vIPgl8Nb6WLwDptwpSPxHrMD7ZtamjYDdbwuu23DDkr/CRMjfQf7Vv7W3hr9m/R7DQ9Lsn8V/EnxSwtfC3hOyy91e3EreWksyplo7cScZxukYFEyQxXzH9pv8AbX+CX7JPwyi8LfDebRtd8WW8KaP4d8JaRPHMlo8SiOM3UduxaC3hwBsO15CAifxMnw3+x98Jv20B8TvEf7RfxH+FUOs/ETxJhNO8R+O9aXSrXSLeRSJRFpkFvc3qsykRqBHEI4R5aYDOCAfoT+zN+y5rnhrXZv2hP2jL5PF3xo8QRAzXUmJLLw5auDt07S05SJY1YrJIn3iWCnaWaT6Z+KHxm+FXwV0aPX/it4p0zwxZTs0cD6hOsb3DqMssMXMkrAckRqxA5r86P2qPiL+078KPA/2/xv8AGnQ/DXifXybDwz4Q8AeFP7Q1PV7+TCRRQzaldTTBA7KJJUhTbkbfnZEb88rH4Q+DvFPw4k+Jnxq8T6h8a/jFd+O9E8AXum3OoXkll4VvNSuDhHb5ResgR0Hlu1kZT5aCQKWYA/WOz/b+0/4q31xof7J3w48S/Fm6gcxyasYhoPhyBv8AptqF8AysB82zydzAfLXw1Y+LP2zf2/8A4seIvglc+KNH8K/Crw9ci08W6r4G817KdSBvsIb+4UTXk7fNG4QrbEBnKvHsEnTfta/theHPFOoy/shfsz6xp3hDwjpsLQeNPGGnRrHY6XpkbCOay0yK2A82R2YQhYBumldYIvvMw+bPixqXxIuvDfhj9jX4DadqXg46z5aaT4D06VY9cltpsSS6x4xvY+IZrmMGUaerKsMZ8y4YLHFG4B/Qd8IPgx8NfgR4LtPAPwu0S30XSbUAsIlzNcy4Aaa4lPzzTNjl3JPQDCgAehz6pplte22mXN3BFeXm/wCzW7yqss3ljc/loTufaoycA4HJr5M8Ax+Gf2F/2T9KtvjJ4xm1O18HWDfbtUupGmluLqd2kFpZo53uod/Jto+uxRnaAcfg/wDA64/an/a0/bM1D9p74UQjTotK1a7uU1vxIzzaNoOmSRywx2jsCglaK1lIEMOCSd7bVLPQB/VASAQCcZOB7nrS1/PZ8F7TxJ+0j+394c1LwN498UePfCnwmJ1LxF4t1W6I0+91L98rDTLOLba2drcyMIIYYhl4Elk3OvJ/ZD9of9oXw58AfDNrczWVx4i8WeIJjYeF/C2nDfqOtagQNscSKGKxJkGaYqVjX1YqrAHl/wC3J8cY/hb8ILzwP4YgfWPiJ8SYp/DPhPRLUb7u5ur5DBJcBAciK2STeWPy79ikjdkfEn7A1z4H/Yj8O6t8OP2jvCup/DbxxrGovJdeKtVtjPoGp2seBbRQ6vb+bawpCpYskjooZixfLBV+z/2bf2cPF+leL779pL9pG8g174veIYPJihh+fTvCumtkrpunAlgCAxE0wJLEsAzbpJJfz/8A+Cmv/BQ3T9M0zWP2a/gdqEd3qF7HNp/izW7dg8VrC4KTafbOMhpnBKXEgyIlzGP3hYxgHiX/AAVa/ak+GHxv8S+HfgT8MYtI1y50DUVlvvFu+IxRXE6mIWVreZ2C3G8Pcvu8veqDP7tjXsH7Dv7T3wt/Y0+EvxX+EXxk1fRBq3w88QNc2r6BKlzL4l+3oEAsifLN00bwhTIwQRxOnmbApNdZ/wAEqP2LNK8LeCJ/2iPjFoMT6x4giZPD1pq1urLZaQVBa88uUYWS7ydjEZECgqdsprwH4Ofsv+CP23/22fiD8XtH0W00z4IeGtcSNYrCBbWz1q4soooUhgWNVUR3RiN1csoDbJQDh5QwAPpb4J+Er79sH4k6X+15+2Bd6doHhKyLSfDfwHqF3HFbfZg4K39wkxTzldlDBio+0MoYgQLEjfpR8a/2pPgN+z1o1nrXxW8W2elJqSeZp9tEHvLy8T+/Db26ySNH28zAjBIywzXyl+2vqX7LXwYtbTWL/wCEnhTx78XPFvk6b4V0KTRLW9vNQuI1W3geZPKZzbQAIg4y2FiTHVfzO+MP7FPgj4Efs4eKPjz+1lq/2r4o+KYZIPDfhnR3istP03U7zLRRRxW4VJfsgJkkSLZbRopjUPlGYA/cDUf2w/gJpn7Ptv8AtN3Gvt/wg16GSzn+zyJd3Vysz25toraQJI0/mxOu3GAFZyfLBetDxN+1Z8GPCnwIs/2itU1cjwpqWmRapYIFVb+7jlKARQ28joXmVnCugPynOSAM1/PZ8APhTqnxA+Evhb4sftf63e6f8CPh+XsfB3hW1j8q78T6jPM8htrC2hCPM1xOzCWfmSTlFdUV3j9M/af8cXPg06J4z+N+jWI8Ym3CfCv4LW0aSaR4M02QLHBqGsW0ahJ7ttimO1K7XkGHXYpijAPs7wB/wV48IfEn44eH/hdoPw51Kx0LW7sQS65q2pQ2k9nblDK11NaLFJEsMUSmWRjdcRgtnjB6bxB/wVK8Ln9pXwT8GfAfhO51zwv4m1C009/Ebs8L3P2+f7NFc2FtsLS2qSfN5r485AxjXbtd/wAjNS+C9h+z9o9r8Zv2qIZPF/xf8bytqHhj4c3RaeaSe6c7dS8QhT5hjMpylkuGmcCNzjzUj/QP4NfDfwT+w/4Su/20f21L86n8W/EyyPo+iny5L20aWMKLa1hG1BcmIqkjKFhtIcRLtGdwB+z/AI/+IXgn4WeFL/xz8Q9ZtNB0LTU8y5vbx9ka+iqOWd2PCIgZ3bAUEkCvz2+BH/BTbwN+0T+0na/A34f+EdR/sS9tb6W38RXk6xSSSWUTTZNkI2McLqjBXaYPkrlFJIHg/wAKPgH8Wf8Agob4nsf2if2t2uNF+GMUn2jwd4AtZpIYri2P3bicja4jkXrLhZrgHKGKDyw3ovx4/a2/Y+/ZKvvsH7Pngzwr4l+K9zaDRrC08KWFqot0dlCQ3l5ZpvK71X/Ro2aV2ABCAhwAfeH7RP7Svwr/AGYfA0njb4m6j5Pm7o9O0y32yahqVwoz5VtESu7GRvdiI0BBZhkZ/n8v/wDgrj8etf8Aj54c8SX8yeEvhzput239p+G9OtYbu4m0oTKt0s006CSW58jeF2NCgfBCqRmudt9O/aE+NPxse61EN48/aG1ZQIbclW0T4cWGf9dc43QQ30O793CMizc7n8y+YJF+tvwP/Yi/Zt/Yt+H2ofFv4vyWPiXxFpdq2o634p1yETw2jjlhYQSB9hLnajYa4mdsA/MIwAeh+Cv+Chfwk+JepafZfDjwh8QvEtpezRRS6rY+HJBpljHIwDT3d1NLFHFDEDukfJwoJGa+WP2jv+CjHj3xr4pu/gf+wXoVx438SQK41DxNZWZv7a1CHaxsoyGikCtwbmYGDPCLJuDjwTUPip+0f/wVK8cah8Pfho8/w3+A+kTbNZ1Aja89svIW7dWAnnkT5ls42EMYIaVm2q59f1D9tr9ij9gjwhN8Hv2cNIfxxrVoMXt3p8kf2a7vkBBkv9VIPnvk9LeOSNBlF8sDaAD239lr46/Hr4MfALxb48/4KDTzaDbaTqCNol/qptV1O/jmjYvaJa2uHeRZEzEGXewdv+WceR+PP7RP7UvxP/4KBfEZfCltreifD/4eaZN5tjYeIdattKs40zsF5fSSyK13c4PEcCSmJSRGh+d3n8T+KPEf7WmuN8fP21vH8XgzwBpyNJo3hzTWU6pfxMf+PfQ9Ld2cJKV2yahcAx7gMu4QiP334Pf8E8/FP7VHj3TfH3iTwLF8FPg5p0MMOmaQqn+39VskYurTSSgzyTz7syXdxjClRCjIBtAP1A/Yx/YA+DH7NGk2HjSCW38a+Nby2Sb/AISaVVeCFJkBxpkYLLFEyn/W5aWRSfmCNsH6F1l6HomleGtE0/w5oVsllpulWsNlZ20f3Ibe3QRxRrnJ2oigD2FalABRRRQAUUUUAFFFFAH/0v38ooooAKKKKACiiigAooooAKKKzdY1nSPD2l3Wua/fW2m6dYxNNdXl5KkFvBEnLPJI5VEUDqSQBQBpVyHjjx/4I+Gfh648WfEHXdP8O6Paj97e6jcJbwg4JCguRudsfKi5ZjwATXxTeftd+OPjlrNz4K/Ys8ML4ljgka3v/iF4gSaz8J6ewOG+z8LPqMynokQVc7WyyEmtHw7+wP4D13xDF8QP2mfEGqfGzxcmWSTxARDodmWwSllpEJ+zxRHuj+Yp64BoA8D8X/tjfFT9sBdZ+EP7B2g3iQEtZaz8SNbB07TtNgkGCbMYeYzSqfkYoJ0GWWHOJE+ZPjp8L/h/+xB8CtJ8PfGz4k698RvEb2lxB4a8A6Vdv4e8PPJMzPNdX9vYPHc3MKSsTJPNMJLg/Jjlin6IftW/tT/CD9gf4Y2OieFPDunQ63qqXH/CN+FtJtorCyVlI8y5nS3VEht1dxnaoeVvlX+N0/G/9kH9nD4l/wDBQr446l8f/wBoC7ub/wAH2F8smqXMuY11O4jw0el2YGBHbxqV83y8COMhVw7hgAe+f8Epf2IP7Uu7X9qn4r6Yq2sUhk8GaZcR/LJKDzqbI38EZ+W1z1bMo+7Ex/Xj9qr9qDwL+yp8MLnx74tYXmoXBa20PRo3C3Gp32MrGvBKxJkNNLghF7FmRW9W8eeNvBHwT+G2q+N/ErxaR4Y8J6cZ5VgjCrFb26hY4YYlwNzHbHFGuMsVUdRX8tSfF79oz9uD9rePx54D8MrrWrWjND4YsbyNrjSPCttkiC8uCR5O+3OZzJKCslyFOxwEhIB9R6JoXxx+IPxNGr6jcjVf2ofiZaB4VZWFj8KfB9wvNzIvzfZb6WCTbBF/rokk3H/SJfnwvj34h8O2XhOx/wCCaf7E+g/8JrqU97HP4v8AECRxyz3+r2kiSysszHy42jkiUz3BcJAiCFWwGNfUXx3+D3xu/ZZ+AmnfCT9mTQPEXjn4k/Fy9uX8d/ECytprq+MihDIZLkbvsiztOyQPLIBHGsrbvNYyD6n/AOCfn7FNn+yZ8Pri/wDE5t774heJ1jk1m7iAdLKFfmjsIJMZKIx3SsMCSTnlUTAB+SMXwYj/AGOtY8NfDjwHpVl48/at8ZQwpYW9opu9N8FwypxdIs5ZJNRdQ0nnSbYoFDShUiCmb9FNE+Cmm/8ABPX9l/xx8cNS1201f4v3lvFqWs+JNWYz/wBoXrXEcp0q3eYGUxXLboi/+tldvObbtQR9d+zF+w/8UPhJ+0145/aR+J3j6y8Q33ieTUYYrW0s98k1teTLJE009wu62MSRooht8qAoXzCi7Wyf2t/2J/jj+178ZdFTxd430rQ/g1oTRyQaRp5uH1aSUoPtEzxvCLY3Eh3RxyNIywx9I2JcOAfCvwis/HP/AAVo+Nt54o+M2tweH/hn4FeOW38G6Zej7Q/nZ2oq8SHeBi4vWRTyI4Qmf3frXxf+It/+074ztv8Agn1+w7HZ+Gvh5osTReMPEenR7LFLGFws8MBjIMkG87XYNuvJm27hFvkk/Qjxb/wT9/ZW8U+ANP8AAVt4Mt/D/wDY9o1ppus6IxstZttykF2vE/eXDMSWYXHmqxJJUk18wfBT/gmH40/Z7j1q8+Evx/1vw7q+tbIp7i10GyktpIIWdoVlt7iWbeybz86yJnJwBmgD9AP2fP2fPhz+zT8OLL4bfDezMNrCfOvLybDXeo3bACS5uHAG52wAAAFRQFUBQBXE3Hg/4RfA3xV4j/aL+NHiy0k8Qam00EOveIJorWLStJDs0Gl6ZEzYijVCPM8vdNcylncksEXwTVf2Nf2n/EVs0HiH9rTxf864ZtK0e20g/gbW5Vl/Bs+9fCfxC/4J5fs2SazJefGH9raK41dG2Sya9qenm8HP3Sbq+eTOfWgDlv22f+CsN343sL/4W/sxyXWl6Ncq9vqHiuRWt727ibKtHYRnD20bDrM4WYg4VY8bm+Yv+Ccf7Ft/+038So/GnjOzcfDfwndRzak8qkJqt4mHj0+Mn7ynhrgj7sRC5DSKa+s/Bn/BOP8AYK8S6vb6fZ/tK2euzSSBRZadq+ixXM3P3UUtMxJ6ZCGv3Z8EfC/wv8LfhtafDH4WW0XhzS9LsXtNN8qMTeRI6nE7hzmaQyHzHLnMjEljyaAPz3/bX+OetfETxHZfsHfs53HmeOfGOy18S6ja/wDHt4d0IqGuRMyfdeSD76jlYTtH7yWMV7P4/wDHfwW/4Jt/su6dptjCrwaRbmx0TTAypea5qzqXkkkYDgySEy3EuNsanCj/AFaHov2TP2NvB37Ldprmr/2vc+MfHPiq4efXfFWoxeVdXW9zJ5caeZKYoy5MjgyO0kh3OxCoE+cP2uv+CePjj9rr476f418UfEWLR/AulafBZ2WlW9m897b4O+58vc6wB535Mx3EKEUowQZAPj79mP4h3cXjC8/am+KUB+Jn7QPxDtp5fB3hS1lSODw74fUFW1C+nkLQ6TZFOEeQ7hb/ADLvMzsPjvTPHep/tf8A7TV54t/aG1efx5a6Fcm20Lwh4VSUHX5TK4ttP0qFwr21hJ5ZmuruYK6QLmRhK6Y/ov8Ah7+xZ+z18M/hDrPwV8M+Hnj0PxLaGz127NzLHquqxsMN9ovYGimwef3aFIgGZVQKzA73wO/ZK/Z7/Zxlu7z4Q+ELbR7++QRXGoSzT3t68ec+WJ7qSWRIyQCyIVRiASCQKAPzW+Mfj+9/Za03Tvix8brDSfE3x51mI6b8Lvh/o4a40TwXpzKkMYt7dFUNKjYSWdV3zuqwQMsauw6X4Q/s03X7Nvwx8Xftx/tH6dc/EP43HTbnxF9juR9oGl3DJmGGNVBVZ1yommVdttGCkICoWf8AUSL4N/DGP4nXPxmfw/az+Nbm0hsP7YuN09xBawBgsVv5jMtup3Nv8lULkneWr02gD+Z39i648TfFD4l+I/2sfGXhrVvi18XL/Umg8K6KlrLDpOn3OxP+Jnf38qCzs7S2VlhtUDtIuxikZZUdeh+Lv7I37bvir9p/Rvip+0L4PHxi0KG9jmey8Manbw6abWEmSLT4or0wyWtt5m0Sl4vnUuS7uSx/pBooA/O3xL8Bv2h/2j9AuLr49X9p4P8AD9tbTS6T8MvC9/IkF1cJGwt49d1mHZJPFuIV4bRY4sYYMWFfmt+y/wD8Evf2rNC16/vvF+qaT8M7a8QW02q2jw6r4iitju81NMeFnhs2nU7HnEqzKvyqCrSI/wDR3RQB4n8B/wBnr4V/s3+C08EfCzSVsbZiJb28mIlv9QuAMGa7nwGkc5OBwiA4RVXivzH/AOCuHhb9pv4mR+Avhj8J/C2qa94N1KWW5vzo8L3DzatESIYrsIP3UEMWZEZyI2dmLHMSkftJRQB+Pn7Pf7C3xt8RfDXQfAf7S3iCHwn8PdKgRV+G3gp/sceoyEAyy65qELNLcPM43SxpNIpYgq8eNtch4N/4JZN4p/ah8VfEb4022kW3w10nU9vhPwzoirBBfafCB9jjuI4wvkwwx7VnUnzLicOzHaxaT9sqKAPxy/4Ktn4dWnw78I/Bfwr4Q0K7+I/xH1PTtD0KdNPthfWGnWU8W0QTCMywo0rRW6IpVSjyAcKRX6u/Dzwp/wAIH4A8M+B/tcl//wAI7o9hpX2uYlpbj7FAkHmuSSSz7NxJJOTX89fjv4lp8Vv+CxPhqDWZQ2leEfEtp4c02OQ/LE+lxSMQPdtRaRh7sB2r+kSgAoopkkkcSNJKwRFGWZjgADuSaAH0Vy0XjnwVPff2ZB4g0uS8JC/Z1vYWlyeg2B92T9K6mgAooooAKKKKAP/T/fyiiigAooooAKKKKACiuV8beOfCHw38MX/jTx5q9poWh6ZGZbq+vZBFFGvQDJ5ZmPCooLMxCqCSBX5eXPxn/ab/AG7dSn8P/syrdfCr4PJK9vffEPUYWj1bVkU7XXSocq6A84ZGVhj55omzEQD6p/aB/bX+FHwL1SLwJYJd+O/iPfsIdO8GeG1+16lLM4yiz7Ay2yngneDIV+ZI3ANeH+HP2YvjT+0/rdp8RP24L5LPw7bTLd6N8KdFuGGl2xU5jfVpo2/0yde6BmXP8SqWhr6f/Z6/ZM+C/wCzVpkkfw/0jz9cvFP9p+I9SYXWsag7Hc7S3DDKqzfMY4wkeedpbJP0rQBQ0rStL0PTrbR9Es7fT7CzjWG2tbWJYYIYkGFSONAFRQOAAABXyx+13+198O/2SfALeIfEjrqPiPUUkTQdAikC3F9Ooxvc8mK2jJHmykcfdUM5VSv7VP7Zvwg/ZI0Syu/H8l1qGs6usraZommosl3cCHAaRy7KkMIZgC7nJ52K5UgfgL8HfgH8Yv8Agpv+0L4g+LvjS4vtI8Dtqcj3+qTv532OzDl7fSNOZkVJJYomC7ggSMHzZFLOEkAMz4D/AAM+OX/BTT49al8TvifqFxD4ZguUGu60qbIbeBPmj0vTEbcocIcKPmESsZZdzsBJ/Up4D8B+Efhj4P0rwF4E0yDR9B0W3W2srO3GEjReSSTlmd2JZ3YlnYlmJYkmp8Nvht4J+EXgrS/h58PNLh0fQdHhENrawj8Wd2OWkkkYlndiWdiSSSa7mgDA8UeFPDHjfQbvwt4z0ix17Rr8It1p+pW0d3aTiN1kUSQyqyPtdVYZBwwBHIFJ4a8J+FvBmmJong/RtP0LTozlLTTbWKzt1PTiOFUQcD0roKKACiszVtb0bQLNtQ12/tdOtU+9PdzJBEuPV3IUfnXyNf8A/BQb9jzSfEmteFtT+JekwXehSxwzSL5lxazl4llzbXFuksM4TcUfYxKyKykdMgH2ZRXwvH/wUb/ZV1SVrbwZrmt+L7hTt8nQPDWr3jFvQN9kVCfoxq9P+2Xqd5A0vhb4E/FjUEA3C41HRLfQ7Tb6tLqN3Ayj3KY96APtqvKPjT8ZvA/wF+H998RfH1zJFYWrJBb21unm3l/eTHEFpaxAgyzzNwqjAABZiFVmHwh4q/4KD+LfD++HUvCPgPwlIM8eJviXpb3KD1ax0iDUZz9Acjp1r89PiH+1Z+1h8XPj14b+JPhL4eWPxC0n4bxT3WgWGgaF4i1PQrjUbpRG12GktbS4luoFbMUkkccSCMmPLMGYA/UvwX8H/jL+01cnx5+1qZfD/g+6Qto3wp026lggSF+Um164haOS8uCuD9mJEKHG5A26MfNX7Zsw+IvibQv+Cc37KmkaZoTat9n1LxxcaVaR2tjo2jwMkscc4gVVXPyzSDhm/cxgkzEV88eM/wBuP/gp7L490H4QjwHovhXxh4wtludH0y00syXxt5C6id0u7y6WBUKOXadVVAjFgApx8v8Ag34T/t4wfGL4kfAb4ZeIYdX8T+K445fiLqel3ME8UDXBlLQ3+rywCSGX97Jvit5csSVAZlZVAPsjRvgF4O/bJ+I3hj4D/Cuz/s/9nT4BmSw1HxJCirdeJtak2m7W3uAvzmZly8ifKFZpf+WkCj6P8F+Mdc/Yt/bF0H9l671e41H4P/E2zWfwbBqV1Jd3HhzUBujFlHPOzytbyTR7ERiwHnRkHcJS/l3ws/Yi/wCCjnw18DWHgHw38dPDXhLQNOR/IsNKtjMIvNYySEytp0MjOWYlmZiSe9fF/wAJ/wBk/wCMH7bv7RviW1+I/wAT77xh4S+H0j6XdeOreSSeKeaPLxWml+eAv+uZnYqPLVAXBPmRlwD+oysPVfE/hrQv+Q3q1jp/f/SrmOD/ANDYV+U0H/BIjwDeWv2bxT8X/iJqi4ACx30EUeB22Swz/wA639F/4I6/si6WQ2oy+LNbbqxvtVjTce+fsttb0AffmofH34E6Rn+1fiP4SssdftGuWMWP++5hXC6j+2T+ydpeftXxf8FNjqLfXLO5P/kGV68d0T/gmN+xDoYDR/DeO8kHWS91TU7jP1R7sx/kor03S/2Hv2QtIx9k+EfhSTb0+1adHd/n54kz+NAHM6h/wUO/Yu0wkXPxV0d8f8+8d1c/+iYHrm5v+CnP7DUGd/xPhOM/c0fWJOn+7Ymvomx/Zs/Z10sAab8LPBVpt6eR4e0+P/0GAU7WvgD+zvdWMz+Ifhx4Lls0Vnma80PT2iVRyWYyQ4AHcmgD5uT/AIKf/sLuoYfE5AD66JrQP5GwBqzF/wAFNf2G5jhPifAOcfPpGrJ/6FZCvjf9omP/AIJAeGxcaZrGh6PrOvO3lxaf8PGne784nAVG0+aKxWQNxslkHPG2vHf+Cdf7J3jU/tKar8adP8I614J+ElpBeW1lpnjS3