Privacy Consent on FHIR (PCF)
1.1.1-current - ci-build
Privacy Consent on FHIR (PCF), published by IHE IT Infrastructure Technical Committee. This guide is not an authorized publication; it is the continuous build for version 1.1.1-current built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/IHE/ITI.PCF/ and changes regularly. See the Directory of published versions
The Privacy Consent on FHIR (PCF) builds upon a basic Identity and Authorization model of Internet User Authorization (IUA) to provide consent-based access control. The Privacy Consent on FHIR is thus focused only on Access Control decisions regarding the parameters of the data subject (patient) privacy consent. The Privacy Consent on FHIR leverages these basic Identity and Authorization decisions as context setting for the authorization decision and enforcement. For example, a user that would never be allowed access would be denied access at the IUA level without invoking PCF, and where PCF will further evaluate authorization based on Privacy Consents.
This is to say that PCF does not define:
But PCF enhances and relies upon these other Implementation Guides to protect sensitive resources according to Patient-specific Consents.
This section defines the actors and transactions in this implementation guide.
The figure below shows the actors directly involved in the PCF Profile and the relevant transactions between them. Internet User Authorization (IUA) is shown as the PCF-specific actors are reliant on IUA actors.
The actors participate in the following transactions.
Table 1:53.1-1: PCF Profile - Actors and Transactions
Actors | Transactions | Direction | Optionality | Reference |
---|---|---|---|---|
Consent Recorder | Access Consent | Initiator | R | ITI TF-2: 3.108 |
Consent Registry | Access Consent | Responder | R | ITI TF-2: 3.108 |
Consent Authorization Server | Access Consent | Initiator | R (Note 1) | ITI TF-2: 3.108 |
Consent Enforcement Point | none |
Note 1: Consent Authorization Server, when operating only in an Implicit environment, does not need to demonstrate use of ITI-108.
The following is a repeat of the IUA actors and transactions for clarity. The PCF Implementation Guide places grouping requirements and behavior upon the IUA actors relative to the grouped PCF Actors.
Table 1:53.1-2: IUA Profile - Actors and Transactions
Actors | Transactions | Direction | Optionality | Reference |
---|---|---|---|---|
IUA: Authorization Client | Get Access Token | Initiator | R | ITI TF-2: 3.71 |
Incorporate Access Token | Initiator | R | ITI TF-2: 3.72 | |
Get Authorization Server metadata | Initiator | O | ITI TF-2: 3.103 | |
IUA: Authorization Server | Get Access Token | Responder | R | ITI TF-2: 3.71 |
Introspect Token | Responder | O (Note 1) | ITI TF-2: 3.102 | |
Get Authorization Server metadata | Responder | O | ITI TF-2: 3.103 | |
IUA: Resource Server | Introspect Token | Initiator | O (Note 1) | ITI TF-2: 3.102 |
Incorporate Access Token | Responder | R | ITI TF-2: 3.72 | |
Get Authorization Server metadata | Initiator | O | ITI TF-2: 3.103 |
Note 1: Authorization Server or Resource Server Actors shall support at least one of the following options: JWT Token, or Token Introspection.
The actors in this profile are described in more detail in the sections below.
The Consent Recorder is responsible for the capturing of consent from the Patient given policies available. This actor is responsible for assuring that:
The Consent Recorder may utilize other resources to interact with the Patient, and to capture the evidence of the Consent ceremony. The interaction with the Patient can be a very complex system that utilizes applications, web user interface, and forms; but may also be a paper process that results in ink signatures on paperwork. The workflow leading up to the Consent Recorder may also use FHIR Resources such as a FHIR Questionnaire or a DocumentReference / Binary. Where a DocumentReference and Binary are used to capture the Consent ceremony, the preservation should utilize the MHD implementation guide.
FHIR Capability Statement for Consent Recorder
The Consent Registry holds Consent resources. This includes active, inactive, and expired Consents. The Consent Registry does not have special understanding of the Consent other than as a FHIR Consent
Resource. It, thus, is not responsible for assuring that the Consent terms are acceptable or enforceable; this is the responsibility of the Consent Recorder.
