Netherlands - Generic Functions for data exchange Implementation Guide
0.3.0 - ci-build

Netherlands - Generic Functions for data exchange Implementation Guide, published by Stichting Nuts. This guide is not an authorized publication; it is the continuous build for version 0.3.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/nuts-foundation/nl-generic-functions-ig/ and changes regularly. See the Directory of published versions

HealthcareProfessionalDelegationCredential

The HealthcareProfessionalDelegationCredential proves that a healthcare professional delegates authority to a healthcare provider. It is the Verifiable Credential counterpart of the AORTA SAML mandate token (mandaattoken). The healthcare professional signs the credential with the signing key of their UZI healthcare professional pass.

Overview

Purpose: Assert that a healthcare professional has delegated a defined set of authorized actions to a healthcare provider, within the scope of an authorization rule from the applicable agreement framework (afspraakstelsel).

Issuer: did:x509 of the healthcare professional that signs the credential. The certificate MUST be a UZI healthcare professional pass (pastype Z).

Subject: did:web of the healthcare provider within which the mandate is valid.

Status: draft

VC type: ["VerifiableCredential", "HealthcareProfessionalDelegationCredential"]

Trust anchors: PKIoverheid intermediate CAs for UZI healthcare professional passes, or future GIS-VN intermediate CAs.

Background

This credential replaces the AORTA SAML mandate token used to delegate authority from a healthcare professional to a healthcare provider.

The credential names the healthcare provider the mandate is issued to (hasDelegation.issuedTo) by its URA number. The binding between that URA number and the subject did:web of the healthcare provider must still be established through an additional credential presented in the same Verifiable Presentation.

By signing the credential with their UZI Z-pas, the healthcare professional makes a personal claim about the scope of the delegation: the authorization rule and the set of authorized actions.

Attributes

All fields below are scoped to credentialSubject.

| Path | IRI | Card. | Description / validation |
|---|---|---|---|
| id | - | 1 | did:web of the healthcare provider |
| @type | gis:HealthcareProvider | 1 | Always HealthcareProvider |
| hasDelegation.@type | gis:Delegation | 1 | Always Delegation |
| hasDelegation.issuedTo.@type | gis:HealthcareProvider | 1 | Always HealthcareProvider |
| hasDelegation.issuedTo.identifier.@type | schema:PropertyValue | 1 | Always Identifier |
| hasDelegation.issuedTo.identifier.system | schema:propertyID | 1 | Always http://fhir.nl/fhir/NamingSystem/ura |
| hasDelegation.issuedTo.identifier.value | schema:value | 1 | URA number of the healthcare provider within which the mandate is valid |
| hasDelegation.delegatedBy.@type | gis:HealthcareProfessional | 1 | Always HealthcareProfessional |
| hasDelegation.delegatedBy.identifier.@type | schema:PropertyValue | 1 | Always Identifier |
| hasDelegation.delegatedBy.identifier.system | schema:propertyID | 1 | Always http://fhir.nl/fhir/NamingSystem/uzi-nr-pers |
| hasDelegation.delegatedBy.identifier.value | schema:value | 1 | UZI number of the healthcare professional; MUST correspond to the UZI number in the issuer DID |
| hasDelegation.delegatedBy.roleCode | gis:roleCode | 1 | UZI role code of the healthcare professional; MUST correspond to the role code in the issuer DID |
| hasDelegation.scope.@type | gis:DelegationScope | 1 | Always DelegationScope |
| hasDelegation.scope.authorizationRule | gis:authorizationRule | 1 | URI of the authorization rule under which the mandate is issued |
| hasDelegation.scope.authorizedActions | gis:authorizedActions | 1..* | Authorized actions within the authorization rule |

The set of valid values for authorizationRule and authorizedActions is determined by the applicable agreement framework (afspraakstelsel).

Editorial note: The definitive value sets for authorizationRule and authorizedActions are still to be determined.

