0.2.0 - DSTU 1 Informative Ballot Switzerland flag

CH EPR PPQm (R4), published by eHealth Suisse. This is not an authorized publication; it is the continuous build for version 0.2.0). This version is based on the current content of and changes regularly. See the Directory of published versions


Official URL: Version: 0.2.0
Active as of 2022-04-13 Computable Name: ch_epr_ppqm

Copyright/Legal: CC-BY-SA-4.0

This implementation guide is under informative ballot by HL7 Switzerland until the end of September 2022. Please add your feedback via the ‘Propose a change’-link in the footer on the page where you have comments.


This Implementation Guide is a part of the Swiss EPR specifications and contains definitions necessary for the Swiss national integration profile “Privacy Policy Query for Mobile” (CH:PPQm). The goal of this profile is to provide a possibility to manage privacy policies using a lightweight technology stack suitable for mobile devices — as opposed to the classic CH:PPQ which is based on XACML 2.0 and SAML 2.0.

The CH:PPQm specification is based on:


You can download the whole Implementation Guide as a NPM package.

Version history is documented in the change log.

Actors and Transactions

In CH:PPQm, EPR privacy policies are represented as PpqmConsent resources, whose structure resembles the EPR flavor of XACML 2.0 Policy Set and obeys the same logical constraints.

The CH:PPQm profile defines the following actors and transactions:

Thereby, the Policy Repository is a component of an EPR reference community’s central IT infrastructure. The Policy Source and Policy Consumer are the actors to be implemented in mobile clients.

To create, update, or delete single policies (PpqmConsent resources) in the Policy Repository, a mobile client may use the Mobile Privacy Policy Feed transaction (PPQ-3):

Policy SourcePolicy SourcePolicy RepositoryPolicy RepositoryAdd Policy SetHTTPPOST[baseUrl]/ConsentPayload: ConsentHTTP responsePayload: none / OperationOutcome / ConsentConditionally Add/Update Policy SetHTTPPUT[baseUrl]/Consent?identifier=[uuid]Payload: ConsentHTTP responsePayload: none / OperationOutcome / ConsentDelete Policy SetHTTPDELETE[baseUrl]/Consent?identifier=[uuid]Payload: noneHTTP responsePayload: none / OperationOutcome

To manipulate policies groupwise, the Mobile Privacy Policy Bundle Feed transaction (PPQ-4) can be used:

Policy SourcePolicy SourcePolicy RepositoryPolicy RepositoryHTTPPOST[baseUrl]Payload: Bundle of type "transaction"HTTP responsePayload: Bundle of type "transaction-outcome" / OperationOutcome

The request is a PpqmRequestBundle resource containing one or more PpqmConsent resources (for add and update operations) or references to them (for the delete operation).

Read access to the Policy Repository is provided by the Mobile Privacy Policy Retrieve transaction (PPQ-5):

Policy ConsumerPolicy ConsumerPolicy RepositoryPolicy RepositoryQuery by Patient IDHTTPGET[baseUrl]/Consent?patient:identifier=urn:oid:2.16.756.|[epr-spid]HTTP responsePayload: Bundle / OperationOutcomeQuery by Policy Set IDHTTPGET[baseUrl]/Consent?identifier=[uuid]HTTP responsePayload: Bundle / OperationOutcome

The response is a PpqmResponseBundle resource containing zero or more PpqmConsent resources.

Further Aspects

In order to provide interoperability between CH:PPQ and CH:PPQm, the CH:PPQm integration profile defines transformation rules between XACML 2.0 Policy Sets and PpqmConsent resources.