FHIR Capability Statement for Consent Registry
The Consent Authorization Server makes authorization decisions based on a given access requested context (e.g., oAuth, query/operation parameters), organizational policies, and current active Consent
resources. The Consent Authorization Server is often implemented utilizing other authorization services, taking input from the user identity (e.g., Open-ID-Connect), and application identity and authorization (e.g., IUA). These predicate authorizations provide the security context upon which the Privacy Consent
constraints are applied. The result is an authorization token used to request access resources, and is used by the Consent Enforcement Point.
The Consent Enforcement Point enforces consent decisions made by the Consent Authorization Server. This includes deny, permit, and permit with filtering of results. The Consent Enforcement Point must be grouped with an IUA Resource Server and is invoked when the authorization token includes consent-based rules to be enforced.
The transactions in this profile are summarized in the sections below.
This transaction is used to Create, Read, Update, Delete, and Search on Consent resources.
For more details see the detailed Access Consent.
The Consent Enforcement Point is invoked by the IUA Resource Server when there is consent rules to be enforced. There is no externally defined transaction but the Consent Enforcement Point indirectly gets the consent rules to be enforced from the IUA Resource Server, thereby implicitly learning the details of the token. How this is done, and how the enforcement is achieved is a Systems Design concern outside the scope of an Interoperability specification such as PCF.
Options that may be selected for each actor in this implementation guide, are listed in Table 1:53.2-1 below. Dependencies between options when applicable are specified in notes.
Table 1:53.2-1
Actor | Option Name |
---|---|
Consent Recorder | Explicit Basic |
Consent Recorder | Explicit Intermediate Data Timeframe |
Consent Recorder | Explicit Intermediate Data by id |
Consent Recorder | Explicit Intermediate Data Author |
Consent Recorder | Explicit Intermediate Data Relationship |
Consent Recorder | Explicit Intermediate Additional PurposeOfUse |
Consent Recorder | Explicit Advanced |
Consent Registry | none |
Consent Authorization Server | Implicit |
Consent Authorization Server | Explicit Basic |
Consent Authorization Server | Explicit Intermediate Data Timeframe |
Consent Authorization Server | Explicit Intermediate Data by id |
Consent Authorization Server | Explicit Intermediate Data Author |
Consent Authorization Server | Explicit Intermediate Data Relationship |
Consent Authorization Server | Explicit Intermediate Additional PurposeOfUse |
Consent Authorization Server | Explicit Advanced |
Consent Enforcement Point | Implicit |
Consent Enforcement Point | Explicit Basic |
Consent Enforcement Point | Explicit Intermediate Data Timeframe |
Consent Enforcement Point | Explicit Intermediate Data by id |
Consent Enforcement Point | Explicit Intermediate Data Author |
Consent Enforcement Point | Explicit Intermediate Data Relationship |
Consent Enforcement Point | Explicit Intermediate Additional PurposeOfUse |
Consent Enforcement Point | Explicit Advanced |
Note 1: Explicit Intermediate Options and Explicit Advanced Option require that Explicit Basic Option is selected.
Three levels of maturity are defined which are incrementally more difficult to implement: Support for these Basic, Intermediate, and Advanced policies is support for the ability to provide these capabilities. The actual policy provided to the Patient would be some subset of this support that the data custodian is willing to enforce.
When the Implicit Consent Option is not declared to be implemented, then PCF expects “Deny all” or “Permit all authorized uses” for the overarching policy.
