ISO/HL7 10781 - Electronic Health Record System Functional Model, Release 2.1
2.1.0 - CI Build

Publish Box goes here

: TI.1.2 Entity Authorization (Function) - XML Representation

Active as of 2024-11-23

Raw xml | Download


<Requirements xmlns="http://hl7.org/fhir">
  <id value="EHRSFMR2.1-TI.1.2"/>
  <meta>
    <profile value="http://hl7.org/ehrs/StructureDefinition/FMFunction"/>
  </meta>
  <text>
    <status value="extensions"/>
    <div xmlns="http://www.w3.org/1999/xhtml">
    <span id="description"><b>Statement <a href="https://hl7.org/fhir/versions.html#std-process" title="Normative Content" class="normative-flag">N</a>:</b> <div><p>Manage set(s) of EHR-S access control permissions.</p>
</div></span>

    
    <span id="purpose"><b>Description <a href="https://hl7.org/fhir/versions.html#std-process" title="Informative Content" class="informative-flag">I</a>:</b> <div><p>Entities are authorized to use components of an EHR-S in accordance with their scope of practice within local policy or legal jurisdiction. Authorization rules provide a proper framework for establishing access permissions and privileges for the use of an EHR system, based on user, role or context. A combination of these authorization categories may be applied to control access to EHR-S resources (i.e., functions or data), including at the operating system level.</p>
<ul>
<li>User based authorization refers to the permissions granted to access EHR-S resources based on the identity of an entity (e.g., user or software component).</li>
<li>Role based authorization refers to the permissions granted to access EHR-S resources based on the role of an entity. Examples of roles include: an application or device (tele-monitor or robotic); or a nurse, dietician, administrator, legal guardian, and auditor.</li>
<li>Context-based Authorization refers to the permissions granted to access EHR-S resources within a context, such as when a request occurs, explicit time, location, route of access, quality of authentication, work assignment, patient consents and authorization. See ISO 10181-3 Technical Framework for Access Control Standard. For example, an EHR-S might only allow supervising providers' context authorization to attest to entries proposed by residents under their supervision.</li>
</ul>
</div></span>
    

    

    
    <span id="requirements"><b>Criteria <a href="https://hl7.org/fhir/versions.html#std-process" title="Normative Content" class="normative-flag">N</a>:</b></span>
    
    <table id="statements" class="grid dict">
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>TI.1.2#01</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                <i>dependent</i>
                
                
                
                <span>SHALL</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>The system SHALL provide the ability to manage sets of access-control permissions granted to an entity (e.g., user, application, device) based on identity, role, and/or context according to scope of practice, organizational policy, and/or jurisdictional law.</p>
</div></span>
                
                
            </td>
        </tr>
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>TI.1.2#02</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                
                
                <span>SHALL</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>The system SHALL conform to function [[TI.2]] (Audit) to audit authorization actions as security events.</p>
</div></span>
                
                
            </td>
        </tr>
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>TI.1.2#03</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                <i>dependent</i>
                
                
                
                <span>SHALL</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>The system SHALL provide the ability to manage roles (e.g., clinician versus administrator) and contexts (e.g., legal requirements versus emergency situations) for authorization according to scope of practice, organizational policy, and/or jurisdictional law.</p>
</div></span>
                
                
            </td>
        </tr>
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>TI.1.2#04</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                
                
                <span>SHALL</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>The system SHALL maintain a revision history of all entity record modifications.</p>
</div></span>
                
                
            </td>
        </tr>
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>TI.1.2#05</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                <i>dependent</i>
                
                
                
                <span>MAY</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>The system MAY provide the ability to manage authorizations for the use of portable media in according to scope of practice, organizational policy, and/or jurisdictional law.</p>
</div></span>
                