im1LVY7mMCKHbLBH8kUoE5nRABsWIPIS7UAfp7D/wAFHv2Jp8bPinpwz/fs79On+9aitWH/AIKC/sZXGNnxX0MZx9/z06/70Q/+tX09/wAIJ4I/6F7Sv/AKD/4iqz/Dj4eSZ8zwvorbs5zp9uc565/d0AeAQ/t2fsez/c+LfhgZ/v3gTp/vAVrQ/tpfskz/AHPi/wCDRn+/rFsn/oTivW5vhL8KrgbZ/Bnh6QdMPpdqw5+sVY8/wE+Bd1n7V8OvCc2c58zQ7Fs569YaAOLT9sH9lGQ7V+MPgYHr83iCwUfmZhVa6/bL/ZMs0Z5vjB4LYLnPla3aTHj0EcjE/hVjxZ+yj+z/AK9od/ZaV8M/ANjqlxA8drfXXhPTr1baZgQsphMcXmbM5C71BPU44r59+FH/AATB/ZT+HN3/AG94h8PDxzrzzNcy3euLGLISudzLDplssNhHCD9yNoX2DgHFAH8/37Wvi/wf4R/bL1L44fAHxJF4i0251+38WWGowxTLbxaskq3NxbiR1jEwS4G4mMldkiqTuBr9wvhh8c/26f2tPDVh4/8Ag7p3w++GvgfUw4i1DU7ubxFq2+F2ikURQCOFXVlJMc0UZAx8x7/Tn7Uf7Hvwx/af+Flt8OdZiGgzaJvl8O6hp0SoNLnZNuFgXbG8DgASRfKCANpVgrD+ciw8T/tbf8EvPjDc+HXbybK8k857OcPc+HvENqh2ieL7hDgYG9DHPEflfAJUgH74S/smftC+Llx8UP2n/Gk6v9+Lwhp9h4VCg/wpJAsz8dAxJJ6msG+/4Jgfs7+Ivm8f61478aS5yZdf8S3Fy7H1JRYxn8Ko/s1/8FQv2d/jtBDpHiu9T4deKT5UZ0/XLiNbK4lkz/x63x2RuMgDbKIXJICq3Wv0kR0lRZYmDo4DKynIIPIII6g0Afmdqv8AwSQ/Yw1Gye1s9D1rS5XBAubTWbhpU9wLgzR5+qEV4XefsHftkfs5XB1n9j742Xuq6ZbZdPC3iaTETIP+WarIJrCR2HG8xWpA6MDg1+09FAH52fs3ftq+LPE/jq2+AP7Uvgq4+GXxSuInfThIjLpOuiIEubKRmkUSAAkKsssb4O2Qt8g/ROvyJ+Keof8ADV//AAUL+G3gbwBcfavDf7Pkk3iDxRq1ucwRarLLEyWIcfK7+ZawxsoORmcYzEwr9dqACiiigD//1P38ooooAKKKKACvnn47ftLfDz4EQWOl6vK+teMtedLfw54S0wiXV9Xupn8uJIo/+WcTScNPJtjUA8lgFPmXxW/aO8X+IPGN78CP2VtNtvFHjy2Ii1zXrsk+HfCKvxvvpkB8+8HPl2ce58glxhSp3/gX+yH4E+EmtT/EnxVd3HxA+KeqEy6p4011RLetIy7SlnEd0dlAq/IkcXIT5CzKAAAfOfhP9k34v/tH+O1+K37d09tLpel3Il8M/DPSrrztFsRjiW/aP5bqYZwRuYPg7m8oiIfptY2NlpllBpum28VpaWsaQwQQIscUUUYCqiIoCqqgAAAAAdKtVynjXx14N+HHhy68XePtbsfD+i2QBnvtRnS3gQn7q7nIBdjwqjLMeACeKAOrr84v2wv+Cjnwg/Zy0TVPDXhDUrTxb8RwjwWuk2b+fbWFwRgSahMh2RiI8mAN5znC4RSXX8z/ANsf/gpT4+/aB1tvgX+ydDqtvoWoymyk1CwglGta8zZBitYkHnQWzc8ACaVfvbFLIfTv2N/+CRlwlzY/Ef8AarVNsZW4tfBsEgfeeqnUp4yVwDybeJjnje+N0ZAPlv8AZK/Yk+Lf7c3j27+Onxw1DULXwdqF893qOsXHy32uzBvngsQw2pEuPLMoXy4gPLjUlSqf08+CfBHhL4b+FdN8D+BdKttF0LSIFt7OytU2RRRjn3LMxJZ3YlnYlmJYkne0/T7DSbC30vSraGzsrOJILe3t41ihhijAVEjRQFVVUABQAABgVcoAKZIzJGzqhcqCQq4yxHYZIGT7kCn0UAfjLf8A7TH/AAUB8d65qdr/AMKv8X/DfS47h49Pj0Lwla63fPCCRumvtW1C3tA47GO0ZD1ziqieEf2qPFrGbxR4U+PHivzP9Zb3Pjvw94MsXU9Q0GmNFIAe48w+wr9paKAPxaP7LHxB1aXz9L/ZO8D2d8wx9v8AHvj288UuT/ekULIx9SA59q8O+Lf7Ff7WnwsE/wC0n4Q0/wCGWg6t4asfKm0D4eeHRdhdPZ91xcwW2q20kc91EhJJ4kMalUfs39C1FAH53fDn4C6r8afBWkeOU/ac+IXiTw7q1sk9nJ4Yn07w3AynqjCxtBJGyHKvGGR0YFTggivRLT9gP9mJ5kvfFvh/UfG18h3G68V65qWsux9WjubloM/SMVH4t/ZP1Tw74q1H4lfsueL5fhd4j1WU3Wq6T9mW/wDCusz93utNYqIJnxhri2ZH5J2sxJL9F+I/7bPhoNZ/EH4P+HPFzRqf+Jh4K8TR2iSsP7tprKQFQfe446c9aAPoDwh8FPg58P8AZ/wgvgXw34faPG19M0m1tHyO+6KJWJ9yc14r+15