The Implicit Policy Option indicates that there is a default policy that is used when there is no Consent found on file for a given patient. This Implicit Policy shall support the following “overarching” policies:
canonical URI | Definition |
---|---|
https://profiles.ihe.net/ITI/PCF/Policy-basic-normal |
Permit for clinicians that have authorization for Treatment use, but does not authorize other access. This presumes that basic user access control can differentiate legitimate clinical users and purposes of use. |
https://profiles.ihe.net/ITI/PCF/Policy-all-normal |
Permit for all authorized uses. This presumes that basic user access control will only allow authorized users and purposes of use. |
https://profiles.ihe.net/ITI/PCF/Policy-break-glass-only |
Deny for all use, except when the user is a clinician with authorization to declare a medical patient-safety override (a.k.a. Break-Glass). |
https://profiles.ihe.net/ITI/PCF/Policy-deny |
Deny all. |
Other overarching policies may also be implemented, but their behavior is not defined in PCF.
The operational environment chooses which of these policies they will use, so in operational use only one of these is in effect as the “implicit policy”.
Neither the definition of permitted use, nor how break-glass is declared is defined here. These are policy expectations of the environment and are expected to be configured into the IUA authorization decisions and enforcement.
Implicit Consent Option has no ability to have Patient-specific parameters. When Patient-specific parameters are needed, Explicit options are required.
The Explicit Basic Option allows for patient-specific consent to be recorded and changed. This option sets the foundation for consents that expire, and consents that change based on agreements between the organization and the patient. The lack of a consent for a given patient would be covered by the Implicit Consent Option in place.
Typically the Implicit Consent Option is either a Deny-All or a Permit-All-Authorized-Uses. The Deny-All sets the groundwork for an environment where Consent is required for any activity to happen (often called OPT-IN). The Permit-All-Authorized-Uses sets the groundwork for an environment where Consent can be used to refine or dissent (often called OPT-OUT). In all cases, once a Consent is recorded then the terms of the Consent override any Implicit policy.
The Explicit Basic Option indicates that there is support for a basic set of patient-specific parameters. The following set of patient-specific parameters may be used to permit or deny:
.identifier
element (e.g., Practitioner.identifier
would hold the user id).See Basic Consent Content Profile
The following Options shall be used in conjunction with Explicit Basic Option, and may be used with Explicit Advanced Option. The Explicit Intermediate Options can be implemented and/or used individually or combined. When combined within one parameter, the logic provided by each option is combined. The data scoping Explicit Intermediate options are not expected to be found combined on one parameter, but may be combined within a Consent providing different data scoping capability. For example, a consent that indicates that a data timeframe is used to deny insurance access, with a different parameter indicting that a data relationship is allowed access to a research project.
See Intermediate Consent Content Profile.
This data scoping option provides for the Consent to have one or more permit/deny parameter that indicates a timeframe within which data has been authored or last updated.
This data scoping option provides for the Consent to have one or more permit/deny parameter that indicates a FHIR Resources by .id
value.
This data scoping option provides for the Consent to have one or more permit/deny parameter that indicates data is subject to the rule by way of an indicated author. This option is useful when the consent provision is limiting access to data that was authorized by a given doctor.
This data scoping option provides for the Consent to have one or more permit/deny parameter that indicates data is subject to the rule by way of that data being related in a given way to a given identified data object. This option is useful for indicating a consent provision that is limiting/authorizing access to data that was created as part of an encounter, care plan, or episode of care.
This option provides for the Consent to have one or more permit/deny parameter that indicates a purposeOfUse that is not listed in the Explicit Basic Option vocabulary. This would tend to be used with Clinical Research projects, where the purposeOfUse is a code assigned to a specific Clinical Research Project. This may also be used for other purposeOfUse codes. Where Explicit Basic Option has some well-known purposeOfUse codes, this option is used for other codes.
One specific use of this Option is to enable Break-Glass access. Where the Consent can have a permission explicitly allowing the PurposeOfUse of Break-Glass (#BTG). In this case the Consent would have restrictions, that can be overridden by an authorized Break-Glass. The logic that determines that the given user is authorized, and has declared Break-Glass is out-of-scope of this implementation guide as it is very user-interface- and policy-specific. So, only the encoding in the Consent, and the encoding in the Access Token is defined here.
