FHIR Data Segmentation for Privacy, published by HL7 Security Working Group. This is not an authorized publication; it is the continuous build for version 1.0.0. This version is based on the current content of https://github.com/HL7/fhir-security-label-ds4p/ and changes regularly. See the Directory of published versions.
Note that the details of capability statements, audit profiles, and the ability to programmatically verify security labeling capabilities based on the capability statement are roadmap items for this IG and have not been fully addressed in this version.
Sender: an entity or system in custody of health information, such as an EHR or Personal Health Record (PHR) system, that initiates or responds to a request to share health information with a Receiver.
Receiver: an entity or system, such as an EHR or PHR, that initiates a request to receive health information, or is the intended recipient of health information.
Sender has implemented a Security Labeling Service, including the sec-label-basis, sec-label-classifier, and sec-label-related-artifact extensions, and Sender determines the applicable security labels to convey applicable policy.
Sender is able to audit Receiver enforcement of the security labels on a disclosed labeled Resource.
Sender is able to determine whether the Receiver reclassified a disclosed labeled Resource upon further disclosure by monitoring the Resource's Provenance chain.
Sender receives Receiver Client Registration request, which includes Receiver Capability Statement.
Sender inspects Receiver’s Security Labeling Capability Statements to determine whether Receiver Capabilities exceed, match, or are less than Sender Security Labeling Capabilities.
Happy Path:
Receiver’s Security Labeling Capabilities match Sender Security Labeling Capabilities.
Sender returns requested Resources with applicable security labels.
Unhappy Path:
Receiver has implemented Security Labeling and Privacy-Preserving Authorization Services, including the sec-label-basis, sec-label-classifier, and sec-label-related-artifact extensions. Receiver determines the applicable security labels to convey applicable policy.
Receiver manages and monitors its adherence to Sender Resource security labels.
Receiver is able to audit downstream Recipient enforcement of the security labels on a disclosed Resource.
Receiver is able to determine whether a downstream Recipient reclassified the security labels of a disclosed Resource by monitoring the Resource's Provenance chain.
Receiver discovers and retrieves prospective Sender Security Labeling Capability Statement.
Happy Path:
Receiver compares Sender Security Labeling Capability Statements with its own and determines that it is able to support security labels for applicable policies.
Receiver requests Client Registration, thereby agreeing to the Sender Security Labeling Capability Statement.
Receiver requests Resource with security labels.
Sender sends Receiver the labeled Resource.
Receiver consumes labeled Resource and persists associated security labels.
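The Receiver-side steps above (accept a labeled Resource, persist its labels, and later detect reclassification by a downstream Recipient through the Provenance chain) can be exercised with a small script. The following is an added example written for this page, not code from the IG or from any HL7 reference implementation. It assumes the IG's canonical extension URLs of the form `http://hl7.org/fhir/uv/security-label-ds4p/StructureDefinition/extension-sec-label-basis` (the same pattern for the classifier and related-artifact extensions), an example-only acceptance policy that every `meta.security` Coding must carry a sec-label-basis extension, the FHIR R4 Provenance shape (`target` for the derived resource, `entity.role` of `source` or `revision` for what it was derived from), and constructed sample resources.

```python
"""Receiver-side DS4P checks: accept and persist labels, then detect reclassification.

Added example for this page (not the IG's own code). Extension URLs follow the
IG's canonical naming and are assumed; the sample resources are constructed.
"""
import copy

IG_SD = "http://hl7.org/fhir/uv/security-label-ds4p/StructureDefinition/"
EXT_BASIS = IG_SD + "extension-sec-label-basis"            # assumed URL
EXT_CLASSIFIER = IG_SD + "extension-sec-label-classifier"  # assumed URL
EXT_RELATED = IG_SD + "extension-sec-label-related-artifact"  # assumed URL
DS4P_EXTS = {EXT_BASIS, EXT_CLASSIFIER, EXT_RELATED}

CONF = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
ACT = "http://terminology.hl7.org/CodeSystem/v3-ActCode"


def label_set(resource):
    """Security labels of a resource as a set of (system, code) pairs."""
    return {(c.get("system"), c.get("code"))
            for c in resource.get("meta", {}).get("security", [])}


def check_labeled_resource(resource):
    """Return a list of findings; an empty list means the Receiver accepts it.

    Example-only policy: a resource must be labeled, each label needs a system
    and code, and each label must carry a sec-label-basis extension.
    """
    findings = []
    labels = resource.get("meta", {}).get("security", [])
    if not labels:
        return ["no meta.security labels"]
    for coding in labels:
        if not coding.get("system") or not coding.get("code"):
            findings.append("label without system/code")
            continue
        exts = {e.get("url") for e in coding.get("extension", []) if e.get("url") in DS4P_EXTS}
        if EXT_BASIS not in exts:
            findings.append(f"{coding['code']}: no sec-label-basis extension")
    return findings


class ReceiverStore:
    """Persists accepted resources together with the labels they arrived with."""

    def __init__(self):
        self.resources = {}
        self.labels = {}  # "Type/id" -> set of (system, code)

    def ingest(self, resource):
        findings = check_labeled_resource(resource)
        if findings:
            return findings  # rejected; nothing persisted
        ref = f"{resource['resourceType']}/{resource['id']}"
        self.resources[ref] = copy.deepcopy(resource)
        self.labels[ref] = label_set(resource)
        return []


def detect_reclassification(store, provenance, downstream):
    """Compare labels on Provenance.target resources against the persisted labels
    of the source/revision entities they were derived from.

    `downstream` maps "Type/id" to the resource as held by the downstream Recipient.
    Returns {"source -> target": {"removed": [...], "added": [...]}} for any change.
    """
    targets = [t["reference"] for t in provenance.get("target", [])]
    sources = [e["what"]["reference"] for e in provenance.get("entity", [])
               if e.get("role") in ("source", "revision")]
    report = {}
    for src in sources:
        original = store.labels.get(src)
        if original is None:
            report[src] = "source never received by this Receiver"
            continue
        for tgt in targets:
            now = label_set(downstream[tgt])
            removed, added = original - now, now - original
            if removed or added:
                report[f"{src} -> {tgt}"] = {"removed": sorted(removed), "added": sorted(added)}
    return report


# Constructed sample data: a Sender-labeled Observation (restricted, substance-use
# sensitivity, basis 42 CFR Part 2), and a downstream copy relabeled as normal.
BASIS_42CFR = {"url": EXT_BASIS, "valueCoding": {"system": ACT, "code": "42CFRPart2"}}
SENDER_OBS = {"resourceType": "Observation", "id": "1", "status": "final",
              "meta": {"security": [{"system": CONF, "code": "R", "extension": [BASIS_42CFR]},
                                    {"system": ACT, "code": "ETH", "extension": [BASIS_42CFR]}]},
              "code": {"text": "constructed sample"}}
UNLABELED_OBS = {"resourceType": "Observation", "id": "9", "status": "final"}
DOWNSTREAM = {"Observation/2": {"resourceType": "Observation", "id": "2", "status": "final",
                                "meta": {"security": [{"system": CONF, "code": "N"}]}}}
PROVENANCE = {"resourceType": "Provenance", "target": [{"reference": "Observation/2"}],
              "entity": [{"role": "source", "what": {"reference": "Observation/1"}}]}


def run_example():
    """Ingest both samples, then check the downstream copy via its Provenance."""
    store = ReceiverStore()
    accepted = store.ingest(SENDER_OBS)
    rejected = store.ingest(UNLABELED_OBS)
    report = detect_reclassification(store, PROVENANCE, DOWNSTREAM)
    return accepted, rejected, report


if __name__ == "__main__":
    print(run_example())
```

The reclassification check deliberately compares against the labels persisted at ingest rather than against whatever the Sender currently serves, so a later change at the Sender is not mistaken for tampering by the downstream Recipient.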
Unhappy Path:
The EHR determines the jurisdiction/context applicable to the resource/bundle.
Resource/bundle, labeled by the SLS, is incorporated back in the EHR workflow.