bfGLw94O034zfAVb3VPF3gG4e5PhmEzzWviHS73ZFeWk1pCwM0qKEngYAyI0ZCcuQeNuv2mv2nnvH0/Rv2W/E09wvQ3niTRrSA/8AbfzZY/yJrTh8X/t7+MlC6Z8PPAHw5RxhpPEHiC68Q3EQPUrDptvbxOw7AzKvue4B+XfhT46a74UWO78TzXfhH9pj473tzZa14r8d6bN4e0vwToFs7Kkdg2oLFG6JAitAkTnfMVErF0jRvvbwz8dv2Kv2Kfh1p/w78E+KYPF+tXsolez8NSJ4g8ReIdWuMb57g2zMpuLhvu+dIi4wicACtT4gfsJeIf2hbWztv2o/i7rfiy0spvtNvpXh7TNP8P6bBIRggZivLlx23NNuPHTpVPSf+CUX7FGmbGm8JajfumCHuNc1BGyO/wDo88OD9MUAcx4h8F/tn/tlwvpXjKT/AIZ/+E1+NlxpNtILvxhq9o3VLmRcR2aSrw0eVZclZEmWvv34TfCbwF8EPAWmfDb4baZHpWh6VHtiiX5pJZG5kmmkPzSTSN8zu3JPoAAPmFP+Cbv7HC7S3gm+crjBbxNr56e39o4/Sp2/4JxfsYSDFx8OluBjH+kazq83/oy+agD681Txf4T0MMda1vTtPC/e+1XcUOMeu9hivHfEP7Wn7MHhXcuu/FfwdbyJndCut2c0wx/0yileT/x2vPbD/gn3+xlpuPs/wo0N8f8APwJ7n/0dK9ek6H+yp+zJ4a2tonwo8GWsidJRoNk03H/TRoS//j1AHk0v/BQb9mC886DwTrmreOb6Hj7F4V0DVNVmY9gHitfJBPbdIK5Rf2rv2kvHU5tvg7+zR4pSFzhdR8eX1t4WjiHZ2tpPOmkH+yh3V956dpmm6PZx6fpFpBY2sQxHBbRrFEg/2UQBR+Aq9QB8CzeBP+Ch3xD48R/ErwN8K7OT/ll4S0WbXr0If4Xm1Ro4w+ON0a4HUViTf8E4vAPja4jvv2gfiL8QPivKrBms9a1p7bSwRz+6tLQRtEM9llr9FaKAPDfhf+zR8AfguyTfDDwFoegXUa7RfQWiyX+0jGDdy77gj2Mhr3KiigAooooAKKKKACiiigArzT4rfB74Z/HDwnN4I+Kvh+08Q6PM28Q3KkPDIAQJYJUKywyAEgPGytgkZwSD6XRQB+OfxD/4Iufs+eIIjL8PPE/iLwldEnCztFq1oB/1ydYJsj18/wDCuP8AD/7Dn/BQL9mm1itf2avjjZa9o0Bz/YutRPbW4HdYbW6GoW0ee5SSI+hzX7eUUAfjWPHX/BZ3TXWxPw78FaqM7TeG409R/vEf2tAffiP8K9M0f4M/8FGvjTbSaV8d/ipovw28NXa+Xd2Hga0STV7iM8PGLx1/0XcD/rI5pD2KY6/qRRQB4r8Cf2ffhZ+zh4LXwN8K9JGn2byefeXMzma9v7nGDNczt80jkdBwijhFUcV7VRRQAUUUUAf/1f38ooooAK+OvGfxA8Q/Hzxlr3wJ+COvyaHp3hx0tfHXjOyAeewkmznSdJc5Q6k6Amec7lslI4aZgE8t/wCCkP7TPiP4C/C7RfBvw9uBY+NfiZfSaLpeoM2xdOt18tbu6V/4ZU8+JIz/AAGTzOqAH7A+Cnwc8GfAf4caT8N/A9qsFnp8Stc3GP39/eso8+8uH5LzzsNzsSccKMKqgAGt8MPhZ4D+Dfg+z8CfDnSYdI0izywjjy0k0z/6yeeViZJp5CMvI5LMep6V6DXmfxO+Mvwq+DGiN4h+KfinTPDVkFZka/uFSWbb1WCEZlnf/ZiRmPpX49fF3/gqf47+LevH4Q/sMeDNS1rXdQLRR69d2nmzKvQy2tidyxouQfPuyEQffiHUAH6V/tPftf8Awc/ZU8MnVfiBqIudbuYmfS/D1kyvqN8wyAQmf3UO4YaaTCDBA3PhD+D1t4c/a9/4Kv8AxJi1/Vlbwz8NNNumWCZxIuiaXGDh1t0O1r+/K8O45yQGaGMqo+1f2ff+CVV9r3iM/GL9tfxBceNPFF/Kt3Loa3ck8PmcEC/vM77grwvkwlYl27d8ifLX7QaPo2keHtKtdD0Cxt9N02xiWC1s7SJYLeCJBhUjjQBUVRwAAAKAPnr9nn9kb4F/sx6Qtn8MfD0UWqSQiK81y8/0jVbvpu3zsMojEZMUQSLPO3PNfS9FFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAf/W/fyiiigD5Q/a8/ZK8D/tdfDmPwf4muJNJ1fSpXu9D1mBBJJY3LqFcNGSolglAUSR7lJ2qQysoI/PC4/ZH/4KuXGmweDB+0Fo8OhWMYt4LqDUb23vjAo2rumh0xblpAMZLzsf9s1+31FAH4h+BP8AgjZpmqa8PFn7RnxQ1bxleyuJLm3sFaFpmHOJb66e4nkU9DtjjbHRgeR+tfwq+Cfwn+CGgjw18KPC2neGrEhRKLOICa4KdGuJ23TTuP70rs3vXqNFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB//9k="
  }
}