The Explicit Advanced Option indicates that there is support for an advanced set of patient-specific parameters. The Advanced policies allow for Patient-specific permit/deny parameters on sensitive health topics and require the use of security-tagged data. The security-tagged data might be implemented either using a Security Labeling Service that is not defined here, or other systems design. This option is required to support sensitive health topic segmentation such as substance abuse, mental health, sexuality and reproductive health, etc.
See Advanced Consent Content Profile.
PCF leverages other IHE Profiles for the critical functionality they provide. This includes Audit Trails and Node Authentication (ATNA) to provide system security and audit infrastructure, Basic Audit Log Patterns (BALP) to provide audit log patterns for privacy and security sensitive access control activities, and Internet User Authorization (IUA) to provide the oAuth interaction pattern between clients that want to access protected resources and the needs to protect those resources.
The Consent Recorder shall be grouped with an ATNA Secure Application, a BALP Audit Creator, and shall record the BALP RESTful activities.
The Consent Registry shall be grouped with an ATNA Secure Application, a BALP Audit Creator, and shall record the BALP RESTful activities.
The Consent Authorization Server shall be grouped with an IUA: Authorization Server. The IUA Authorization Server takes care of the IUA transactions and invokes the Consent Authorization Server when a request for a token, that would be impacted by a Patient Privacy Consent, is invoked.
The IUA Authorization Server shall implement the JWT Token, or Token Introspection options, and should implement the Get Authorization Server Metadata option. There is no use of the IUA Authorization Server SAML Token option.
Note that PCF adds requirements to the ITI-71 transaction to carry in the token extensions informed from the consents. These oAuth extensions affect JWT encoding and response from use of the Introspect Token Transaction.
The Consent Authorization Server shall be grouped with an ATNA Secure Application, a BALP Audit Creator, and shall record the BALP RESTful activities.
The Consent Enforcement Point shall be grouped with an IUA: Resource Server. The IUA Resource Server takes care of the IUA transactions and invokes the Consent Enforcement Point when a token includes enforcement rules informed by Patient Privacy Consent.
The IUA Resource Server shall implement the JWT Token, or Token Introspection options, and should implement the Get Authorization Server Metadata option. There is no use of the IUA Authorization Server SAML Token option.
Note that PCF adds requirements to the ITI-71 transaction to carry in the token extensions informed from the consents. These oAuth extensions affect JWT encoding and response from use of the Introspect Token Transaction.
The Consent Enforcement Point shall be grouped with an ATNA Secure Application, a BALP Audit Creator, and shall record the BALP RESTful activities. Only one BALP RESTful activity AuditEvent needs to be recorded within the Grouped Server.
The PCF Profile enables authorized access to data according to terms agreed by the Patient and the Organization protecting the data. These terms represent Privacy controls on the use of the data. The Privacy controls augment an overarching policy upon which these Privacy controls build. The writing of overarching policies, and the act of informing the patient and capturing their agreement is a predicate to the use cases of the PCF.
Consent is a patient-specific set of parameters that work within an overarching policy. For a discussion of policy, consent policy, and other concepts see Appendix P: Privacy Access Policies. The concepts outlined in Appendix P: Privacy Access Policies are critical to understanding this implementation guide.
PCF defines some transactions and some content. The content specifications define the variations on Consent that are used to enable consent parameters. The transactions utilize the content and carry out the privacy protection defined within a patient-specific consent.
When a patient does not have a consent on file, and there is a need to capture consent, the Capture New Consent use case is used to record the details of the Consent ceremony.
Scenario Outline: Capture New Consent Use Case
Given an Organization controlling some Patient-identifiable Data
And they have written and published Patient Privacy Policies
And there is no consent on file for a given Patient
When they present their Patient Privacy Policies to a given Patient
And the Patient either agrees, disagrees, or adds acceptable parameters
Then a Consent is captured by the **Consent Recorder** and stored in the **Consent Registry**
Note: the above use case is written in Gherkin, a use case language optimized for automated testing.
