Da Vinci Clinical Data Exchange (CDex), published by HL7 International / Payer/Provider Information Exchange Work Group. This guide is not an authorized publication; it is the continuous build for version 2.1.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/davinci-ecdx/ and changes regularly. See the Directory of published versions
Page standards status: Trial-use |
This specification does not require signatures but supports the transmission of signatures if business agreements require them.
Data Consumers such as Payers may require signatures from a Data Source to attest to the information being exchanged. For example, for a Centers for Medicare and Medicaid Services (CMS) worker to adequately review a Provider's claim, the submitted information needs to be signed.12 In direct query transactions without human intervention, Data Consumers may require signatures from Data Sources attesting that they supplied the information. To comply with these signature requirements, this page documents how to create and verify FHIR Digital Signatures when using CDex Transactions.
As illustrated in the table below, the signatory depends on the transaction. For synchronous or automated transactions, it is a system-level signature; for asynchronous transactions involving a human, it is a provider signature.
Direct Query | Task Based Query | Attachments | |
---|---|---|---|
System Level | X | X | |
Human Provider | X | X |
System-level and provider signatures represent different levels of attestation:
* Consult with your Payer and your legal team for questions regarding legal liability associated with sharing and signing data.
The data returned in CDEX is not limited to FHIR resources but may also include C-CDA documents, PDFs, text files, and other formats. Depending on the data type and format returned, the signature may be in the actual payload or a FHIR Signature in the Bundle that envelopes the payload. The following table summarizes what artifacts are signed:
Data Type Returned | Location of Signature |
---|---|
Non-FHIR data formats attached to or referenced by DocumentReference (e.g., CCDA) | Referenced or attached data |
FHIR Documents (e.g., CCDA on FHIR, Task-based request*, Unsolicited Attachment*) | Document Bundle |
FHIR Search Bundle (e.g., a query response) | Search Bundle |
FHIR QuestionnaireResponse (e.g., a query response) | QuestionnaireResponse |
Combination of above (e.g., FHIR Search Bundle, FHIR Documents, or binary files referenced by DocumentReference) | Combination of Above |
* A signed FHIR Document is sent for task-based requests and some attachments transactions when the artifact would otherwise, if unsigned, be individual FHIR resources.
The corresponding sections on signatures for Direct Query, Task Based Approach, Sending attachments, Requesting Attachments Using Attachment Codes, and Requesting Attachments Using Questionnaires document how to indicate the signature requirement and how to respond with signed transactions. The sections below define the requirements for using FHIR Signatures to sign a Bundle or QuestionnaireResponse with electronic or digital signatures. Refer to the appropriate specifications for guidance on signing other documents, such as CDA or CCDA on FHIR Documents.
Signatures in CDex are an element in the signed Bundle or QuestionnaireResponse resource. This type of signature is referred to as an enveloped signature. The FHIR Bundle is the envelope for Bundles, and the signature populates the Bundle.signature
element. For QuestionnaireResponse, The envelope can be the resource, individual QuestionnaireResponse.item
elements, or both, and the signature populates the QuestionnaireResponse's signature extension.* The enveloped signatures must avoid including the signature element in calculating the digital signature.
* When using a FHIR Questionnaire to request data, the [DTR SDC Questionnaire] Profile is used to profile the Questionnaire. Both CDex Task Attachment Request Profile and the [DTR SDC Questionnaire] profile have the overlapping capability to indicate that a signature is required. Signers must meet both the Task and Questionnaire signature expectations. The Task's signature input parameter represents the need for a verification signature for the QuestionnaireResponse. The DTR Standard Questionnaire profile supports many reasons for signatures, including verification signatures using the FHIR standard signatureRequired extension at the QuestionnaireResponse resource or QuestionnareiResponse.item
level.
This guide defines three profiles for using signatures:
This Signature DataType profile enforces the various elements of signature documented in the CDex guide. It adds the following mandatory (min=1) constraints:
Signature.type
fixed to ASTM Standard, E1762-95(2013) code = “1.2.840.10065.1.12.1.5” (Verification Signature)Signature.who
for the organization or practitioner who signed the Bundle which is either:
Signature.data
representing the base64 encoded Signature (JWS, image, etc)In addition, the following mandatory (min=1) element is inherited from the base standard:
Signature.when
- a system timestamp when the signature was createdSee the CDex Signature Profile formal definition for further details.
This Bundle profile enforces the various elements of signature documented in the CDex guide to represent an enveloped signature. It adds the following mandatory (min=1) constraint:
Bundle.signature
element using the CDex Signature ProfileSee the CDex Signature Bundle Profile formal definition for further details.
This profile is derived from the US Core QuestionnaireResponse Profile profile and enforces the various elements of signature documented in the CDex guide to represent an enveloped signature. It adds the following constraints:
See the CDex SDC QuestionnaireResponse Profile formal definition for further details.
The term "electronic signature" means an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.3
The various forms of electronic signatures include:
This guide specifies how to implement digital signatures in the following sections. Specific guidance for other electronic signatures is an implementation detail that is out of scope for this guide.
In this example, a Bundle.signature
is added to a FHIR Document. The electronic signature is a JPG Image that represents this handwritten signature:
0 {
1 "resourceType" : "Bundle",
2 "id" : "cdex-electronic-sig-example",
3 "meta" : {
4 "lastUpdated" : "2021-10-25T20:16:29-07:00"
5 },
6 "identifier" : {
7 "system" : "urn:ietf:rfc:3986",
8 "value" : "urn:uuid:c173535e-135e-48e3-ab64-38bacc68dba8"
9 },
10 "type" : "document",
11 "timestamp" : "2021-10-25T20:16:29-07:00",
12 "entry" : [{
13 "fullUrl" : "urn:uuid:17a80a8d-4cf1-4deb-a1fd-2db1130e5f76",
14 "resource" : {
15 "resourceType" : "Composition",
16 "id" : "17a80a8d-4cf1-4deb-a1fd-2db1130e5f76",
17 "text" : {
18 "status" : "generated",
19 "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><a name=\"Composition_17a80a8d-4cf1-4deb-a1fd-2db1130e5f76\"> </a><p class=\"res-header-id\"><b>Generated Narrative: Composition 17a80a8d-4cf1-4deb-a1fd-2db1130e5f76</b></p><a name=\"17a80a8d-4cf1-4deb-a1fd-2db1130e5f76\"> </a><a name=\"hc17a80a8d-4cf1-4deb-a1fd-2db1130e5f76\"> </a><a name=\"17a80a8d-4cf1-4deb-a1fd-2db1130e5f76-en-US\"> </a><p><b>status</b>: Final</p><p><b>type</b>: <span title=\"Codes:{http://loinc.org 11503-0}\">Medical records</span></p><p><b>encounter</b>: <a href=\"Bundle-cdex-document-digital-sig-example.html#urn-uuid-5ce5c83a-000f-47d2-941c-039358cc9112\">Example Encounter</a></p><p><b>date</b>: 2021-10-25 20:16:29-0700</p><p><b>author</b>: <a href=\"Bundle-cdex-document-digital-sig-example.html#urn-uuid-0820c16d-91de-4dfa-a3a6-f140a516a9bc\">Example Practitioner</a></p><p><b>title</b>: Active Conditions</p><h3>Attesters</h3><table class=\"grid\"><tr><td style=\"display: none\">-</td><td><b>Mode</b></td><td><b>Time</b></td><td><b>Party</b></td></tr><tr><td style=\"display: none\">*</td><td>Legal</td><td>2021-10-25 20:16:29-0700</td><td><a href=\"Bundle-cdex-document-digital-sig-example.html#urn-uuid-0820c16d-91de-4dfa-a3a6-f140a516a9bc\">Example Practitioner</a></td></tr></table></div>"
20 },
21 "status" : "final",
22 "type" : {
23 "coding" : [{
24 "system" : "http://loinc.org",
25 "code" : "11503-0"
26 }],
27 "text" : "Medical records"
28 },
29 "subject" : {
30 "reference" : "urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece",
31 "display" : "Example Patient"
32 },
33 "encounter" : {
34 "reference" : "urn:uuid:5ce5c83a-000f-47d2-941c-039358cc9112",
35 "display" : "Example Encounter"
36 },
37 "date" : "2021-10-25T20:16:29-07:00",
38 "author" : [{
39 "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
40 "display" : "Example Practitioner"
41 }],
42 "title" : "Active Conditions",
43 "attester" : [{
44 "mode" : "legal",
45 "time" : "2021-10-25T20:16:29-07:00",
46 "party" : {
47 "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
48 "display" : "Example Practitioner"
49 }
50 }],
51 "section" : [{
52 "title" : "Active Condition 1",
53 "entry" : [{
54 "reference" : "urn:uuid:014a68ec-d691-49e0-b980-91b0d924e570"
55 }]
56 }]
57 }
58 },
59 {
60 "fullUrl" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
61 "resource" : {
62 "resourceType" : "Practitioner",
63 "id" : "0820c16d-91de-4dfa-a3a6-f140a516a9bc",
64 "meta" : {
65 "lastUpdated" : "2013-05-05T16:13:03Z"
66 },
67 "text" : {
68 "status" : "generated",
69 "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><a name=\"Practitioner_0820c16d-91de-4dfa-a3a6-f140a516a9bc\"> </a><p class=\"res-header-id\"><b>Generated Narrative: Practitioner 0820c16d-91de-4dfa-a3a6-f140a516a9bc</b></p><a name=\"0820c16d-91de-4dfa-a3a6-f140a516a9bc\"> </a><a name=\"hc0820c16d-91de-4dfa-a3a6-f140a516a9bc\"> </a><a name=\"0820c16d-91de-4dfa-a3a6-f140a516a9bc-en-US\"> </a><div style=\"display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%\"><p style=\"margin-bottom: 0px\">Last updated: 2013-05-05 16:13:03+0000</p></div><p><b>identifier</b>: <a href=\"http://terminology.hl7.org/5.3.0/NamingSystem-npi.html\" title=\"National Provider Identifier\">United States National Provider Identifier</a>/9941339100</p><p><b>name</b>: John Hancock </p></div>"
70 },
71 "identifier" : [{
72 "system" : "http://hl7.org/fhir/sid/us-npi",
73 "value" : "9941339100"
74 }],
75 "name" : [{
76 "family" : "Hancock",
77 "given" : ["John"]
78 }]
79 }
80 },
81 {
82 "fullUrl" : "urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece",
83 "resource" : {
84 "resourceType" : "Patient",
85 "id" : "970af6c9-5bbd-4067-b6c1-d9b2c823aece",
86 "text" : {
87 "status" : "generated",