Digital Signatures

Digital Signatures are a type of Electronic signature that meet the following functional requirements:

  1. authentication - They verify the identity of a person.
  2. integrity - They ensure the signed document has not been altered.
  3. non-repudiation - The signer can not dispute their authorship (For example, if there is subsequent legal activity related to the signed document).

Digital Signatures employ encryption technology and a digital certificate issued by a certification authority (CA). The encryption ensures the integrity of the data has been attested by the signee. A certificate issued by a CA that the Data Consumer trusts ensure that the Data Consumer can trust that the signature is authentic and non-repudiable.

Digital Signature Rules For CDEX FHIR Bundles:

  1. SHALL use the CDex Signature Bundle Profile
  2. SHALL use JSON Web Signature (JWS)(see RFC 7515)

    JSON Web Signature (JWS) is a means of representing content secured with digital signatures or Hash-based Message Authentication Codes (HMACs) using JSON data structures. Cryptographic algorithms and identifiers used with this specification are enumerated in the separate JSON Web Algorithms (JWA). 4

    Implementers that choose to support XML need to be aware that JSON Web Signatures can only be created and validated in the original native JSON. Transforms to and from XML will invalidate signatures.

  3. JSON Signature rules specified in the FHIR specification. (reproduced below for reader convenience):

    When the signature is a JSON Digital Signature (contentType = application/jose), the following rules apply:

    • The Signature.data is base64 encoded JWS-Signature RFC 7515: JSON Web Signature (JWS)
    • The signature is a Detached Signature (where the content that is signed is separate from the signature itself)
    • When FHIR Resources are signed, the signature is across the Canonical JSON form of the resource(s)
    • The Signature SHOULD use the hashing algorithm SHA256. The signature validation policy will apply to the signature and determine acceptability
    • The Signature SHALL include a “CommitmentTypeIndication” element for the purpose(s) of the signature. The Purpose can be the action being attested to, or the role associated with the signature. The value shall come from ASTM E1762-95(2013). The Signature.type shall contain the same values as the CommitmentTypeIndication element.