The Consent details are specific to the Patient Privacy Policy, the parameters agreed to in the ceremony, and the Consent profile (Basic, Intermediate, Advance) that was used.
The following flow shows the activities involved in the Capture new Consent flow.
The diagrammed steps:
When a patient has an existing consent on file, and there is a need to capture a new consent. The Update Existing Consent use case is used to record the details of the new Consent ceremony and assure that the previous consent is no longer used.
Scenario Outline: Update Existing Consent use Case
Given an Organization controlling some Patient-identifiable Data
And they have written and published Patient Privacy Policies
And there is a consent on file for a given Patient
When they present their Patient Privacy Policies to a given Patient
And the Patient either agrees, disagrees, or adds acceptable parameters
Then a Consent is captured by the **Consent Recorder** and stored in the **Consent Registry**
And the new Consent overwrites or invalidates the previous Consent
The Consent details are specific to the Patient Privacy Policy, the parameters agreed to in the ceremony, and the Consent profile (Basic, Intermediate, Advance) that was used.
The following flow shows the activities involved in the Update Existing Consent flow.
The diagrammed steps:
Given that an application needs access to resources, the following use case assures that any data made available is authorized by the Consent. Note that this use case presumes that business rules and security access control are incorporated into either the foundational oAuth flow, or some other process outside of this flow.
Scenario Outline: Consent Access Control Use Case
Given an Organization controlling some Patient-identifiable Data
And they have written and published Patient Privacy Policies
And there is a consent on file for a given Patient
When a request for patient-identifiable data is made
Then the Consents are used by the **Consent Authorization Server** as stored in the **Consent Registry** to make Access Control Decisions
And the **Consent Enforcement Point** assures that only data authorized by the Consent Access Control Decision are allowed to be exposed.
The Consent details are specific to the Patient Privacy Policy, the parameters agreed to in the ceremony, and the Consent profile (Basic, Intermediate, Advance) that was used.
The following flow shows the activities involved in the Consent Access Control flow.
The diagrammed steps:
Not shown, for simplicity of the diagram, is the recording AuditEvent by all actors to support Security and Privacy audit analysis use-cases.
These use cases will outline the justification for the alternatives within the Implicit Consent Option.
Pre-conditions:
Given there is no consent for a given patient. This may be because:
Main Flow:
Post-conditions:
Permits access by clinicians that have authorization for Treatment use, but does not authorize other access. This presumes that basic user access control can differentiate legitimate clinical users and legitimate clinical purpose.
Pre-conditions:
The controlling Organization has identified Clinical roles that would have access for Treatment, and has mechanisms in place to prevent any inappropriate use.
Main Flow:
Post-conditions:
Business Access Controls control appropriate access, thus clinical users get access for clinical treatment need.
Permits access by all authorized users. This presumes that basic user access control will only allow authorized users and for authorized purpose of use.
Pre-conditions:
The controlling Organization has identified various roles that would have access for a given purpose, and has mechanisms in place to prevent any inappropriate use. This is distinct from the previous use case in that the roles and the purpose are not limited to Clinical and Treatment.
Main Flow:
Post-conditions:
Business Access Controls control appropriate access.
Deny all uses without exceptions. This is an unusual setting for a purely Implicit consent environment, but is intended to be paired with an Explicit consent. When paired with an Explicit consent, the Deny All functions as the default policy when no explicit consent is on record. This might also be used in a system that is designed simply to record data with no access to that data (e.g., an Audit log repository).
Pre-conditions:
The controlling Organization has controls in place to prevent all access.
Main Flow:
Post-conditions:
Business Access Controls control appropriate access.
The Basic Consent content provides for recording that a Consent has been given and this content is the basis of all explicit consent options. The goal of a basic consent content is to express how a Consent is recorded, Updated, Removed, and Expired. The basic consent content also shows how one finds relevant Consent instances, and determines if they are still valid.
Pre-conditions:
The controlling Organization has identified various roles and the kinds of purpose of use those roles are authorized to participate in.
