An authorized organization in the trust framework that manages and distributes PKI material—such as public key certificates and revocation lists—to participants in the network. It ensures that this material is trustworthy and available, enabling VHL Sharers and VHL Receivers to verify digital signatures and authenticate the origin of shared data.

An individual—typically the patient or their delegate—who possesses a Verified Health Link (VHL), a signed data artifact that enables a VHL Receiver to verify its authenticity and access one or more health documents made available by a VHL Sharer.

A system or organization that receives a Verified Health Link (VHL) from a VHL Holder and uses it to retrieve health documents from a VHL Sharer, after verifying the authenticity and integrity of the VHL.

The VHL Sharer generates a VHL, provides the VHL to a VHL Holder, and responds to requests from a VHL Sharer to utilize the VHL.

Purpose:
Ensure that the VHL Sharer records audit events when health documents are accessed or retrieved using a Verified Health Link (VHL).

Description:
The VHL Sharer MAY record audit events for critical events involving document access. These MAY include:

• A request from a VHL Holder to generate a VHL
• A request from a VHL Receiver to retrieve one or more health documents using a valid VHL
• Any access to protected health content triggered by the use of a VHL

Purpose:
Ensure that the VHL Receiver generates audit records when receiving and using a Verified Health Link (VHL) to retrieve health information, in support of accountability and traceability.

Description:
The VHL Receiver MAY record audit events for critical events during its handling of a VHL. These MAY include:

• Receipt of a VHL from a VHL Holder
• Verification of the VHL's digital signature and trust chain
• Use of the VHL to retrieve referenced health documents from a VHL Sharer
• Access, rendering, or internal processing of the retrieved documents

The VHL Sharer and VHL Receiver SHALL jointly establish a secure connection prior to executing any Verified Health Link (VHL) transactions involving the exchange of sensitive data.

This requirement is satisfied by implementing secure channel establishment as defined in the Audit Trail and Node Authentication (ATNA) Profile, specifically through the Authenticate Node [ITI-19] transaction.

This requirement entails:

• The VHL Receiver initiating a secure connection as the client and presenting valid credentials
• The VHL Sharer responding as the server, presenting its own credentials and validating the client's credentials against a trusted Certificate Authority or Trust Anchor

Establishing this secure channel ensures confidentiality, integrity, and bilateral authentication of all subsequent communications, and fulfills the trust obligations defined in the Establish Trust requirement.

Before participating in any Verified Health Link (VHL) transactions, the VHL Sharer and VHL Receiver SHALL establish a trust relationship based on shared acceptance of a designated Trust Anchor.

​Trust is established by referencing and accepting public key material published and distributed in accordance with this specification ( via Retrieve Trust List Response).

All participants MUST validate digital signatures using keys that are anchored in the agreed trust framework.

The VHL Sharer SHALL generate a Verified Health Link (VHL) to be issued to a VHL Holder.

The Sharer SHALL conduct all necessary tasks to prepare the content referenced by the VHL. These tasks MAY be further defined by applicable content profiles or implementation guides, and MAY include:

• Generation of new documents in real time;
• Querying for existing documents (e.g., IPS, CDA, FHIR Bundles) associated with the VHL Holder; or
• Creation of digital signatures on one or more documents.

Once content preparation is complete, the Sharer SHALL construct the VHL payload and sign it to produce a cryptographically verifiable authorization mechanism.

Optional behaviors:

• The Sharer MAY record consent in accordance with the Record Consent requirement.
• The Sharer MAY log an audit event describing the VHL issuance, in accordance with the Audit Event – Accessed Health Data requirement.

A VHL Sharer or VHL Receiver, as a participant in the trust network, SHALL be capable of retrieving public key infrastructure (PKI) material from a designated Trust Anchor.

The retrieved material MAY include:

• Public key certificates and associated trust lists
• Certificate revocation data (e.g., CRLs, OCSP responses)
• Metadata used to:
  • Validate digital signatures on VHLs and related resources
  • Establish secure connections
  • Decrypt content protected via asymmetric encryption

Participants SHOULD cache the received trust list to reduce network and server load.

Preconditions:

• The requesting participant knows in advance the endpoint from which to retrieve PKI material, as published or distributed by the Trust Anchor.

When a VHL Sharer or VHL Receiver generates a new public-private key pair for use within the VHL trust network, they SHALL submit the corresponding public key material to the Trust Anchor for validation and inclusion in the trust list.

The submission MAY include metadata to support categorization of key usage (e.g., digital signatures, encryption, secure channels) and business or operational context.

The Provide VHL transaction enables a VHL Holder to transmit a Verified Health Link (VHL) to a VHL Receiver. The VHL serves as a signed authorization mechanism that allows the Receiver to subsequently retrieve one or more health documents from a VHL Sharer.

Depending on the use case, the VHL MAY be rendered or transmitted using formats such as QR code or deep link (HTTPS URL).

