HL7 FHIR Implementation Guide: Data Access Policies
1.0.0-current - International

HL7 FHIR Implementation Guide: Data Access Policies, published by HL7 International / Security. This guide is not an authorized publication; it is the continuous build for version 1.0.0-current built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/data-access-policies/ and changes regularly. See the Directory of published versions


Index

Official URL: http://hl7.org/fhir/uv/dap/ImplementationGuide/hl7.fhir.uv.dap
Version: 1.0.0-current
IG Standards status: Trial-use
Active as of 2025-11-07
Maturity Level: 1
Computable Name: DataAccessPolicies

This is the Security WG, FHIR data-access-policy incubator Implementation Guide. This guide is the formal location for the FHIR R6 Permission "Additional" Resource.

This documentation and set of artifacts are still undergoing development. This content is only for informative purposes.

Due to SUSHI not yet supporting profiling of an Additional Resource, all profiles and examples have been commented out.

The top menu allows quick navigation to the different sections, and a Table of Contents is provided with the entire content of this Implementation Guide. (Be aware that some pages have multiple tabs).

Use-Case analysis

The purpose of this IG is to include use-case analysis that enables the FHIR Permission resource to mature. These use-cases will confirm where the Permission resource is properly constructed, where updates are needed, and where core extensions and vocabulary are needed.

The use-cases and analysis are found on these pages:

Permission

Permission is a portion of an Access Control environment. It is provided in FHIR form to enable Access Control rules to more naturally utilize the FHIR model.

[Figure: Using Permission for Access Control. Diagram labels: FHIR: Rules; Access Control Implementation; Request Context (user identity, organization, purposeOfUse, activity (CRUDE), patient / subject, consent, data request parameters, data categories); Permissions; Consent; DataBase; Metadata (data sensitivity, patient / subject, organization, author, encounter, purposes of Use allowed, timeframe); data; Access Decision; Access Enforcement; FHIR Resources; Permit/Deny; Limits.]
Figure: Using Rules


Intellectual Property Considerations

While this implementation guide and the underlying FHIR are licensed as public domain, this guide includes examples making use of terminologies such as LOINC, SNOMED CT and others which have more restrictive licensing requirements. Implementers should make themselves familiar with licensing and any other constraints of terminologies, questionnaires, and other components used as part of their implementation process. In some cases, licensing requirements may limit the systems that data captured using certain questionnaires may be shared with.