The Controlling Organization defines the default policy to be used when no consent is found, possibly choosing from the Implicit Consent Options policies.
The Controlling Organization defines the policy to be used with the Explicit Basic option, the policy that will be enforced when the patient has agreed to a consent.
Main Flow:
Post-conditions:
Appropriate use is allowed, inappropriate use is denied
Content:
The following set of patient specific parameters may be used to permit or deny:
.identifier
element (e.g., Practitioner.identifier would hold the user id).The Intermediate Consent contents shall be used in conjunction with Basic Consent content, and may be used with Advanced Consent content. Whereas the Basic Consent is used to record the fundamental aspects of the Consent ceremony, the Intermediate Consent contents can be used independently or together.
Pre-conditions:
The controlling Organization has identified various roles and the purpose of use in which those roles are authorized to participate.
The Controlling Organization defines the default policy to be used when no consent is found, possibly choosing from the Implicit Consent option policies.
The Controlling Organization defines the policy to be used with the Explicit Basic option, the policy that will be enforced when the patient agrees to a consent.
The controlling Organization provides for the patient to choose from the intermediate parameters that the controlling organization is willing to enforce, recognizing that some parameters may not be appropriate or allowed.
The Consent Recorder is responsible for assuring that the recorded Consent is enforceable and appropriate.
Main Flow:
Post-conditions:
This data scoping content provides for the Consent to have one or more permit/deny parameter that indicates a timeframe within which data has been authored or last updated.
The use case would be where a patient knows that there was a period of time where they received care, and for which the patient indicates they want to segment out that data for permit or deny. The user interface is not defined here or constrained.
This data scoping content provides for the Consent to have one or more permit/deny parameter that indicates a FHIR Resources by .id
value.
The use case would be where a patient knows specific data artifacts that the patient indicates they want to segment out for permit or deny. The user interface is not defined here or constrained.
This data scoping content provides for the Consent to have one or more permit/deny parameter that indicates that data is subject to the rule by way of a given author. This content is useful when the consent provision is limiting access to data that was authorized by a given practitioner.
The use case would be where a patient wants to segment out data authored by an author known to the patient (organization or practitioner) for permit or deny. Note that this capability depends on proper recording and attribution of data to the author. The user interface is not defined here or constrained.
This data scoping content provides for the Consent to have one or more permit/deny parameter that indicates that data is subject to the rule by way of that data being related in a given way to a given identified data object. This content is useful for indicating a consent provision that is limiting/authorizing access to data that was created as part of an encounter, care plan, or episode of care.
The use case would be where a patient knows an encounter, care plan, or episode of care that can identify the data that the patient wants to segment out for permit or deny. Note that this capability depends on proper attribution of the data to the encounter, care plan, or episode of care. The user interface is not defined here or constrained.
This content provides for the Consent to have one or more permit/deny parameter that indicates a purposeOfUse not listed in the Basic Consent vocabulary. This would tend to be used with Clinical Research projects, where the purposeOfUse is a code assigned to a specific Clinical Research Project. This may also be used for other purposeOfUse codes. Whereas Basic Consent has some well-known purposeOfUse codes, this content is used for other codes.
The use case would be where a patient authorizes a purposeOfUse beyond those defined in the Basic Consent. An example would be a Privacy Consent allowing an identified clinical research project to have access to the patient data.
This would also be used to indicate that the Consent has provisions enabling Break-Glass access using the PurposeOfUse for Break-Glass (BTG). The Consent and Access Token encodings are defined, but the rules around who is authorized and how they declare Break-Glass are not defined as they are dependent on User-Interface, User-Experience, and Policy.
The Advanced Consent contents shall be used in conjunction with Basic Consent content, and may be used with Intermediate Consent content. Whereas the Basic Consent is used to record the fundamental aspects of the Consent ceremony, the Advanced Consent Content provides for parameters in a Consent that express rules around data classified by sensitivity and confidentiality.
