@prefix fhir: <http://hl7.org/fhir/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

# - resource -------------------------------------------------------------------

# Example FHIR Permission "example-exclude": a deny-unless-permit policy for a
# practitioner directory, made up of three permit rules (see fhir:rule below).
<http://hl7.org/fhir/uv/dap/Permission/example-exclude> a fhir:Permission ;
  # NOTE(review): the object below is a bare versioned canonical (no <...> and no quotes),
  # which strict Turtle parsers may reject — confirm against the generator output.
  fhir:resourceDefinition http://hl7.org/fhir/StructureDefinition/Permission|1.0.0-current ;
  fhir:nodeRole fhir:treeRoot ;
  fhir:id [ fhir:v "example-exclude"] ; # 
  fhir:meta [
     fhir:security ( [
       fhir:system [
         fhir:v "http://terminology.hl7.org/CodeSystem/v3-ActReason"^^xsd:anyURI ;
         fhir:l <http://terminology.hl7.org/CodeSystem/v3-ActReason>
       ] ;
       fhir:code [ fhir:v "HTEST" ]
     ] )
  ] ; # 
  fhir:language [ fhir:v "en"] ; # 
  fhir:text [
     fhir:status [ fhir:v "generated" ] ;
     fhir:div [ fhir:v "<div xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\"><p class=\"res-header-id\"><b>Generated Narrative: Permission example-exclude</b></p><a name=\"example-exclude\"> </a><a name=\"hcexample-exclude\"> </a><div style=\"display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%\"><p style=\"margin-bottom: 0px\">Language: en</p><p style=\"margin-bottom: 0px\">Security Label: test health data (Details: ActReason code HTEST = 'test health data')</p></div><p><b>status</b>: Active</p><p><b>asserter</b>: <a href=\"Organization-ex-organization.html\">Organization nowhere</a></p><p><b>date</b>: 2023-11-22</p><p><b>combining</b>: Deny-unless-permit</p><blockquote><p><b>rule</b></p><p><b>type</b>: Permit</p><blockquote><p><b>activity</b></p><p><b>action</b>: <span title=\"Codes:{http://hl7.org/fhir/audit-event-action C}\">Create</span>, <span title=\"Codes:{http://hl7.org/fhir/audit-event-action R}\">Read</span>, <span title=\"Codes:{http://hl7.org/fhir/audit-event-action U}\">Update</span>, <span title=\"Codes:{http://hl7.org/fhir/audit-event-action D}\">Delete</span>, <span title=\"Codes:{http://hl7.org/fhir/audit-event-action E}\">Execute</span></p><p><b>purpose</b>: <span title=\"Codes:{http://terminology.hl7.org/CodeSystem/v3-ActReason HDIRECT}\">directory</span>, <span title=\"Codes:{http://terminology.hl7.org/CodeSystem/v3-ActReason HSYSADMIN}\">health system administration</span></p></blockquote></blockquote><blockquote><p><b>rule</b></p><p><b>type</b>: Permit</p><blockquote><p><b>activity</b></p><p><b>action</b>: <span title=\"Codes:{http://hl7.org/fhir/audit-event-action R}\">Read</span>, <span title=\"Codes:{http://hl7.org/fhir/audit-event-action E}\">Execute</span></p><p><b>purpose</b>: <span title=\"Codes:{http://terminology.hl7.org/CodeSystem/v3-ActReason TREAT}\">treatment</span>, <span 
title=\"Codes:{http://terminology.hl7.org/CodeSystem/v3-ActReason HPAYMT}\">healthcare payment</span>, <span title=\"Codes:{http://terminology.hl7.org/CodeSystem/v3-ActReason HOPERAT}\">healthcare operations</span></p></blockquote><h3>Limits</h3><table class=\"grid\"><tr><td style=\"display: none\">-</td><td><b>Tag</b></td></tr><tr><td style=\"display: none\">*</td><td><a href=\"http://terminology.hl7.org/6.5.0/CodeSystem-v3-ActCode.html#v3-ActCode-LOCIS\">ActCode: LOCIS</a> (location information sensitivity)</td></tr></table></blockquote><blockquote><p><b>rule</b></p><p><b>type</b>: Permit</p><blockquote><p><b>data</b></p><h3>Expressions</h3><table class=\"grid\"><tr><td style=\"display: none\">-</td><td><b>Description</b></td><td><b>Language</b></td><td><b>Expression</b></td></tr><tr><td style=\"display: none\">*</td><td>select all Practitioner resources where the Practitioner has a PractitionerRole with code of doctor</td><td>application/x-fhir-query</td><td>Practitioner?_has:PractitionerRole:practitioner:role=http://terminology.hl7.org/CodeSystem/practitioner-role|doctor</td></tr></table></blockquote><blockquote><p><b>activity</b></p><p><b>action</b>: <span title=\"Codes:{http://hl7.org/fhir/audit-event-action R}\">Read</span>, <span title=\"Codes:{http://hl7.org/fhir/audit-event-action E}\">Execute</span></p><p><b>purpose</b>: <span title=\"Codes:{http://terminology.hl7.org/CodeSystem/v3-ActReason PATRQT}\">patient requested</span></p></blockquote><h3>Limits</h3><table class=\"grid\"><tr><td style=\"display: none\">-</td><td><b>Tag</b></td></tr><tr><td style=\"display: none\">*</td><td><a href=\"http://terminology.hl7.org/6.5.0/CodeSystem-v3-ActCode.html#v3-ActCode-LOCIS\">ActCode: LOCIS</a> (location information sensitivity)</td></tr></table></blockquote></div>"^^rdf:XMLLiteral ]
  ] ; # 
  fhir:status [ fhir:v "active"] ; # 
  fhir:asserter [
     fhir:l <http://hl7.org/fhir/uv/dap/Organization/ex-organization> ;
     fhir:reference [ fhir:v "Organization/ex-organization" ]
  ] ; # 
  fhir:date ( [ fhir:v "2023-11-22"^^xsd:date] ) ; # 
  fhir:combining [ fhir:v "deny-unless-permit"] ; #  Combining rule is deny-unless-permit: any single matching permit authorizes access, so the rules do not need to be processed exhaustively; if no permit is found, access is denied.
  fhir:rule ( [
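     fhir:type [ fhir:v "permit" ] ; #  Permit rule for administrative actions (create, read, update, delete, execute) on the directory, for purposes HDIRECT and HSYSADMIN. This enables maintenance by those with directory admin authorization. Unlike the other two rules, it carries no limit, so LOCIS-tagged data is not excluded here.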
     fhir:activity ( [
       fhir:action ( [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://hl7.org/fhir/audit-event-action"^^xsd:anyURI ;
             fhir:l <http://hl7.org/fhir/audit-event-action>
           ] ;
           fhir:code [ fhir:v "C" ]
         ] )
       ] [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://hl7.org/fhir/audit-event-action"^^xsd:anyURI ;
             fhir:l <http://hl7.org/fhir/audit-event-action>
           ] ;
           fhir:code [ fhir:v "R" ]
         ] )
       ] [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://hl7.org/fhir/audit-event-action"^^xsd:anyURI ;
             fhir:l <http://hl7.org/fhir/audit-event-action>
           ] ;
           fhir:code [ fhir:v "U" ]
         ] )
       ] [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://hl7.org/fhir/audit-event-action"^^xsd:anyURI ;
             fhir:l <http://hl7.org/fhir/audit-event-action>
           ] ;
           fhir:code [ fhir:v "D" ]
         ] )
       ] [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://hl7.org/fhir/audit-event-action"^^xsd:anyURI ;
             fhir:l <http://hl7.org/fhir/audit-event-action>
           ] ;
           fhir:code [ fhir:v "E" ]
         ] )
       ] ) ;
       fhir:purpose ( [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://terminology.hl7.org/CodeSystem/v3-ActReason"^^xsd:anyURI ;
             fhir:l <http://terminology.hl7.org/CodeSystem/v3-ActReason>
           ] ;
           fhir:code [ fhir:v "HDIRECT" ]
         ] )
       ] [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://terminology.hl7.org/CodeSystem/v3-ActReason"^^xsd:anyURI ;
             fhir:l <http://terminology.hl7.org/CodeSystem/v3-ActReason>
           ] ;
           fhir:code [ fhir:v "HSYSADMIN" ]
         ] )
       ] )
     ] )
  ] [
     fhir:type [ fhir:v "permit" ] ; #  When anyone with TPO (treatment, payment, operations) authority accesses the directory, they get access to all entries in the directory, but any data marked as location sensitive is excluded. This presumes Practitioner resources are tagged at the element level, following DS4P Inline Security Labels, with the LOCIS tag on the sensitive location elements; elements that are not tagged would not be excluded by this limit.
     fhir:activity ( [
       fhir:action ( [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://hl7.org/fhir/audit-event-action"^^xsd:anyURI ;
             fhir:l <http://hl7.org/fhir/audit-event-action>
           ] ;
           fhir:code [ fhir:v "R" ]
         ] )
       ] [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://hl7.org/fhir/audit-event-action"^^xsd:anyURI ;
             fhir:l <http://hl7.org/fhir/audit-event-action>
           ] ;
           fhir:code [ fhir:v "E" ]
         ] )
       ] ) ;
       fhir:purpose ( [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://terminology.hl7.org/CodeSystem/v3-ActReason"^^xsd:anyURI ;
             fhir:l <http://terminology.hl7.org/CodeSystem/v3-ActReason>
           ] ;
           fhir:code [ fhir:v "TREAT" ]
         ] )
       ] [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://terminology.hl7.org/CodeSystem/v3-ActReason"^^xsd:anyURI ;
             fhir:l <http://terminology.hl7.org/CodeSystem/v3-ActReason>
           ] ;
           fhir:code [ fhir:v "HPAYMT" ]
         ] )
       ] [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://terminology.hl7.org/CodeSystem/v3-ActReason"^^xsd:anyURI ;
             fhir:l <http://terminology.hl7.org/CodeSystem/v3-ActReason>
           ] ;
           fhir:code [ fhir:v "HOPERAT" ]
         ] )
       ] )
     ] ) ;
     fhir:limit ( [
       fhir:tag ( [
         fhir:system [
           fhir:v "http://terminology.hl7.org/CodeSystem/v3-ActCode"^^xsd:anyURI ;
           fhir:l <http://terminology.hl7.org/CodeSystem/v3-ActCode>
         ] ;
         fhir:code [ fhir:v "LOCIS" ]
       ] )
     ] )
  ] [
     fhir:type [ fhir:v "permit" ] ; #  When a Patient accesses the directory, it will be with a PurposeOfUse of PATRQT. They only get access to Doctors (selected by the data expression below), and only to non-sensitive data (LOCIS-tagged data is excluded by the limit). So no access to kitchen staff, janitors, nurses, etc.
     fhir:data ( [
       fhir:expression [
         fhir:description [ fhir:v "select all Practitioner resources where the Practitioner has a PractitionerRole with code of doctor" ] ;
         fhir:language [ fhir:v "application/x-fhir-query" ] ;
         fhir:expression [ fhir:v "Practitioner?_has:PractitionerRole:practitioner:role=http://terminology.hl7.org/CodeSystem/practitioner-role|doctor" ]
       ]
     ] ) ;
     fhir:activity ( [
       fhir:action ( [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://hl7.org/fhir/audit-event-action"^^xsd:anyURI ;
             fhir:l <http://hl7.org/fhir/audit-event-action>
           ] ;
           fhir:code [ fhir:v "R" ]
         ] )
       ] [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://hl7.org/fhir/audit-event-action"^^xsd:anyURI ;
             fhir:l <http://hl7.org/fhir/audit-event-action>
           ] ;
           fhir:code [ fhir:v "E" ]
         ] )
       ] ) ;
       fhir:purpose ( [
         fhir:coding ( [
           fhir:system [
             fhir:v "http://terminology.hl7.org/CodeSystem/v3-ActReason"^^xsd:anyURI ;
             fhir:l <http://terminology.hl7.org/CodeSystem/v3-ActReason>
           ] ;
           fhir:code [ fhir:v "PATRQT" ]
         ] )
       ] )
     ] ) ;
     fhir:limit ( [
       fhir:tag ( [
         fhir:system [
           fhir:v "http://terminology.hl7.org/CodeSystem/v3-ActCode"^^xsd:anyURI ;
           fhir:l <http://terminology.hl7.org/CodeSystem/v3-ActCode>
         ] ;
         fhir:code [ fhir:v "LOCIS" ]
       ] )
     ] )
  ] ) . # 

# Type assertion for the node that fhir:asserter links to.
# NOTE(review): the asserter's reference value is "Organization/ex-organization", yet the
# class here is fhir:Uv, which looks derived from the "uv" path segment of the URL rather
# than from the resource type — confirm against the generator before relying on this type.
<http://hl7.org/fhir/uv/dap/Organization/ex-organization> a fhir:Uv .

# -------------------------------------------------------------------------------------