A VHL Sharer or VHL Receiver, after receiving PKI material from a Trust Anchor, SHALL validate and process the trust information for subsequent cryptographic operations.

Participants SHOULD:

• Cache the received trust list or certificate material to reduce network and server load
• Validate digital signatures or trust paths before use in VHL validation or secure channel sessions
• Monitor certificate expiration or revocation status where applicable

The VHL Receiver SHALL be capable of receiving a Verified Health Link (VHL) from a VHL Holder through a supported transport mechanism (e.g., QR code scan, direct URL, or digital message).

Upon receipt, the Receiver SHALL:

• Parse the VHL
• Validate its digital signature against a trusted key published by a recognized Trust Anchor
• Prepare to retrieve the associated health documents

Receipt of the VHL may occur through direct user interaction (e.g., scanning a QR code) or automated channels, depending on the implementation context.

The VHL Sharer MAY record audit events when health data is accessed through a Verified Health Link (VHL). These events support accountability, traceability, and compliance with applicable security and privacy regulations.

Audit records MAY include the following metadata:

• Timestamp of the access event
• Identity of the accessing actor (e.g., person or system)
• Type and identifier of the accessed resource (e.g., DocumentReference)
• Purpose of access, where available (e.g., treatment, consent verification)
• Outcome of the event (e.g., success, failure)

Audit events SHALL be represented using the FHIR AuditEvent resource, and SHOULD conform to applicable IHE profiles such as ATNA where appropriate. Implementers MAY define additional audit logging behavior to meet jurisdictional or organizational policies.

The VHL Sharer SHALL record the consent granted by a VHL Holder to authorize the sharing of their health data via a Verified Health Link (VHL). This consent confirms that the Holder agrees to the creation of a VHL and its use by authorized VHL Receivers to access specific health documents.

In this requirement, the VHL Sharer acts as a Consent Recorder, as defined in the Privacy Consent on FHIR (PCF) profile. Specifically, the Sharer SHALL initiate the Access Consent - ITI-108 transaction to formally capture the Holder's consent.

The ITI-108 transaction SHOULD be invoked as part of the actions triggered by a Generate VHL request, particularly when legal, jurisdictional, or organizational policy requires explicit, recorded consent prior to enabling document sharing.

This requirement enables lawful, transparent sharing of personal health information across organizations and trust domains.

The VHL Receiver SHALL initiate a request to retrieve a single health document from a VHL Sharer, using a previously received and validated Verified Health Link (VHL).

This transaction SHALL be conducted over a secure channel. Both the Receiver and Sharer SHALL validate each other's participation in the trust network using PKI material published by the Trust Anchor.

Optional behaviors:

• The VHL Receiver MAY verify the digital signature of the returned health document to confirm its authenticity, integrity, and provenance, as defined in the Verify Document Signature requirement.
• The VHL Sharer MAY record an audit event documenting the access request by the Receiver, in accordance with the Audit Event – Received Health Data requirement.

The VHL Receiver SHALL initiate a request to retrieve a set of health documents from a VHL Sharer, using a previously received and validated Verified Health Link (VHL).

Both the Receiver and Sharer SHALL validate each other's participation in the trust network using PKI material published by the Trust Anchor.

Optional behaviors:

• The VHL Sharer MAY record an audit event documenting the access request by the Receiver, in accordance with the Audit Event – Received Health Data requirement.
• This transaction MAY be conducted over a secure channel, as defined in the Audit Trail and Node Authentication (ATNA) Profile.

A VHL Holder initiates a request to a VHL Sharer to generate a Verified Health Link (VHL) that references one or more health documents. The resulting VHL allows the Holder to subsequently share access to those documents with a VHL Receiver. The Holder MAY include optional parameters to constrain or protect the issued VHL-such as defining an expiration period, scoping which documents are included, or requiring a passcode for retrieval. These parameters guide the Sharer's issuance of the VHL and influence the conditions under which the associated documents may be accessed.

Preconditions:

• The VHL Holder SHALL trust that the VHL Sharer has been authorized by its jurisdiction to generate VHLs and to provide access to the corresponding health documents.
• Optionally, the VHL Holder has selected consent directives or selective disclosure preferences, as permitted by the applicable content profile.

Upon receipt of public key material from a VHL Sharer or VHL Receiver, the Trust Anchor SHALL validate, organize, sign, and expose the PKI material as part of a trusted, canonical trust list.

Upon receipt of Retrieve Trust List Request from a VHL Sharer or VHL Receiver, the Trust Anchor SHALL organize, sign, and expose the PKI material as part of a trusted, canonical trust list.

This MAY include:

• Public key certificates, trust chains, or JWKS structures
• Revocation data (CRL or OCSP)
• Usage metadata (e.g., key type, scope, intended usage)

The Trust Anchor SHALL only respond with validated and trustworthy material in accordance with the governance policies of the VHL trust framework. This signed trust list enables all participants in the VHL trust network to verify digital signatures and establish secure connections in accordance with the governance policies of the Trust Anchor.

