FHIR CI-Build

This is the Continuous Integration Build of FHIR (will be incorrect/inconsistent at times).
See the Directory of published versions icon

Security icon Work GroupMaturity Level: 0 Trial UseSecurity Category: Not Classified Compartments: No defined compartments

Detailed Descriptions for the elements in the Permission resource.

Permission
Element IdPermission
Definition

Permission resource holds access rules for a given data and context.

Short DisplayAccess Rules
Cardinality0..*
TypeDomainResource
Summaryfalse
Permission.status
Element IdPermission.status
Definition

Status.

Short Displayactive | entered-in-error | draft | rejected
Cardinality1..1
Terminology BindingPermission Status (Required)
Typecode
Summarytrue
Permission.asserter
Element IdPermission.asserter
Definition

The person or entity that asserts the permission.

Short DisplayThe person or entity that asserts the permission
Cardinality0..1
TypeReference(Practitioner | PractitionerRole | Organization | CareTeam | Patient | RelatedPerson | HealthcareService)
Summarytrue
Permission.date
Element IdPermission.date
Definition

The date that permission was asserted.

Short DisplayThe date that permission was asserted
Cardinality0..*
TypedateTime
Alternate Namesclass
Summarytrue
Permission.validity
Element IdPermission.validity
Definition

The period in which the permission is active.

Short DisplayThe period in which the permission is active
Cardinality0..1
TypePeriod
Alternate Namestype
Summarytrue
Permission.justification
Element IdPermission.justification
Definition

The asserted justification for using the data.

Short DisplayThe asserted justification for using the data
Cardinality0..1
Summarytrue
Permission.justification.basis
Element IdPermission.justification.basis
Definition

This would be a codeableconcept, or a coding, which can be constrained to , for example, the 6 grounds for processing in GDPR.

Short DisplayThe regulatory grounds upon which this Permission builds
Cardinality0..*
Terminology BindingConsent PolicyRule Codes (Example)
TypeCodeableConcept
Summarytrue
Permission.justification.evidence
Element IdPermission.justification.evidence
Definition

Justifing rational.

Short DisplayJustifing rational
Cardinality0..*
TypeReference(Any)
Summarytrue
Comments

While any resource may be used, DocumentReference, Consent, PlanDefinition, and Contract would be most frequent

Permission.combining
Element IdPermission.combining
Definition

Defines a procedure for arriving at an access decision given the set of rules.

Short Displaydeny-overrides | permit-overrides | ordered-deny-overrides | ordered-permit-overrides | deny-unless-permit | permit-unless-deny
Cardinality1..1
Terminology BindingPermission Rule Combining (Required)
Typecode
Is Modifiertrue (Reason: Defines how the rules are to be combined.)
Summarytrue
Comments

see XACML Combining Rules icon

Permission.rule
Element IdPermission.rule
Definition

A set of rules.

Short DisplayConstraints to the Permission
Cardinality0..*
Element Order MeaningThe order of the rules processing is defined in rule combining selected in .combining element.
Summarytrue
Comments

Each .rule is evaulated within the combining rule identified in the .combining element.

Permission.rule.type
Element IdPermission.rule.type
Definition

deny | permit.

Short Displaydeny | permit
Cardinality0..1
Terminology BindingConsent Provision Type (Required)
Typecode
Is Modifiertrue (Reason: Sets the context for the meaning of the rules.)
Summarytrue
Permission.rule.data
Element IdPermission.rule.data
Definition

A description or definition of which activities are allowed to be done on the data.

Short DisplayThe selection criteria to identify data that is within scope of this provision
Cardinality0..*
Summarytrue
Comments

Within a .rule any repititions of the .data element are in an OR relationship. That is to say that the data identified by the rule is all the data identified by all repititions of .data. Thus to identify one rule that applies to data tagged with STD and data that is tagged with HIV, one would repeat this at the .data level. Within the .data element, all elements and all repetitions of elements, are in an AND relationship. Thus to select data that has both STD and HIV one puts both into one .rule. To have different rules for STD from HIV, one would need to have two .rule elements. To have a rule that applies to both, those that have just STD and just HIV, this repitition may also be done at the data level as described above.