88 "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><a name=\"Patient_970af6c9-5bbd-4067-b6c1-d9b2c823aece\"> </a><p class=\"res-header-id\"><b>Generated Narrative: Patient 970af6c9-5bbd-4067-b6c1-d9b2c823aece</b></p><a name=\"970af6c9-5bbd-4067-b6c1-d9b2c823aece\"> </a><a name=\"hc970af6c9-5bbd-4067-b6c1-d9b2c823aece\"> </a><a name=\"970af6c9-5bbd-4067-b6c1-d9b2c823aece-en-US\"> </a><p style=\"border: 1px #661aff solid; background-color: #e6e6ff; padding: 10px;\">CDEX Example Patient Male, DoB Unknown ( Member Number)</p><hr/><table class=\"grid\"><tr><td style=\"background-color: #f3f5da\" title=\"Record is active\">Active:</td><td colspan=\"3\">true</td></tr></table></div>"
89 },
90 "identifier" : [{
91 "type" : {
92 "coding" : [{
93 "system" : "http://terminology.hl7.org/CodeSystem/v2-0203",
94 "code" : "MB"
95 }]
96 },
97 "system" : "http://example.org/cdex/payer/member-ids",
98 "value" : "Member123"
99 }],
100 "active" : true,
101 "name" : [{
102 "text" : "CDEX Example Patient",
103 "family" : "Patient",
104 "given" : ["CDEX Example"]
105 }],
106 "gender" : "male"
107 }
108 },
109 {
110 "fullUrl" : "urn:uuid:014a68ec-d691-49e0-b980-91b0d924e570",
111 "resource" : {
112 "resourceType" : "Condition",
113 "id" : "014a68ec-d691-49e0-b980-91b0d924e570",
114 "text" : {
115 "status" : "generated",
116 "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><a name=\"Condition_014a68ec-d691-49e0-b980-91b0d924e570\"> </a><p class=\"res-header-id\"><b>Generated Narrative: Condition 014a68ec-d691-49e0-b980-91b0d924e570</b></p><a name=\"014a68ec-d691-49e0-b980-91b0d924e570\"> </a><a name=\"hc014a68ec-d691-49e0-b980-91b0d924e570\"> </a><a name=\"014a68ec-d691-49e0-b980-91b0d924e570-en-US\"> </a><p><b>identifier</b>: <code>urn:oid:1.3.6.1.4.1.22812.4.111.0.4.1.2.1</code>/1</p><p><b>clinicalStatus</b>: <span title=\"Codes:{http://terminology.hl7.org/CodeSystem/condition-clinical active}\">Active</span></p><p><b>category</b>: <span title=\"Codes:{http://terminology.hl7.org/CodeSystem/condition-category problem-list-item}\">Problem List Item</span></p><p><b>code</b>: <span title=\"Codes:{http://snomed.info/sct 44054006}\">Type 2 Diabetes Mellitus</span></p><p><b>subject</b>: <a href=\"Bundle-cdex-document-digital-sig-example.html#urn-uuid-970af6c9-5bbd-4067-b6c1-d9b2c823aece\">Bundle: identifier = UUID:c173535e-135e-48e3-ab64-38bacc68dba8; type = document; timestamp = 2021-10-25 20:16:29-0700</a></p><p><b>onset</b>: 2006</p><p><b>asserter</b>: <a href=\"Bundle-cdex-document-digital-sig-example.html#urn-uuid-0820c16d-91de-4dfa-a3a6-f140a516a9bc\">Bundle: identifier = UUID:c173535e-135e-48e3-ab64-38bacc68dba8; type = document; timestamp = 2021-10-25 20:16:29-0700</a></p></div>"
117 },
118 "identifier" : [{
119 "system" : "urn:oid:1.3.6.1.4.1.22812.4.111.0.4.1.2.1",
120 "value" : "1"
121 }],
122 "clinicalStatus" : {
123 "coding" : [{
124 "system" : "http://terminology.hl7.org/CodeSystem/condition-clinical",
125 "code" : "active"
126 }]
127 },
128 "category" : [{
129 "coding" : [{
130 "system" : "http://terminology.hl7.org/CodeSystem/condition-category",
131 "code" : "problem-list-item",
132 "display" : "Problem List Item"
133 }],
134 "text" : "Problem List Item"
135 }],
136 "code" : {
137 "coding" : [{
138 "system" : "http://snomed.info/sct",
139 "code" : "44054006",
140 "display" : "Type 2 Diabetes Mellitus"
141 }]
142 },
143 "subject" : {
144 "reference" : "urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece"
145 },
146 "onsetDateTime" : "2006",
147 "asserter" : {
148 "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc"
149 }
150 }
151 },
152 {
153 "fullUrl" : "urn:uuid:5ce5c83a-000f-47d2-941c-039358cc9112",
154 "resource" : {
155 "resourceType" : "Encounter",
156 "id" : "5ce5c83a-000f-47d2-941c-039358cc9112",
157 "text" : {
158 "status" : "generated",
159 "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><a name=\"Encounter_5ce5c83a-000f-47d2-941c-039358cc9112\"> </a><p class=\"res-header-id\"><b>Generated Narrative: Encounter 5ce5c83a-000f-47d2-941c-039358cc9112</b></p><a name=\"5ce5c83a-000f-47d2-941c-039358cc9112\"> </a><a name=\"hc5ce5c83a-000f-47d2-941c-039358cc9112\"> </a><a name=\"5ce5c83a-000f-47d2-941c-039358cc9112-en-US\"> </a><p><b>status</b>: Finished</p><p><b>class</b>: <a href=\"http://terminology.hl7.org/5.5.0/CodeSystem-v3-ActCode.html#v3-ActCode-EMER\">ActCode EMER</a>: emergency</p><p><b>type</b>: <span title=\"Codes:{http://snomed.info/sct 261665006}\">Unknown (qualifier value)</span></p><p><b>subject</b>: <a href=\"Bundle-cdex-document-digital-sig-example.html#urn-uuid-970af6c9-5bbd-4067-b6c1-d9b2c823aece\">CDEX Example Patient</a></p><h3>Participants</h3><table class=\"grid\"><tr><td style=\"display: none\">-</td><td><b>Individual</b></td></tr><tr><td style=\"display: none\">*</td><td><a href=\"Bundle-cdex-document-digital-sig-example.html#urn-uuid-0820c16d-91de-4dfa-a3a6-f140a516a9bc\">John Hancock</a></td></tr></table><p><b>period</b>: 2021-10-25 20:10:29-0700 --> 2021-10-25 20:16:29-0700</p><p><b>serviceProvider</b>: <a href=\"Bundle-cdex-document-digital-sig-example.html#urn-uuid-e37f004b-dc10-422b-b833-cdaa10a055a3\">CDEX Example Organization</a></p></div>"
160 },
161 "status" : "finished",
162 "class" : {
163 "system" : "http://terminology.hl7.org/CodeSystem/v3-ActCode",
164 "code" : "EMER"
165 },
166 "type" : [{
167 "coding" : [{
168 "system" : "http://snomed.info/sct",
169 "code" : "261665006",
170 "display" : "Unknown (qualifier value)"