Support for the Advanced Consent relies on the data being tagged with sensitivity codes and confidentiality codes. This data tagging is not defined in PCF. There are a few established ways to get the data tagged including using a Security labeling Service, which has a few established architectures. The implementation of security tagging is a systems design requirement on the Consent Enforcement Point.
Pre-conditions:
The controlling Organization has identified various roles and purposes of use in which those roles are authorized to participate.
The Controlling Organization defines the default policy to be used when no consent is found, possibly choosing from the Implicit Consent option policies.
The Controlling Organization defines the policy to be used with the Explicit Basic option, the policy that will be enforced when the patient has agreed to a consent.
The controlling Organization provides for the patient to choose from the intermediate parameters that the controlling organization is willing to enforce, recognizing that some parameters may not be appropriate or allowed.
The Consent Recorder is responsible for assuring that the recorded Consent is enforceable and appropriate.
Main Flow:
Post-conditions:
Content:
The Advanced Consent content utilizes sensitivity codes and confidentiality codes. The Consent would include parameters that would indicate for a given sensitivity/confidentiality code the conditions on Permit or Deny.
The typical use case would be where the patient will allow normal confidentiality data to be used for some purpose such as Treatment, but indicates that data tagged as restricted confidentiality not be used.
At a minimum the following stigmatizing Sensitivity classifications shall be implemented as parameters:
ETH
– Substance Abuse including Alcohol
ETHUD
– Alcohol substance abuseOPIOIDUD
– Opioid drug abusePSY
– Psychiatry DisorderSDV
– Sexual Assault, Abuse, or Domestic ViolenceHIV
– HIV/AIDSAt a minimum the following ConfidentialityCodes shall be implemented as parameters:
N
Normal andR
RestrictedThe ConfidentialityCode may be assigned to data by various ways. Where data have a stigmatizing sensitivity classification, the ConfidentialityCode shall be Restricted, otherwise the data are Normal. Other methods of determining the ConfidentialityCode for data are allowed.
See ITI TF-2x: Appendix Z.8 “Mobile Security Considerations”.
A change to any policy needs to be carefully managed, especially the Domain Privacy Policy / Overarching Policy. A change to Overarching Policy may have no impact on the Consent, or may invalidate all Consents. The Overarching Policy identification is a foundational element of a Consent, and thus when the Overarching policy terms change, one can identify all Consents that were based on the prior Patient Privacy Policy Identifier. In some cases, such as jurisdictional rules backed by laws, the Overarching Policy may change, effectively changing the effect of the rules of a Consent based on that Overarching Policy.
The Basic Audit Log Patterns defines the audit log patterns, these audit log patterns can be recorded using the ATNA ATX:TLS Syslog, ATX: UDP Syslog, or ATX: FHIR Feed.
Security and Privacy office should use the BALP profiled AuditEvent to track changes and uses of the Consent resources. The AuditEvent is required of PCF when grouped with ATNA. The Provenance resource recording is not required of PCF as the use case need would be satisfied by the AuditEvent record. However an implementation may choose to use Provenance on Create/Update/Delete in addition to AuditEvent. Examples of a Provenance of create and a Provenance of update are provided. The use of Provenance is discussed in Appendix P.4.3.
Security office should monitor the audit log for uses of break-glass, and follow up to confirm it was a legitimate use of break-glass per policy.
Security office should monitor audit logs for access denied, and follow up to confirm that it was a legitimate denial of an access request. Possibly further investigating why the request was initiated.
Technical failures (failure-modes) where some technical or infrastructure is not performing nominally should be handled carefully. There are healthcare treatment cases where these failure-modes should result in allowing access to prefer patient and operator safety over privacy, where other less life-critical use cases should prefer preserving privacy and denying access.
This implementation guide is expected to be used in conjunction with other implementation guides (Profiles) that provide access to Patient-specific data such as Mobile Health Document Sharing (MHDS) or the PCC Query for Existing Data for Mobile (QEDm). These other implementation guides would have their appropriate actors grouped as shown in Figure 1:53.1-1 as “Grouped Client” and “Grouped Server”.