Upon receipt of this response, participants SHALL process the trust list as described in Receive Trust List.

The VHL Receiver, upon receiving a digitally signed health document from a VHL Sharer, MAY verify the document's digital signature using previously retrieved PKI material.

This verification process confirms the authenticity, integrity, and provenance of the document independently of the Verified Health Link (VHL) itself.

The public key used for this verification MAY:

• Originate from a different trust network than the one used to validate the VHL
• Be unrelated to the key used to validate the VHL signature

Implementers SHOULD consult cross-profile guidance regarding interoperability with the IHE Document Digital Signature (DSG) profile, particularly in cases where additional attestation, long-term non-repudiation, or multi-party signatures are involved.

CapabilityStatement for Trust Anchor Actor in the IHE IT Infrastructure Technical Framework Supplement IHE VHL. An authorized organization in the trust framework that manages and distributes PKI material—such as public key certificates and revocation lists—to participants in the network. It ensures that this material is trustworthy and available, enabling VHL Sharers and VHL Receivers to verify digital signatures and authenticate the origin of shared data.

Capability Statement for a VHL Receiver implementing the Retrieve Manifest [ITI-YY5] transaction as a client. This client searches for List resources using VHL-authorized manifest URLs and can request inclusion of DocumentReference resources via the _include parameter.

Capability Statement for a VHL Sharer implementing the Retrieve Manifest [ITI-YY5] transaction as a server. This server supports FHIR search on List resources with _include parameter to retrieve document manifests authorized by Verified Health Links.

This operation generates a QR code containing a Verifiable Health Link (VHL) for transmission or display.

Input Parameters:

• sourceIdentifier: Patient identifier (required)
• exp: Expiration time in Epoch seconds (optional)
• flag: Single-character flags in alphabetical order - L (long-term use), P (Passcode required), U (direct file access) (optional)
• label: Short description up to 80 characters (optional)
• passcode: User-supplied passcode for passcode-protected VHLs (optional)

Output Generation:

• Returns a Binary resource containing the QR code image (PNG or SVG format) that encodes the VHL as an HCERT/CWT structure.
• The QR code embeds the full SHL payload including the manifest URL and decryption key for secure access to health documents.

Integration test plan for the QR Code Generation and Validation Flow of the IHE ITI Verifiable Health Links (VHL) profile.

Scope: validates multi-actor, cross-transaction scenarios that span ITI-YY3 (Generate VHL), ITI-YY4 (Provide VHL), and ITI-YY5 (Retrieve Manifest). Tests verify that the QR code generated in YY3 can be decoded in YY4, that the decoded SHL payload's manifest URL is used correctly in YY5, and that the full end-to-end pipeline including passcode handling, signature verification, and VHL authorization succeeds.

Actors exercised: VHL Holder, VHL Sharer, VHL Receiver.

Integration test plan for the Trust Establishment workflow of the IHE ITI Verifiable Health Links (VHL) profile.

Scope: validates multi-actor, cross-transaction scenarios that span ITI-YY1 (Submit PKI Material) and ITI-YY2 (Retrieve Trust List) and cannot be covered by unit tests. Tests verify that a DID Document submitted in YY1 is subsequently retrievable via YY2 in the same session, that both the VHL Sharer and VHL Receiver can retrieve peer keys, that a full round-trip signature verification succeeds, and that revocation propagates correctly across actors.

Actors exercised: VHL Sharer, Trust Anchor, VHL Receiver.

Unit test plan for the Trust Anchor actor of the IHE ITI Verifiable Health Links (VHL) profile.

Scope: validates all behaviour expected of a Trust Anchor as described in ITI-YY1 (responder) and ITI-YY2 (responder). Each test suite (testCase) corresponds to one transaction and exercises three atomic feature files: message semantics (shared), responder expected actions, and security considerations.

Unit test plan for the VHL Receiver actor of the IHE ITI Verifiable Health Links (VHL) profile.

Scope: validates all behaviour expected of a VHL Receiver across its four transactions: submitting its own PKI material (ITI-YY1 initiator), retrieving the trust list (ITI-YY2 initiator), decoding and validating a VHL QR code (ITI-YY4 responder), and requesting the document manifest (ITI-YY5 initiator). Each test suite exercises three atomic feature files.

Unit test plan for the VHL Sharer actor of the IHE ITI Verifiable Health Links (VHL) profile.

Scope: validates all behaviour expected of a VHL Sharer across its four transactions: submitting its own PKI material (ITI-YY1 initiator), retrieving the trust list to obtain peer keys (ITI-YY2 initiator), generating VHLs on demand (ITI-YY3 responder), and serving document manifests to authorised VHL Receivers (ITI-YY5 responder). Each test suite corresponds to one transaction and exercises three atomic feature files.