171 }],
172 "text" : "Unknown (qualifier value)"
173 }],
174 "subject" : {
175 "reference" : "urn:uuid:970af6c9-5bbd-4067-b6c1-d9b2c823aece",
176 "display" : "CDEX Example Patient"
177 },
178 "participant" : [{
179 "individual" : {
180 "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
181 "display" : "John Hancock"
182 }
183 }],
184 "period" : {
185 "start" : "2021-10-25T20:10:29-07:00",
186 "end" : "2021-10-25T20:16:29-07:00"
187 },
188 "serviceProvider" : {
189 "reference" : "urn:uuid:e37f004b-dc10-422b-b833-cdaa10a055a3",
190 "display" : "CDEX Example Organization"
191 }
192 }
193 },
194 {
195 "fullUrl" : "urn:uuid:e37f004b-dc10-422b-b833-cdaa10a055a3",
196 "resource" : {
197 "resourceType" : "Organization",
198 "id" : "e37f004b-dc10-422b-b833-cdaa10a055a3",
199 "text" : {
200 "status" : "generated",
201 "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><a name=\"Organization_e37f004b-dc10-422b-b833-cdaa10a055a3\"> </a><p class=\"res-header-id\"><b>Generated Narrative: Organization e37f004b-dc10-422b-b833-cdaa10a055a3</b></p><a name=\"e37f004b-dc10-422b-b833-cdaa10a055a3\"> </a><a name=\"hce37f004b-dc10-422b-b833-cdaa10a055a3\"> </a><a name=\"e37f004b-dc10-422b-b833-cdaa10a055a3-en-US\"> </a><p><b>identifier</b>: <a href=\"http://terminology.hl7.org/5.3.0/NamingSystem-npi.html\" title=\"National Provider Identifier\">United States National Provider Identifier</a>/1234567893</p><p><b>active</b>: true</p><p><b>name</b>: CDEX Example Organization</p><p><b>telecom</b>: ph: (+1) 555-555-5555, <a href=\"mailto:customer-service@example.org\">customer-service@example.org</a></p><p><b>address</b>: 1 CDEX Lane Boston MA 01002 USA </p></div>"
202 },
203 "identifier" : [{
204 "system" : "http://hl7.org/fhir/sid/us-npi",
205 "value" : "1234567893"
206 }],
207 "active" : true,
208 "name" : "CDEX Example Organization",
209 "telecom" : [{
210 "system" : "phone",
211 "value" : "(+1) 555-555-5555"
212 },
213 {
214 "system" : "email",
215 "value" : "customer-service@example.org"
216 }],
217 "address" : [{
218 "line" : ["1 CDEX Lane"],
219 "city" : "Boston",
220 "state" : "MA",
221 "postalCode" : "01002",
222 "country" : "USA"
223 }]
224 }
225 }],
226 "signature" : {
227 "type" : [{
228 "system" : "urn:iso-astm:E1762-95:2013",
229 "code" : "1.2.840.10065.1.12.1.5",
230 "display" : "Verification Signature"
231 }],
232 "when" : "2021-10-05T22:42:19-07:00",
233 "who" : {
234 "reference" : "urn:uuid:0820c16d-91de-4dfa-a3a6-f140a516a9bc",
235 "display" : "CDEX Example Practitioner"
236 },
237 "onBehalfOf" : {
238 "reference" : "urn:uuid:e37f004b-dc10-422b-b833-cdaa10a055a3",
239 "display" : "CDEX Example Organization"
240 },
241 "sigFormat" : "image/jpg",
242 "data" : "/9j/4AAQSkZJRgABAQAAKwArAAD/4QEGRXhpZgAATU0AKgAAAAgABwESAAMAAAABAAEAAAEaAAUAAAABAAAAYgEbAAUAAAABAAAAagEoAAMAAAABAAIAAAExAAIAAAARAAAAcoKYAAIAAABPAAAAhIdpAAQAAAABAAAA1AAAAAAAAAArAAAAAQAAACsAAAABd3d3Lmlua3NjYXBlLm9yZwAAQ0MwIFB1YmxpYyBEb21haW4gRGVkaWNhdGlvbiBodHRwOi8vY3JlYXRpdmVjb21tb25zLm9yZy9wdWJsaWNkb21haW4vemVyby8xLjAvAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAABkKADAAQAAAABAAAAfgAAAAD/7QCaUGhvdG9zaG9wIDMuMAA4QklNBAQAAAAAAGIcAVoAAxslRxwCAAACAAIcAnQATkNDMCBQdWJsaWMgRG9tYWluIERlZGljYXRpb24gaHR0cDovL2NyZWF0aXZlY29tbW9ucy5vcmcvcHVibGljZG9tYWluL3plcm8vMS4wLzhCSU0EJQAAAAAAEPRn0I1gKCCiMRUck2ip0t//wAARCAB+AZADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9sAQwACAgICAgIDAgIDBAMDAwQFBAQEBAUHBQUFBQUHCAcHBwcHBwgICAgICAgICgoKCgoKCwsLCwsNDQ0NDQ0NDQ0N/9sAQwECAgIDAwMGAwMGDQkHCQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0N/90ABAAZ/9oADAMBAAIRAxEAPwD9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0P38ooooAKKKKACiiigAooooAKKKKACiiigAooooAK+VPAP7XHgH4i/tL+NP2YdD07Uk13wRpzaheajMsQsZvKktopo4sOZd0b3cYyyAEh8cAFu7/aM+Ovhb9nH4Q698VvFREkemQ+XY2YbbJf6hNlba1j75kf7xAOxAzkYU1+SPwR/4JpfGzxxdt+0j8SPi5rvw6+IPjaW41i/s/DsD217arqMn2jypblbmNlJ+UtAI9seAhJK8AH7vVzHjDxr4Q+H2gXPirx1rVh4f0ezAM99qVxHa26Z6AvIyruY8KucseACa/K749+EtW/Zo8GWt140/ab+Kmsa3qrfY/D/h3SmsZdY1q9bCpFbobaWUjcwDyMSFyBy5VW87+EP/AATm+L3x7sbDxv8At3+P/E+qomZ9M8HnVGnks1k73c5DRRyMvDx26K3TdIDlFAPt3wb/AMFFP2TPiD8T9K+E3gzxdLqms61cfY7KWPTruOyluSCViE0sSDLkYVsbCcfNyK+36+Z/hB+x1+zR8CL+LWfhh4C03TNWgUrHqc/m39+m8YYpcXbzSx7hkHYygg46cV9LMyopdyFVQSSTgADuaAHV+efx8/b98OfDz4t6N+zt8HdAf4j/ABM1bUILCext7jyLDTGlILC5uFSUmSNMvIiriJAzSOm3afnf9pH9sj4rfH/xtc/su/sFxS6tqRJg8R+N7Rttnp8TEpIttd4KRIvIa6HzEjbbhn2tX1N+xt+wj8O/2UtMbX7iUeJ/iJqcRGqeI7lOU8z5pILNWyYoSfvOT5kp5cgbUQA+7qKKKACsvW9Z07w5ot/4h1iYW9hpdrNeXUzdI4LdDJIx9lVSas399aaXY3Op6hKsFraRPPPK33UijUs7H2Cgk1/Od+0H/wAFG/jN+1ovin9n39l3wBeXWha5ZzWk11BbT3uu3WmqwE8gigPlWsMyHy3DrIdj43KzAAA7v4Hf8FSdc+JH7XF3qfxF8T2PgP4Nx6dfx2mlXsMZ3FMC1kmnWN5TdyMQzBXEaqCoBxub9C/EX/BTf9iXw7A8j/EaLUZVB2wadpuoXLuR2DLbCMf8CcD3r4k/Zi+Ln/BPL4c2ekfBX4mfCtvhv41hSGC9m+I2gRXFxc3cgAMkl/NE7RRu2SPNjt4UHChRXqHj3WtM/a08cav+yx+yFaaV4Y8B6eBF8SfH2i2MEMLW0uVOlaa8Kqsz3AVlkcHa6hgCYg3mAHMa9/wVO+IHxk19vAH7Evwm1PxZrJGW1HXIsQQITt8x7a3mCxxk/dlnuolBwCpzivqvxj+2hb/ss/BzwXqv7YkMMXxI19ZRc6B4ORLxyElYCZVmuI41RIzGJT5xUylhEXA46zxVrP7PH/BOb9nee/0jTINK0jT1ENnYwlf7R17VWQ7FeUjfNPLtJkkbIjjBIARQo+TP2S/2U/HPxs+JJ/bd/a/txc+I9VaO88J+F50P2bSLRfmtZZIXztMakG3hbJQkzSZmb5AD9Y/CfiKLxd4X0nxTBZXumxavZwXqWepQ/Zr2BZ0DiOeHJ8uVQcMuTtPFdDRRQAUUUUAFFFFABRRRQAUUUUAFFFc54u8X+GPAPhrUfGPjPU7bRtE0mBrm9vruQRwwxL3YnuTgKBksxAAJIBAOiZlRS7kBVGSTwABX5tfHX/gqf+y/8F9Wl8NaXe3nj3WLd/LuIvDaxTWluwPzB7yWSOFmHTEJlweG2nOPyP8A22/+CkXjz9pLVJ/hN8Dxf6J4DuJfsZW3V11XxCznYBKI8vHbyE4S2X5nB/e5JEae/fsXf8ElLzVfsHxL/apgks7M7Liy8Go5S4mHVW1KRCDEuOfs6ESdpGQhoyAft18CPjT4W/aE+FeifFzwZbahZ6TriTGGDU4BBco0ErwyBlVnRgHRsMjsrDoeoHr1Z+k6Tpeg6XaaJodnBp+nWEKW1raWsawwQQxKFSOONAFRFUABQAAK0KACiiigAooooA//0f38ooooAKKKKACiiigAooooAKKKKACiiigAqveXdpp9pPf380dtbW0bzTTTOEjijjBZndmICqoBJJOAOTVivzu+LOr6z+2L8QdQ/Zu+Ht5PZfC/wzdLF8TfE1o5Q6hOhDf8I5YSr1duDfSKf3a/uyckpIAcj4B0e6/bq+ONp8ePE1vIPgl8Nb6WLwDptwpSPxHrMD7ZtamjYDdbwuu23DDkr/CRMjfQf7Vv7W3hr9m/R7DQ9Lsn8V/EnxSwtfC3hOyy91e3EreWksyplo7cScZxukYFEyQxXzH9pv8AbX+CX7JPwyi8LfDebRtd8WW8KaP4d8JaRPHMlo8SiOM3UduxaC3hwBsO15CAifxMnw3+x98Jv20B8TvEf7RfxH+FUOs/ETxJhNO8R+O9aXSrXSLeRSJRFpkFvc3qsykRqBHEI4R5aYDOCAfoT+zN+y5rnhrXZv2hP2jL5PF3xo8QRAzXUmJLLw5auDt07S05SJY1YrJIn3iWCnaWaT6Z+KHxm+FXwV0aPX/it4p0zwxZTs0cD6hOsb3DqMssMXMkrAckRqxA5r86P2qPiL+078KPA/2/xv8AGnQ/DXifXybDwz4Q8AeFP7Q1PV7+TCRRQzaldTTBA7KJJUhTbkbfnZEb88rH4Q+DvFPw4k+Jnxq8T6h8a/jFd+O9E8AXum3OoXkll4VvNSuDhHb5ResgR0Hlu1kZT5aCQKWYA/WOz/b+0/4q31xof7J3w48S/Fm6gcxyasYhoPhyBv8AptqF8AysB82zydzAfLXw1Y+LP2zf2/8A4seIvglc+KNH8K/Crw9ci08W6r4G817KdSBvsIb+4UTXk7fNG4QrbEBnKvHsEnTfta/theHPFOoy/shfsz6xp3hDwjpsLQeNPGGnRrHY6XpkbCOay0yK2A82R2YQhYBumldYIvvMw+bPixqXxIuvDfhj9jX4DadqXg46z5aaT4D06VY9cltpsSS6x4xvY+IZrmMGUaerKsMZ8y4YLHFG4B/Qd8IPgx8NfgR4LtPAPwu0S30XSbUAsIlzNcy4Aaa4lPzzTNjl3JPQDCgAehz6pplte22mXN3BFeXm/wCzW7yqss3ljc/loTufaoycA4HJr5M8Ax+Gf2F/2T9KtvjJ4xm1O18HWDfbtUupGmluLqd2kFpZo53uod/Jto+uxRnaAcfg/wDA64/an/a0/bM1D9p74UQjTotK1a7uU1vxIzzaNoOmSRywx2jsCglaK1lIEMOCSd7bVLPQB/VASAQCcZOB7nrS1/PZ8F7TxJ+0j+394c1LwN498UePfCnwmJ1LxF4t1W6I0+91L98rDTLOLba2drcyMIIYYhl4Elk3OvJ/ZD9of9oXw58AfDNrczWVx4i8WeIJjYeF/C2nDfqOtagQNscSKGKxJkGaYqVjX1YqrAHl/wC3J8cY/hb8ILzwP4YgfWPiJ8SYp/DPhPRLUb7u5ur5DBJcBAciK2STeWPy79ikjdkfEn7A1z4H/Yj8O6t8OP2jvCup/DbxxrGovJdeKtVtjPoGp2seBbRQ6vb+bawpCpYskjooZixfLBV+z/2bf2cPF+leL779pL9pG8g174veIYPJihh+fTvCumtkrpunAlgCAxE0wJLEsAzbpJJfz/8A+Cmv/BQ3T9M0zWP2a/gdqEd3qF7HNp/izW7dg8VrC4KTafbOMhpnBKXEgyIlzGP3hYxgHiX/AAVa/ak+GHxv8S+HfgT8MYtI1y50DUVlvvFu+IxRXE6mIWVreZ2C3G8Pcvu8veqDP7tjXsH7Dv7T3wt/Y0+EvxX+EXxk1fRBq3w88QNc2r6BKlzL4l+3oEAsifLN00bwhTIwQRxOnmbApNdZ/wAEqP2LNK8LeCJ/2iPjFoMT6x4giZPD1pq1urLZaQVBa88uUYWS7ydjEZECgqdsprwH4Ofsv+CP23/22fiD8XtH0W00z4IeGtcSNYrCBbWz1q4soooUhgWNVUR3RiN1csoDbJQDh5QwAPpb4J+Er79sH4k6X+15+2Bd6doHhKyLSfDfwHqF3HFbfZg4K39wkxTzldlDBio+0MoYgQLEjfpR8a/2pPgN+z1o1nrXxW8W2elJqSeZp9tEHvLy8T+/Db26ySNH28zAjBIywzXyl+2vqX7LXwYtbTWL/wCEnhTx78XPFvk6b4V0KTRLW9vNQuI1W3geZPKZzbQAIg4y2FiTHVfzO+MP7FPgj4Efs4eKPjz+1lq/2r4o+KYZIPDfhnR3istP03U7zLRRRxW4VJfsgJkkSLZbRopjUPlGYA/cDUf2w/gJpn7Ptv8AtN3Gvt/wg16GSzn+zyJd3Vysz25toraQJI0/mxOu3GAFZyfLBetDxN+1Z8GPCnwIs/2itU1cjwpqWmRapYIFVb+7jlKARQ28joXmVnCugPynOSAM1/PZ8APhTqnxA+Evhb4sftf63e6f8CPh+XsfB3hW1j8q78T6jPM8htrC2hCPM1xOzCWfmSTlFdUV3j9M/af8cXPg06J4z+N+jWI8Ym3CfCv4LW0aSaR4M02QLHBqGsW0ahJ7ttimO1K7XkGHXYpijAPs7wB/wV48IfEn44eH/hdoPw51Kx0LW7sQS65q2pQ2k9nblDK11NaLFJEsMUSmWRjdcRgtnjB6bxB/wVK8Ln9pXwT8GfAfhO51zwv4m1C009/Ebs8L3P2+f7NFc2FtsLS2qSfN5r485AxjXbtd/wAjNS+C9h+z9o9r8Zv2qIZPF/xf8bytqHhj4c3RaeaSe6c7dS8QhT5hjMpylkuGmcCNzjzUj/QP4NfDfwT+w/4Su/20f21L86n8W/EyyPo+iny5L20aWMKLa1hG1BcmIqkjKFhtIcRLtGdwB+z/AI/+IXgn4WeFL/xz8Q9ZtNB0LTU8y5vbx9ka+iqOWd2PCIgZ3bAUEkCvz2+BH/BTbwN+0T+0na/A34f+EdR/sS9tb6W38RXk6xSSSWUTTZNkI2McLqjBXaYPkrlFJIHg/wAKPgH8Wf8Agob4nsf2if2t2uNF+GMUn2jwd4AtZpIYri2P3bicja4jkXrLhZrgHKGKDyw3ovx4/a2/Y+/ZKvvsH7Pngzwr4l+K9zaDRrC08KWFqot0dlCQ3l5ZpvK71X/Ro2aV2ABCAhwAfeH7RP7Svwr/AGYfA0njb4m6j5Pm7o9O0y32yahqVwoz5VtESu7GRvdiI0BBZhkZ/n8v/wDgrj8etf8Aj54c8SX8yeEvhzput239p+G9OtYbu4m0oTKt0s006CSW58jeF2NCgfBCqRmudt9O/aE+NPxse61EN48/aG1ZQIbclW0T4cWGf9dc43QQ30O793CMizc7n8y+YJF+tvwP/Yi/Zt/Yt+H2ofFv4vyWPiXxFpdq2o634p1yETw2jjlhYQSB9hLnajYa4mdsA/MIwAeh+Cv+Chfwk+JepafZfDjwh8QvEtpezRRS6rY+HJBpljHIwDT3d1NLFHFDEDukfJwoJGa+WP2jv+CjHj3xr4pu/gf+wXoVx438SQK41DxNZWZv7a1CHaxsoyGikCtwbmYGDPCLJuDjwTUPip+0f/wVK8cah8Pfho8/w3+A+kTbNZ1Aja89svIW7dWAnnkT5ls42EMYIaVm2q59f1D9tr9ij9gjwhN8Hv2cNIfxxrVoMXt3p8kf2a7vkBBkv9VIPnvk9LeOSNBlF8sDaAD239lr46/Hr4MfALxb48/4KDTzaDbaTqCNol/qptV1O/jmjYvaJa2uHeRZEzEGXewdv+WceR+PP7RP7UvxP/4KBfEZfCltreifD/4eaZN5tjYeIdattKs40zsF5fSSyK13c4PEcCSmJSRGh+d3n8T+KPEf7WmuN8fP21vH8XgzwBpyNJo3hzTWU6pfxMf+PfQ9Ld2cJKV2yahcAx7gMu4QiP334Pf8E8/FP7VHj3TfH3iTwLF8FPg5p0MMOmaQqn+39VskYurTSSgzyTz7syXdxjClRCjIBtAP1A/Yx/YA+DH7NGk2HjSCW38a+Nby2Sb/AISaVVeCFJkBxpkYLLFEyn/W5aWRSfmCNsH6F1l6HomleGtE0/w5oVsllpulWsNlZ20f3Ibe3QRxRrnJ2oigD2FalABRRRQAUUUUAFFFFAH/0v38ooooAKKKKACiiigAooooAKKKzdY1nSPD2l3Wua/fW2m6dYxNNdXl5KkFvBEnLPJI5VEUDqSQBQBpVyHjjx/4I+Gfh648WfEHXdP8O6Paj97e6jcJbwg4JCguRudsfKi5ZjwATXxTeftd+OPjlrNz4K/Ys8ML4ljgka3v/iF4gSaz8J6ewOG+z8LPqMynokQVc7WyyEmtHw7+wP4D13xDF8QP2mfEGqfGzxcmWSTxARDodmWwSllpEJ+zxRHuj+Yp64BoA8D8X/tjfFT9sBdZ+EP7B2g3iQEtZaz8SNbB07TtNgkGCbMYeYzSqfkYoJ0GWWHOJE+ZPjp8L/h/+xB8CtJ8PfGz4k698RvEb2lxB4a8A6Vdv4e8PPJMzPNdX9vYPHc3MKSsTJPNMJLg/Jjlin6IftW/tT/CD9gf4Y2OieFPDunQ63qqXH/CN+FtJtorCyVlI8y5nS3VEht1dxnaoeVvlX+N0/G/9kH9nD4l/wDBQr446l8f/wBoC7ub/wAH2F8smqXMuY11O4jw0el2YGBHbxqV83y8COMhVw7hgAe+f8Epf2IP7Uu7X9qn4r6Yq2sUhk8GaZcR/LJKDzqbI38EZ+W1z1bMo+7Ex/Xj9qr9qDwL+yp8MLnx74tYXmoXBa20PRo3C3Gp32MrGvBKxJkNNLghF7FmRW9W8eeNvBHwT+G2q+N/ErxaR4Y8J6cZ5VgjCrFb26hY4YYlwNzHbHFGuMsVUdRX8tSfF79oz9uD9rePx54D8MrrWrWjND4YsbyNrjSPCttkiC8uCR5O+3OZzJKCslyFOxwEhIB9R6JoXxx+IPxNGr6jcjVf2ofiZaB4VZWFj8KfB9wvNzIvzfZb6WCTbBF/rokk3H/SJfnwvj34h8O2XhOx/wCCaf7E+g/8JrqU97HP4v8AECRxyz3+r2kiSysszHy42jkiUz3BcJAiCFWwGNfUXx3+D3xu/ZZ+AmnfCT9mTQPEXjn4k/Fy9uX8d/ECytprq+MihDIZLkbvsiztOyQPLIBHGsrbvNYyD6n/AOCfn7FNn+