Permission.rule.data.resource
Element IdPermission.rule.data.resource
Definition

Explicit FHIR Resource references.

Short DisplayExplicit FHIR Resource references
Cardinality0..*
Summarytrue
Permission.rule.data.resource.meaning
Element IdPermission.rule.data.resource.meaning
Definition

How the resource reference is interpreted when testing consent restrictions.

Short Displayinstance | related | dependents | authoredby
Cardinality1..1
Terminology BindingConsent Data Meaning (Required)
Typecode
Summarytrue
Permission.rule.data.resource.reference
Element IdPermission.rule.data.resource.reference
Definition

A reference to a specific resource that defines which resources are covered by this consent.

Short DisplayThe actual data reference
Cardinality1..1
TypeReference(Any)
Summarytrue
Permission.rule.data.security
Element IdPermission.rule.data.security
Definition

The data in scope are those with the given codes present in that data .meta.security element.

Short DisplaySecurity tag code on .meta.security
Cardinality0..*
TypeCoding
Summarytrue
Comments

Note the ConfidentialityCode vocabulary indicates the highest value, thus a security label of "R" then it applies to all resources that are labeled "R" or lower. E.g. for Confidentiality, it's a high water mark. For other kinds of security labels, subsumption logic applies. When the purpose of use tag is on the data, access request purpose of use shall not conflict.

Permission.rule.data.period
Element IdPermission.rule.data.period
Definition

Clinical or Operational Relevant period of time that bounds the data controlled by this rule.

Short DisplayTimeframe encompasing data create/update
Cardinality0..1
TypePeriod
Summarytrue
Comments

This has a different sense to the .validity.

Permission.rule.data.expression
Element IdPermission.rule.data.expression
Definition

Used when other data selection elements are insufficient.

Short DisplayExpression identifying the data
Cardinality0..1
TypeExpression
Summarytrue
Permission.rule.activity
Element IdPermission.rule.activity
Definition

A description or definition of which activities are allowed to be done on the data.

Short DisplayA description or definition of which activities are allowed to be done on the data
Cardinality0..*
Summarytrue
Comments

Within a .rule any repititions of the .activity element are in an OR relationship. That is to say that the rule applies to all the repititions of .activity. Thus to identify one rule that applies to both TREAT and HOPERAT, one would have one rule with repititions at the .activity level. Within the .activity element, all elements and all repetitions of elements, are in an AND relationship. Thus to control an actity that is covering purpose of both TREAT and HOPERAT, one rule with an .activity .purpose holding both TREAT and HOPERAT can define that rule. However this will not cover activities covering only TREAT, for that repeat at the .activity with just a .purpose of TREAT.

Permission.rule.activity.actor
Element IdPermission.rule.activity.actor
Definition

The actor(s) authorized for the defined activity.

Short DisplayAuthorized actor(s)
Cardinality0..*
TypeReference(Device | Group | CareTeam | Organization | Patient | Practitioner | RelatedPerson | PractitionerRole)
Summarytrue
Permission.rule.activity.action
Element IdPermission.rule.activity.action
Definition

Actions controlled by this Rule.

Short DisplayActions controlled by this rule
Cardinality0..*
Terminology BindingConsent Action Codes (Example)
TypeCodeableConcept
Summarytrue
Comments

Note that this is the direct action (not the grounds for the action covered in the purpose element). At present, the only action in the understood and tested scope of this resource is 'read'.

Permission.rule.activity.purpose
Element IdPermission.rule.activity.purpose
Definition

The purpose for which the permission is given.

Short DisplayThe purpose for which the permission is given
Cardinality0..*
Terminology BindingPurposeOfUse icon (Preferred)
TypeCodeableConcept
Summarytrue
Permission.rule.limit
Element IdPermission.rule.limit
Definition

What limits apply to the use of the data.

Short DisplayWhat limits apply to the use of the data
Cardinality0..*
Terminology BindingExample set of Event / Bundle used Security Labels (Example)
TypeCodeableConcept
Summarytrue
Comments

Within a .rule all repititions of the .limit all apply to the rule. That is to say if there are multiple limits, and the rule permits the activity, then all the identified limits are applied to that authorized activity.