    There is no “CommitmentTypeIndication” element in JWS. This is an error in the FHIR specification and a tracker (FHIR-36158) has been logged. As documented in the CDex Signature Bundle Profile, Signature.type shall contain the value “1.2.840.10065.1.12.1.5” (Verification Signature).

  4. Additional JWS rules for this guide:
    • SHALL support JWS compact serialization format for single signatures
      • Note that the complete JWS is in the form Header.Payload.Signature with period (‘.’) characters between the base64_url encoded parts. This Signature.data value must be base64 encoded again as indicated above. Otherwise it will fail validation since the base64Binary regex: (\s([0-9a-zA-Z+=]){4}\s)+ does not include the period (‘.’) character.
    • SHOULD support JWS JSON Serialization format to represent multiple signatures with all parameter values identical except "x5c".
      • The signer may have more than one certificate (for example, the signer participates in more than one trust community)
    • SHALL use X.509 certificates to verify the identity of the entity signing the Bundle
      1. The KeyUsage should include ‘DigitalSignature’
      2. The Issuer should be a trusted CA for the Consumer
      3. The Subject (or Subject Alternative Name (SAN)) should match the data Source
      4. The Validity Dates should be appropriate/long enough as determined by the business partners.
    • SHALL use the IETF JSON Canonicalization Scheme (JCS) (see RFC 8785) to generate the canonical form of the resource. JCS is a well-documented and standardized canonicalization algorithm, with multiple open-source implementations across several programming languages.
      • The Bundle.id, Bundle.metadata and Bundle.signature elements on the root Bundle resource SHALL be removed before canonicalization. In other words, everything in a Bundle is signed except for these elements.
Sender/Signer Steps
  1. Prepare JWS Header
    1. SHALL have "alg": "RS256" (preferred) or some other JSON Web Algorithms (JWA) (see RFC 7518)
    2. SHALL have "kty": "RS"
    3. SHALL have "x5c" (X.509 certificate chain) equal to an array of one or more base64-encoded (not base64url-encoded) DER representations of the public certificate or certificate chain (see RFC 7517). The public key is listed in the first certificate in the "x5c" specified by the “Modulus” and “Exponent” parameters of the entry.
  2. Prepare JWS Payload
    1. Prepare a valid FHIR Bundle
    2. Canonicalize the Bundle resource
    3. base64_url encode the payload
  3. Create the JWS signature using the supported algorithm.
  4. Remove the payload element from the JWS.
  5. base64 encode the JWS
  6. Add the Signature element to the CDex Signature Bundle Profile and populate the mandatory Signature datatype elements and actual signature content:
    • Signature.type - Fixed to code = “1.2.840.10065.1.12.1.5” (Verification Signature)
    • Signature.when - System timestamp when signature created
    • Signature.who - Reference or identifier of the organization or practitioner who signed the Bundle
    • Signature.data - base64 encoded JWS
  7. Send data to the consumer:
    1. For direct queries, the search set Bundle is returned directly as the payload.
    2. For Task-based requests and Attachments, the document Bundle is used
Receiver/Validation Steps

The following steps outline the process for verifying the Signature on a Bundle.

  1. Retrieve and store the Bundle:
    1. For direct queries, the search set Bundle is this payload response.
    2. For Task-based requests the completed Task.output is either:
      • a contained FHIR document and must first be ‘decontained’
      • a reference to a FHIR document and must be fetched from the referenced endpoint.
    3. For Attachments a FHIR Document is submitted in the operation payload.
  2. Remove the Bundle.signature element from the Bundle resource.
  3. Canonicalize the Bundle resource.
  4. Transform the canonicalized Bundle to a base64-url format.
  5. Get the base64 encoded JWS from the Bundle.signature.data element
  6. Base64 decode the encoded JWS
  7. Insert the base64 encoded Bundle into the JWS payload element.
  8. Obtain the public key from the first certificate in the JWS header "x5c" key
    • base64 decode the key value
    • Use the “Subject Public Key Info”
  9. Verify Issuer, Validity Dates, Subject, and KeyUsage of the certificate,
  10. Validate the JWS using the public key or the X.509 Certificate
Step-by-Step Examples

Although self-signed certificates are used for these examples, they are not recommended for production systems.

In these examples, a detached JWS signature is created using a signer’s private key and self-signed certificate. The Bundle.signature element is added to the Bundle with the base64 encoded JWS Signature as the signature.data property value.

FHIR search-set bundle signatures occur when performing direct queries where signatures are required on the returned results. In this case, the digital signature represents a system-level attestation by the sending organization that they are the source of the information.

FHIR document bundle signatures occur when performing Task-based requests or Attachment transactions where signatures are required and the returned results are individual FHIR resources (in other words, not CCDA, CCDA on FHIR, or other binary formats referenced by DocumentReference). In this case, the digital signature represents a practitioner attesting that the information is true and accurate.


  1. MLN Fact Sheet: Complying with Medicare Signature Requirements MLN Fact Sheet https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/Signature_Requirements_Fact_Sheet_ICN905364.pdf 

  2. CMS signature requirements outlined in the Medicare Program Integrity Manual (CMS Pub.100-08), Chapter 3, Section 3.3.2.4. https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/pim83c03.pdf#page=44 

  3. “15 U.S. Code § 7006 - Definitions”, LII / Legal Information Institute”. Law.cornell.edu. Retrieved 2021-10-06. https://www.law.cornell.edu/uscode/text/15/7006#5 

  4. RFC 7515 Jones, M., et. al., “JSON Web Signature (JWS)”, RFC 7515, ISSN: 2070-1721, May 2015, https://tools.ietf.org/html/rfc7515