                
            </td>
        </tr>
        
    </table>
</div>
  </text>
  <url value="http://hl7.org/ehrs/Requirements/EHRSFMR2.1-TI.1.2"/>
  <version value="2.1.0"/>
  <name value="TI_1_2_Entity_Authorization"/>
  <title value="TI.1.2 Entity Authorization (Function)"/>
  <status value="active"/>
  <date value="2024-11-23T08:20:40+00:00"/>
  <publisher value="EHR WG"/>
  <contact>
    <telecom>
      <system value="url"/>
      <value value="http://www.hl7.org/Special/committees/ehr"/>
    </telecom>
  </contact>
  <description value="Manage set(s) of EHR-S access control permissions."/>
  <purpose
           value="Entities are authorized to use components of an EHR-S in accordance with their scope of practice within local policy or legal jurisdiction. Authorization rules provide a proper framework for establishing access permissions and privileges for the use of an EHR system, based on user, role or context. A combination of these authorization categories may be applied to control access to EHR-S resources (i.e., functions or data), including at the operating system level.
- User based authorization refers to the permissions granted to access EHR-S resources based on the identity of an entity (e.g., user or software component).
- Role based authorization refers to the permissions granted to access EHR-S resources based on the role of an entity. Examples of roles include: an application or device (tele-monitor or robotic); or a nurse, dietician, administrator, legal guardian, and auditor.
- Context-based Authorization refers to the permissions granted to access EHR-S resources within a context, such as when a request occurs, explicit time, location, route of access, quality of authentication, work assignment, patient consents and authorization. See ISO 10181-3 Technical Framework for Access Control Standard. For example, an EHR-S might only allow supervising providers' context authorization to attest to entries proposed by residents under their supervision."/>
  <statement>
    <extension
               url="http://hl7.org/ehrs/StructureDefinition/requirements-dependent">
      <valueBoolean value="true"/>
    </extension>
    <key value="EHRSFMR2.1-TI.1.2-01"/>
    <label value="TI.1.2#01"/>
    <conformance value="SHALL"/>
    <conditionality value="false"/>
    <requirement
                 value="The system SHALL provide the ability to manage sets of access-control permissions granted to an entity (e.g., user, application, device) based on identity, role, and/or context according to scope of practice, organizational policy, and/or jurisdictional law."/>
    <derivedFrom value="EHR-S_FM_R1.1 IN.1.2#1"/>
  </statement>
  <statement>
    <extension
               url="http://hl7.org/ehrs/StructureDefinition/requirements-dependent">
      <valueBoolean value="false"/>
    </extension>
    <key value="EHRSFMR2.1-TI.1.2-02"/>
    <label value="TI.1.2#02"/>
    <conformance value="SHALL"/>
    <conditionality value="false"/>
    <requirement
                 value="The system SHALL conform to function [[TI.2]] (Audit) to audit authorization actions as security events."/>
    <derivedFrom value="EHR-S_FM_R1.1 IN.1.2#2"/>
  </statement>
  <statement>
    <extension
               url="http://hl7.org/ehrs/StructureDefinition/requirements-dependent">
      <valueBoolean value="true"/>
    </extension>
    <key value="EHRSFMR2.1-TI.1.2-03"/>
    <label value="TI.1.2#03"/>
    <conformance value="SHALL"/>
    <conditionality value="false"/>
    <requirement
                 value="The system SHALL provide the ability to manage roles (e.g., clinician versus administrator) and contexts (e.g., legal requirements versus emergency situations) for authorization according to scope of practice, organizational policy, and/or jurisdictional law."/>
    <derivedFrom value="EHR-S_FM_R1.1 IN.1.2#3"/>
  </statement>
  <statement>
    <extension
               url="http://hl7.org/ehrs/StructureDefinition/requirements-dependent">
      <valueBoolean value="false"/>
    </extension>
    <key value="EHRSFMR2.1-TI.1.2-04"/>
    <label value="TI.1.2#04"/>
    <conformance value="SHALL"/>
    <conditionality value="false"/>
    <requirement
                 value="The system SHALL maintain a revision history of all entity record modifications."/>
  </statement>
  <statement>
    <extension
               url="http://hl7.org/ehrs/StructureDefinition/requirements-dependent">
      <valueBoolean value="true"/>
    </extension>
    <key value="EHRSFMR2.1-TI.1.2-05"/>
    <label value="TI.1.2#05"/>
    <conformance value="MAY"/>
    <conditionality value="false"/>
    <requirement
                 value="The system MAY provide the ability to manage authorizations for the use of portable media in according to scope of practice, organizational policy, and/or jurisdictional law."/>
  </statement>
</Requirements>