yZ8Pri/wDE5t774heJ1jk1m7iAdLKFfmjsIJMZKIx3SsMCSTnlUTAB+SMXwYj/AGOtY8NfDjwHpVl48/at8ZQwpYW9opu9N8FwypxdIs5ZJNRdQ0nnSbYoFDShUiCmb9FNE+Cmm/8ABPX9l/xx8cNS1201f4v3lvFqWs+JNWYz/wBoXrXEcp0q3eYGUxXLboi/+tldvObbtQR9d+zF+w/8UPhJ+0145/aR+J3j6y8Q33ieTUYYrW0s98k1teTLJE009wu62MSRooht8qAoXzCi7Wyf2t/2J/jj+178ZdFTxd430rQ/g1oTRyQaRp5uH1aSUoPtEzxvCLY3Eh3RxyNIywx9I2JcOAfCvwis/HP/AAVo+Nt54o+M2tweH/hn4FeOW38G6Zej7Q/nZ2oq8SHeBi4vWRTyI4Qmf3frXxf+It/+074ztv8Agn1+w7HZ+Gvh5osTReMPEenR7LFLGFws8MBjIMkG87XYNuvJm27hFvkk/Qjxb/wT9/ZW8U+ANP8AAVt4Mt/D/wDY9o1ppus6IxstZttykF2vE/eXDMSWYXHmqxJJUk18wfBT/gmH40/Z7j1q8+Evx/1vw7q+tbIp7i10GyktpIIWdoVlt7iWbeybz86yJnJwBmgD9AP2fP2fPhz+zT8OLL4bfDezMNrCfOvLybDXeo3bACS5uHAG52wAAAFRQFUBQBXE3Hg/4RfA3xV4j/aL+NHiy0k8Qam00EOveIJorWLStJDs0Gl6ZEzYijVCPM8vdNcylncksEXwTVf2Nf2n/EVs0HiH9rTxf864ZtK0e20g/gbW5Vl/Bs+9fCfxC/4J5fs2SazJefGH9raK41dG2Sya9qenm8HP3Sbq+eTOfWgDlv22f+CsN343sL/4W/sxyXWl6Ncq9vqHiuRWt727ibKtHYRnD20bDrM4WYg4VY8bm+Yv+Ccf7Ft/+038So/GnjOzcfDfwndRzak8qkJqt4mHj0+Mn7ynhrgj7sRC5DSKa+s/Bn/BOP8AYK8S6vb6fZ/tK2euzSSBRZadq+ixXM3P3UUtMxJ6ZCGv3Z8EfC/wv8LfhtafDH4WW0XhzS9LsXtNN8qMTeRI6nE7hzmaQyHzHLnMjEljyaAPz3/bX+OetfETxHZfsHfs53HmeOfGOy18S6ja/wDHt4d0IqGuRMyfdeSD76jlYTtH7yWMV7P4/wDHfwW/4Jt/su6dptjCrwaRbmx0TTAypea5qzqXkkkYDgySEy3EuNsanCj/AFaHov2TP2NvB37Ldprmr/2vc+MfHPiq4efXfFWoxeVdXW9zJ5caeZKYoy5MjgyO0kh3OxCoE+cP2uv+CePjj9rr476f418UfEWLR/AulafBZ2WlW9m897b4O+58vc6wB535Mx3EKEUowQZAPj79mP4h3cXjC8/am+KUB+Jn7QPxDtp5fB3hS1lSODw74fUFW1C+nkLQ6TZFOEeQ7hb/ADLvMzsPjvTPHep/tf8A7TV54t/aG1efx5a6Fcm20Lwh4VSUHX5TK4ttP0qFwr21hJ5ZmuruYK6QLmRhK6Y/ov8Ah7+xZ+z18M/hDrPwV8M+Hnj0PxLaGz127NzLHquqxsMN9ovYGimwef3aFIgGZVQKzA73wO/ZK/Z7/Zxlu7z4Q+ELbR7++QRXGoSzT3t68ec+WJ7qSWRIyQCyIVRiASCQKAPzW+Mfj+9/Za03Tvix8brDSfE3x51mI6b8Lvh/o4a40TwXpzKkMYt7dFUNKjYSWdV3zuqwQMsauw6X4Q/s03X7Nvwx8Xftx/tH6dc/EP43HTbnxF9juR9oGl3DJmGGNVBVZ1yommVdttGCkICoWf8AUSL4N/DGP4nXPxmfw/az+Nbm0hsP7YuN09xBawBgsVv5jMtup3Nv8lULkneWr02gD+Z39i648TfFD4l+I/2sfGXhrVvi18XL/Umg8K6KlrLDpOn3OxP+Jnf38qCzs7S2VlhtUDtIuxikZZUdeh+Lv7I37bvir9p/Rvip+0L4PHxi0KG9jmey8Manbw6abWEmSLT4or0wyWtt5m0Sl4vnUuS7uSx/pBooA/O3xL8Bv2h/2j9AuLr49X9p4P8AD9tbTS6T8MvC9/IkF1cJGwt49d1mHZJPFuIV4bRY4sYYMWFfmt+y/wD8Evf2rNC16/vvF+qaT8M7a8QW02q2jw6r4iitju81NMeFnhs2nU7HnEqzKvyqCrSI/wDR3RQB4n8B/wBnr4V/s3+C08EfCzSVsbZiJb28mIlv9QuAMGa7nwGkc5OBwiA4RVXivzH/AOCuHhb9pv4mR+Avhj8J/C2qa94N1KWW5vzo8L3DzatESIYrsIP3UEMWZEZyI2dmLHMSkftJRQB+Pn7Pf7C3xt8RfDXQfAf7S3iCHwn8PdKgRV+G3gp/sceoyEAyy65qELNLcPM43SxpNIpYgq8eNtch4N/4JZN4p/ah8VfEb4022kW3w10nU9vhPwzoirBBfafCB9jjuI4wvkwwx7VnUnzLicOzHaxaT9sqKAPxy/4Ktn4dWnw78I/Bfwr4Q0K7+I/xH1PTtD0KdNPthfWGnWU8W0QTCMywo0rRW6IpVSjyAcKRX6u/Dzwp/wAIH4A8M+B/tcl//wAI7o9hpX2uYlpbj7FAkHmuSSSz7NxJJOTX89fjv4lp8Vv+CxPhqDWZQ2leEfEtp4c02OQ/LE+lxSMQPdtRaRh7sB2r+kSgAoopkkkcSNJKwRFGWZjgADuSaAH0Vy0XjnwVPff2ZB4g0uS8JC/Z1vYWlyeg2B92T9K6mgAooooAKKKKAP/T/fyiiigAooooAKKKKACiuV8beOfCHw38MX/jTx5q9poWh6ZGZbq+vZBFFGvQDJ5ZmPCooLMxCqCSBX5eXPxn/ab/AG7dSn8P/syrdfCr4PJK9vffEPUYWj1bVkU7XXSocq6A84ZGVhj55omzEQD6p/aB/bX+FHwL1SLwJYJd+O/iPfsIdO8GeG1+16lLM4yiz7Ay2yngneDIV+ZI3ANeH+HP2YvjT+0/rdp8RP24L5LPw7bTLd6N8KdFuGGl2xU5jfVpo2/0yde6BmXP8SqWhr6f/Z6/ZM+C/wCzVpkkfw/0jz9cvFP9p+I9SYXWsag7Hc7S3DDKqzfMY4wkeedpbJP0rQBQ0rStL0PTrbR9Es7fT7CzjWG2tbWJYYIYkGFSONAFRQOAAABXyx+13+198O/2SfALeIfEjrqPiPUUkTQdAikC3F9Ooxvc8mK2jJHmykcfdUM5VSv7VP7Zvwg/ZI0Syu/H8l1qGs6usraZommosl3cCHAaRy7KkMIZgC7nJ52K5UgfgL8HfgH8Yv8Agpv+0L4g+LvjS4vtI8Dtqcj3+qTv532OzDl7fSNOZkVJJYomC7ggSMHzZFLOEkAMz4D/AAM+OX/BTT49al8TvifqFxD4ZguUGu60qbIbeBPmj0vTEbcocIcKPmESsZZdzsBJ/Up4D8B+Efhj4P0rwF4E0yDR9B0W3W2srO3GEjReSSTlmd2JZ3YlnYlmJYkmp8Nvht4J+EXgrS/h58PNLh0fQdHhENrawj8Wd2OWkkkYlndiWdiSSSa7mgDA8UeFPDHjfQbvwt4z0ix17Rr8It1p+pW0d3aTiN1kUSQyqyPtdVYZBwwBHIFJ4a8J+FvBmmJong/RtP0LTozlLTTbWKzt1PTiOFUQcD0roKKACiszVtb0bQLNtQ12/tdOtU+9PdzJBEuPV3IUfnXyNf8A/BQb9jzSfEmteFtT+JekwXehSxwzSL5lxazl4llzbXFuksM4TcUfYxKyKykdMgH2ZRXwvH/wUb/ZV1SVrbwZrmt+L7hTt8nQPDWr3jFvQN9kVCfoxq9P+2Xqd5A0vhb4E/FjUEA3C41HRLfQ7Tb6tLqN3Ayj3KY96APtqvKPjT8ZvA/wF+H998RfH1zJFYWrJBb21unm3l/eTHEFpaxAgyzzNwqjAABZiFVmHwh4q/4KD+LfD++HUvCPgPwlIM8eJviXpb3KD1ax0iDUZz9Acjp1r89PiH+1Z+1h8XPj14b+JPhL4eWPxC0n4bxT3WgWGgaF4i1PQrjUbpRG12GktbS4luoFbMUkkccSCMmPLMGYA/UvwX8H/jL+01cnx5+1qZfD/g+6Qto3wp026lggSF+Um164haOS8uCuD9mJEKHG5A26MfNX7Zsw+IvibQv+Cc37KmkaZoTat9n1LxxcaVaR2tjo2jwMkscc4gVVXPyzSDhm/cxgkzEV88eM/wBuP/gp7L490H4QjwHovhXxh4wtludH0y00syXxt5C6id0u7y6WBUKOXadVVAjFgApx8v8Ag34T/t4wfGL4kfAb4ZeIYdX8T+K445fiLqel3ME8UDXBlLQ3+rywCSGX97Jvit5csSVAZlZVAPsjRvgF4O/bJ+I3hj4D/Cuz/s/9nT4BmSw1HxJCirdeJtak2m7W3uAvzmZly8ifKFZpf+WkCj6P8F+Mdc/Yt/bF0H9l671e41H4P/E2zWfwbBqV1Jd3HhzUBujFlHPOzytbyTR7ERiwHnRkHcJS/l3ws/Yi/wCCjnw18DWHgHw38dPDXhLQNOR/IsNKtjMIvNYySEytp0MjOWYlmZiSe9fF/wAJ/wBk/wCMH7bv7RviW1+I/wAT77xh4S+H0j6XdeOreSSeKeaPLxWml+eAv+uZnYqPLVAXBPmRlwD+oysPVfE/hrQv+Q3q1jp/f/SrmOD/ANDYV+U0H/BIjwDeWv2bxT8X/iJqi4ACx30EUeB22Swz/wA639F/4I6/si6WQ2oy+LNbbqxvtVjTce+fsttb0AffmofH34E6Rn+1fiP4SssdftGuWMWP++5hXC6j+2T+ydpeftXxf8FNjqLfXLO5P/kGV68d0T/gmN+xDoYDR/DeO8kHWS91TU7jP1R7sx/kor03S/2Hv2QtIx9k+EfhSTb0+1adHd/n54kz+NAHM6h/wUO/Yu0wkXPxV0d8f8+8d1c/+iYHrm5v+CnP7DUGd/xPhOM/c0fWJOn+7Ymvomx/Zs/Z10sAab8LPBVpt6eR4e0+P/0GAU7WvgD+zvdWMz+Ifhx4Lls0Vnma80PT2iVRyWYyQ4AHcmgD5uT/AIKf/sLuoYfE5AD66JrQP5GwBqzF/wAFNf2G5jhPifAOcfPpGrJ/6FZCvjf9omP/AIJAeGxcaZrGh6PrOvO3lxaf8PGne784nAVG0+aKxWQNxslkHPG2vHf+Cdf7J3jU/tKar8adP8I614J+ElpBeW1lpnjS3im1LVY7mMCKHbLBH8kUoE5nRABsWIPIS7UAfp7D/wAFHv2Jp8bPinpwz/fs79On+9aitWH/AIKC/sZXGNnxX0MZx9/z06/70Q/+tX09/wAIJ4I/6F7Sv/AKD/4iqz/Dj4eSZ8zwvorbs5zp9uc565/d