DHIN 2025Connectathon FHIR IG
0.1.0 - draft

DHIN 2025Connectathon FHIR IG, published by DHIN. This guide is not an authorized publication; it is the continuous build for version 0.1.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/Nigeria-FHIR-Community/2025Connectathon/ and changes regularly. See the Directory of published versions

Privacy and Security

Security and Access Control for Bundle Operations [work in progress]

To ensure the integrity, privacy, and appropriate use of health data, all operations on the NgBundle resource must comply with Nigeria’s national health data governance principles and security standards.

Authentication & Authorization

  • Authentication: All clients MUST be authenticated using OAuth2.0 with client credentials or SMART-on-FHIR tokens.
  • Authorization: Role-based access control (RBAC) MUST be enforced by the FHIR server based on user claims or scopes:
    • bundle.submit
    • bundle.read
    • bundle.write
    • bundle.sync
    • bundle.admin

Data Privacy & Filtering

  • Bundles are scoped to organization units (facility, LGA, state) using associated Organization.identifier.
  • Systems MUST not return bundles beyond the requestor’s scope (e.g., a facility user must not see state-wide data).
  • Sensitive elements such as deceasedDateTime, HIV status, or sibling records must follow data minimization principles when returned to mobile apps or public dashboards.

Operation-Specific Safeguards

  • $submit-ng-bundle: MUST validate using $validate-ng-bundle before committing to the server.
  • $remove-obsolete-bundles: REQUIRES elevated privileges (admin role) to execute.
  • $resolve-conflicts: SHOULD trigger a manual review workflow or return a conflict report before automated resolution.
  • $export-ng-bundle: SHOULD support export logging, throttling, and encryption of large payloads.

These access rules aim to balance data utility with privacy and compliance, in line with the Nigeria Data Protection Act (NDPA) and WHO SMART Guidelines.