0AeAQ/t2fsez/c+LfhgZ/v3gTp/vAVrQ/tpfskz/AHPi/wCDRn+/rFsn/oTivW5vhL8KrgbZ/Bnh6QdMPpdqw5+sVY8/wE+Bd1n7V8OvCc2c58zQ7Fs569YaAOLT9sH9lGQ7V+MPgYHr83iCwUfmZhVa6/bL/ZMs0Z5vjB4LYLnPla3aTHj0EcjE/hVjxZ+yj+z/AK9od/ZaV8M/ANjqlxA8drfXXhPTr1baZgQsphMcXmbM5C71BPU44r59+FH/AATB/ZT+HN3/AG94h8PDxzrzzNcy3euLGLISudzLDplssNhHCD9yNoX2DgHFAH8/37Wvi/wf4R/bL1L44fAHxJF4i0251+38WWGowxTLbxaskq3NxbiR1jEwS4G4mMldkiqTuBr9wvhh8c/26f2tPDVh4/8Ag7p3w++GvgfUw4i1DU7ubxFq2+F2ikURQCOFXVlJMc0UZAx8x7/Tn7Uf7Hvwx/af+Flt8OdZiGgzaJvl8O6hp0SoNLnZNuFgXbG8DgASRfKCANpVgrD+ciw8T/tbf8EvPjDc+HXbybK8k857OcPc+HvENqh2ieL7hDgYG9DHPEflfAJUgH74S/smftC+Llx8UP2n/Gk6v9+Lwhp9h4VCg/wpJAsz8dAxJJ6msG+/4Jgfs7+Ivm8f61478aS5yZdf8S3Fy7H1JRYxn8Ko/s1/8FQv2d/jtBDpHiu9T4deKT5UZ0/XLiNbK4lkz/x63x2RuMgDbKIXJICq3Wv0kR0lRZYmDo4DKynIIPIII6g0Afmdqv8AwSQ/Yw1Gye1s9D1rS5XBAubTWbhpU9wLgzR5+qEV4XefsHftkfs5XB1n9j742Xuq6ZbZdPC3iaTETIP+WarIJrCR2HG8xWpA6MDg1+09FAH52fs3ftq+LPE/jq2+AP7Uvgq4+GXxSuInfThIjLpOuiIEubKRmkUSAAkKsssb4O2Qt8g/ROvyJ+Keof8ADV//AAUL+G3gbwBcfavDf7Pkk3iDxRq1ucwRarLLEyWIcfK7+ZawxsoORmcYzEwr9dqACiiigD//1P38ooooAKKKKACvnn47ftLfDz4EQWOl6vK+teMtedLfw54S0wiXV9Xupn8uJIo/+WcTScNPJtjUA8lgFPmXxW/aO8X+IPGN78CP2VtNtvFHjy2Ii1zXrsk+HfCKvxvvpkB8+8HPl2ce58glxhSp3/gX+yH4E+EmtT/EnxVd3HxA+KeqEy6p4011RLetIy7SlnEd0dlAq/IkcXIT5CzKAAAfOfhP9k34v/tH+O1+K37d09tLpel3Il8M/DPSrrztFsRjiW/aP5bqYZwRuYPg7m8oiIfptY2NlpllBpum28VpaWsaQwQQIscUUUYCqiIoCqqgAAAAAdKtVynjXx14N+HHhy68XePtbsfD+i2QBnvtRnS3gQn7q7nIBdjwqjLMeACeKAOrr84v2wv+Cjnwg/Zy0TVPDXhDUrTxb8RwjwWuk2b+fbWFwRgSahMh2RiI8mAN5znC4RSXX8z/ANsf/gpT4+/aB1tvgX+ydDqtvoWoymyk1CwglGta8zZBitYkHnQWzc8ACaVfvbFLIfTv2N/+CRlwlzY/Ef8AarVNsZW4tfBsEgfeeqnUp4yVwDybeJjnje+N0ZAPlv8AZK/Yk+Lf7c3j27+Onxw1DULXwdqF893qOsXHy32uzBvngsQw2pEuPLMoXy4gPLjUlSqf08+CfBHhL4b+FdN8D+BdKttF0LSIFt7OytU2RRRjn3LMxJZ3YlnYlmJYkne0/T7DSbC30vSraGzsrOJILe3t41ihhijAVEjRQFVVUABQAABgVcoAKZIzJGzqhcqCQq4yxHYZIGT7kCn0UAfjLf8A7TH/AAUB8d65qdr/AMKv8X/DfS47h49Pj0Lwla63fPCCRumvtW1C3tA47GO0ZD1ziqieEf2qPFrGbxR4U+PHivzP9Zb3Pjvw94MsXU9Q0GmNFIAe48w+wr9paKAPxaP7LHxB1aXz9L/ZO8D2d8wx9v8AHvj288UuT/ekULIx9SA59q8O+Lf7Ff7WnwsE/wC0n4Q0/wCGWg6t4asfKm0D4eeHRdhdPZ91xcwW2q20kc91EhJJ4kMalUfs39C1FAH53fDn4C6r8afBWkeOU/ac+IXiTw7q1sk9nJ4Yn07w3AynqjCxtBJGyHKvGGR0YFTggivRLT9gP9mJ5kvfFvh/UfG18h3G68V65qWsux9WjubloM/SMVH4t/ZP1Tw74q1H4lfsueL5fhd4j1WU3Wq6T9mW/wDCusz93utNYqIJnxhri2ZH5J2sxJL9F+I/7bPhoNZ/EH4P+HPFzRqf+Jh4K8TR2iSsP7tprKQFQfe446c9aAPoDwh8FPg58P8AZ/wgvgXw34faPG19M0m1tHyO+6KJWJ9yc14r+15bfGLw94O034zfAVb3VPF3gG4e5PhmEzzWviHS73ZFeWk1pCwM0qKEngYAyI0ZCcuQeNuv2mv2nnvH0/Rv2W/E09wvQ3niTRrSA/8AbfzZY/yJrTh8X/t7+MlC6Z8PPAHw5RxhpPEHiC68Q3EQPUrDptvbxOw7AzKvue4B+XfhT46a74UWO78TzXfhH9pj473tzZa14r8d6bN4e0vwToFs7Kkdg2oLFG6JAitAkTnfMVErF0jRvvbwz8dv2Kv2Kfh1p/w78E+KYPF+tXsolez8NSJ4g8ReIdWuMb57g2zMpuLhvu+dIi4wicACtT4gfsJeIf2hbWztv2o/i7rfiy0spvtNvpXh7TNP8P6bBIRggZivLlx23NNuPHTpVPSf+CUX7FGmbGm8JajfumCHuNc1BGyO/wDo88OD9MUAcx4h8F/tn/tlwvpXjKT/AIZ/+E1+NlxpNtILvxhq9o3VLmRcR2aSrw0eVZclZEmWvv34TfCbwF8EPAWmfDb4baZHpWh6VHtiiX5pJZG5kmmkPzSTSN8zu3JPoAAPmFP+Cbv7HC7S3gm+crjBbxNr56e39o4/Sp2/4JxfsYSDFx8OluBjH+kazq83/oy+agD681Txf4T0MMda1vTtPC/e+1XcUOMeu9hivHfEP7Wn7MHhXcuu/FfwdbyJndCut2c0wx/0yileT/x2vPbD/gn3+xlpuPs/wo0N8f8APwJ7n/0dK9ek6H+yp+zJ4a2tonwo8GWsidJRoNk03H/TRoS//j1AHk0v/BQb9mC886DwTrmreOb6Hj7F4V0DVNVmY9gHitfJBPbdIK5Rf2rv2kvHU5tvg7+zR4pSFzhdR8eX1t4WjiHZ2tpPOmkH+yh3V956dpmm6PZx6fpFpBY2sQxHBbRrFEg/2UQBR+Aq9QB8CzeBP+Ch3xD48R/ErwN8K7OT/ll4S0WbXr0If4Xm1Ro4w+ON0a4HUViTf8E4vAPja4jvv2gfiL8QPivKrBms9a1p7bSwRz+6tLQRtEM9llr9FaKAPDfhf+zR8AfguyTfDDwFoegXUa7RfQWiyX+0jGDdy77gj2Mhr3KiigAooooAKKKKACiiigArzT4rfB74Z/HDwnN4I+Kvh+08Q6PM28Q3KkPDIAQJYJUKywyAEgPGytgkZwSD6XRQB+OfxD/4Iufs+eIIjL8PPE/iLwldEnCztFq1oB/1ydYJsj18/wDCuP8AD/7Dn/BQL9mm1itf2avjjZa9o0Bz/YutRPbW4HdYbW6GoW0ee5SSI+hzX7eUUAfjWPHX/BZ3TXWxPw78FaqM7TeG409R/vEf2tAffiP8K9M0f4M/8FGvjTbSaV8d/ipovw28NXa+Xd2Hga0STV7iM8PGLx1/0XcD/rI5pD2KY6/qRRQB4r8Cf2ffhZ+zh4LXwN8K9JGn2byefeXMzma9v7nGDNczt80jkdBwijhFUcV7VRRQAUUUUAf/1f38ooooAK+OvGfxA8Q/Hzxlr3wJ+COvyaHp3hx0tfHXjOyAeewkmznSdJc5Q6k6Amec7lslI4aZgE8t/wCCkP7TPiP4C/C7RfBvw9uBY+NfiZfSaLpeoM2xdOt18tbu6V/4ZU8+JIz/AAGTzOqAH7A+Cnwc8GfAf4caT8N/A9qsFnp8Stc3GP39/eso8+8uH5LzzsNzsSccKMKqgAGt8MPhZ4D+Dfg+z8CfDnSYdI0izywjjy0k0z/6yeeViZJp5CMvI5LMep6V6DXmfxO+Mvwq+DGiN4h+KfinTPDVkFZka/uFSWbb1WCEZlnf/ZiRmPpX49fF3/gqf47+LevH4Q/sMeDNS1rXdQLRR69d2nmzKvQy2tidyxouQfPuyEQffiHUAH6V/tPftf8Awc/ZU8MnVfiBqIudbuYmfS/D1kyvqN8wyAQmf3UO4YaaTCDBA3PhD+D1t4c/a9/4Kv8AxJi1/Vlbwz8NNNumWCZxIuiaXGDh1t0O1r+/K8O45yQGaGMqo+1f2ff+CVV9r3iM/GL9tfxBceNPFF/Kt3Loa3ck8PmcEC/vM77grwvkwlYl27d8ifLX7QaPo2keHtKtdD0Cxt9N02xiWC1s7SJYLeCJBhUjjQBUVRwAAAKAPnr9nn9kb4F/sx6Qtn8MfD0UWqSQiK81y8/0jVbvpu3zsMojEZMUQSLPO3PNfS9FFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAf/W/fyiiigD5Q/a8/ZK8D/tdfDmPwf4muJNJ1fSpXu9D1mBBJJY3LqFcNGSolglAUSR7lJ2qQysoI/PC4/ZH/4KuXGmweDB+0Fo8OhWMYt4LqDUb23vjAo2rumh0xblpAMZLzsf9s1+31FAH4h+BP8AgjZpmqa8PFn7RnxQ1bxleyuJLm3sFaFpmHOJb66e4nkU9DtjjbHRgeR+tfwq+Cfwn+CGgjw18KPC2neGrEhRKLOICa4KdGuJ23TTuP70rs3vXqNFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB//9k="
243 }
244 }
Digital Signatures are a type of Electronic signature that meet the following functional requirements:
Digital Signatures employ encryption technology and a digital certificate issued by a certification authority (CA). The encryption ensures the signee has attested to the integrity of the data. A certificate issued by a CA that the Data Consumer trusts, ensures that the Data Consumer can trust that the signature is authentic and non-repudiable.
JSON Web Signature (JWS) is a means of representing content secured with digital signatures or Hash-based Message Authentication Codes (HMACs) using JSON data structures. Cryptographic algorithms and identifiers used with this specification are enumerated in the separate JSON Web Algorithms (JWA). 4
Implementers that support XML must be aware that JSON Web Signatures can only be created and validated in the original native JSON. Transforms to and from XML will invalidate signatures.
When the signature is a JSON Digital Signature (contentType = application/jose), the following rules apply:
- The Signature.data is base64 encoded JWS-Signature RFC 7515: JSON Web Signature (JWS)
- The signature is a Detached Signature (where the content that is signed is removed from the JWS)
- When FHIR Resources are signed, the signature is across the Canonical JSON form of the resource(s)
- The Signature SHOULD use the hashing algorithm SHA256. The signature validation policy will apply to the signature and determine the acceptability
- The Signature SHALL include a "CommitmentTypeIndication" element for the purpose(s) of the signature. The Purpose can be the action being attested to or the role associated with the signature. The value shall come from ASTM E1762-95(2013). The
Signature.type
shall contain the same values as the CommitmentTypeIndication element.
There is no "CommitmentTypeIndication" element in JWS, and a tracker (FHIR-36158) has been logged to update the FHIR specification. As documented in the CDex Profiles, Signature.type
shall contain the value "1.2.840.10065.1.12.1.5" (Verification Signature).
.
character between the base64_url encoded parts. This Signature.data
value must be base64 encoded again as indicated above. Otherwise, it will fail validation since the base64Binary regex: (\s([0-9a-zA-Z+=]){4}\s)+ does not include the period .
character."x5c"
.
id
, meta
, and signature
elements on the root Bundle resource SHALL be removed before canonicalization. In other words, everything in a Bundle is signed except for these elements.id
, meta
, and the signature extension on the root QuestionnaireResponse resource SHALL be removed before canonicalization. In other words, everything in a QuestionnaireResponse is signed except for these elements.id
and the signature extension on the item resource SHALL be removed before canonicalization. In other words, everything in the QuestionnaireResponse.item
is signed except for these elements.The following steps outline the process for creating the Signature.
"alg": "RS256"
(preferred) or some other JSON Web Algorithms (JWA) (see RFC 7518)"kty": "RS"
"x5c"
(X.509 certificate chain) equal to an array of one or more base64-encoded (not base64url-encoded) DER representations of the public certificate or certificate chain (see RFC 7517).
The public key is listed in the first certificate in the "x5c"
specified by the entry's "Modulus" and "Exponent" parameters.id
and meta
elements.Signature.type
- Fixed to code = "1.2.840.10065.1.12.1.5" (Verification Signature)Signature.when
- System timestamp when signature createdSignature.who
- Reference or identifier of the organization or practitioner who signed itSignature.data
- base64 encoded JWSThe following steps outline the process for verifying the Signature.
Task.output
is either:
id
, meta
and Bundle.signature
element from the Bundle resource or the signature extension(s) from the QuestionnaireResponse or QuestionnaireResponse.item.signature.data
element"x5c"
key
Although self-signed certificates are used for these examples, they are not recommended for production systems.
In these examples, a detached JWS signature is created using a signer's private key and self-signed certificate. Then, the Bundle.signature
element is added to the Bundle with the base64 encoded JWS Signature as the signature.data
property value. Finally, the signature is verified.
Signed SearchSet Bundle Example : FHIR search-set bundle signatures occur when performing direct queries where signatures are required on the returned results. In this case, the digital signature represents a system-level attestation by the sending organization that they are the source of the information.
Signed Document Bundle Example : FHIR Document bundle signatures occur when performing Task-based requests or Attachment transactions where signatures are required. The returned results are individual FHIR resources (in other words, not C-CDA, C-CDA on FHIR, or other binary formats referenced by DocumentReference). In this case, the digital signature represents a practitioner attesting that the information is true and accurate to the best of their knowledge.
MLN Fact Sheet: Complying with Medicare Signature Requirements MLN Fact Sheet https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/Signature_Requirements_Fact_Sheet_ICN905364.pdf ↩
CMS signature requirements outlined in the Medicare Program Integrity Manual (CMS Pub.100-08), Chapter 3, Section 3.3.2.4. https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/pim83c03.pdf#page=44 ↩
"15 U.S. Code § 7006 - Definitions", LII / Legal Information Institute". Law.cornell.edu. Retrieved 2021-10-06. https://www.law.cornell.edu/uscode/text/15/7006#5 ↩
RFC 7515 Jones, M., et al., "JSON Web Signature (JWS)", RFC 7515, ISSN: 2070-1721, May 2015, https://tools.ietf.org/html/rfc7515 ↩