Semantic relations

The credential expresses the following entity model:

graph TD
    VC[HealthcareProfessionalDelegationCredential]
    VC -->|issuer| ISSUER["did:x509 (UZI Z-pas)"]
    VC -->|credentialSubject| HP["HealthcareProvider"]
    HP -->|id| HPID["did:web:huisarts-delinden.nl"]
    HP -->|hasDelegation| DEL["Delegation"]
    DEL -->|issuedTo| ITO["HealthcareProvider"]
    ITO -->|identifier| ITOID["Identifier"]
    ITOID -->|system| ITOSYS["http://fhir.nl/fhir/NamingSystem/ura"]
    ITOID -->|value| ITOVAL["12345678 (URA)"]
    DEL -->|delegatedBy| HCP["HealthcareProfessional"]
    HCP -->|identifier| HCPID["Identifier"]
    HCPID -->|system| HCPSYS["http://fhir.nl/fhir/NamingSystem/uzi-nr-pers"]
    HCPID -->|value| HCPVAL["90001234 (UZI-nr-pers)"]
    HCP -->|roleCode| HCPROLE["01.015 (UZI rolcode)"]
    DEL -->|scope| SCOPE["DelegationScope"]
    SCOPE -->|authorizationRule| RULE["http://gis-nl.example/authorizationRule/example"]
    SCOPE -->|authorizedActions| ACTIONS["[read, write]"]

JSON-LD Context

The credential uses the GIS JSON-LD context.

Example credential

The following is a non-normative example of a HealthcareProfessionalDelegationCredential using the W3C Verifiable Credentials Data Model 1.1 JWT encoding. It asserts that the healthcare professional with UZI 90001234 (role code 01.015) has delegated the actions read and write to the healthcare provider identified by did:web:huisarts-delinden.nl.

The values used for authorizationRule and authorizedActions are placeholders; actual values are governed by the applicable agreement framework.

JWT Header:

{
  "alg": "PS256",
  "typ": "JWT",
  "kid": "did:x509:0:sha256:YmFzZTY0...dHJ1c3Q=::san:otherName:2.16.528.1.1007.99.2110-1-12345678-Z-90001234-01.015-12345678#0",
  "x5c": [
    "MIIFjDCCA3SgAwIBAgIUe8Y...kortLeafCert...==",
    "MIIFcDCCA1igAwIBAgIUa5B...kortIntermediateCert...==",
    "MIIFZDCCAxygAwIBAgIUbGp...kortRootCert...=="
  ],
  "x5t#S256": "dGhpcyBpcyBhIGV4YW1wbGUgdGh1bWJwcmludA"
}

JWT Payload:

{
  "iss": "did:x509:0:sha256:YmFzZTY0...dHJ1c3Q=::san:otherName:2.16.528.1.1007.99.2110-1-12345678-Z-90001234-01.015-12345678",
  "sub": "did:web:huisarts-delinden.nl",
  "jti": "urn:uuid:b2c3d4e5-f6a7-8901-bcde-f23456789012",
  "nbf": 1740000000,
  "exp": 1786320000,
  "vc": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "http://gis-nl.example/"
    ],
    "type": [
      "VerifiableCredential",
      "HealthcareProfessionalDelegationCredential"
    ],
    "issuanceDate": "2025-02-20T00:00:00Z",
    "expirationDate": "2026-08-08T00:00:00Z",
    "credentialSubject": {
      "id": "did:web:huisarts-delinden.nl",
      "@type": "HealthcareProvider",
      "hasDelegation": {
        "@type": "Delegation",
        "issuedTo": {
          "@type": "HealthcareProvider",
          "identifier": {
            "@type": "Identifier",
            "system": "http://fhir.nl/fhir/NamingSystem/ura",
            "value": "12345678"
          }
        },
        "delegatedBy": {
          "@type": "HealthcareProfessional",
          "identifier": {
            "@type": "Identifier",
            "system": "http://fhir.nl/fhir/NamingSystem/uzi-nr-pers",
            "value": "90001234"
          },
          "roleCode": "01.015"
        },
        "scope": {
          "@type": "DelegationScope",
          "authorizationRule": "http://gis-nl.example/authorizationRule/example",
          "authorizedActions": ["read", "write"]
        }
      }
    }
  }
}

Validation

In addition to the generic validation steps from the Credential Catalog, verifiers MUST perform the following checks:

  1. The issuer is a did:x509 DID anchored in a trusted PKIoverheid intermediate CA for UZI healthcare professional passes (or a future GIS-VN intermediate CA); see the "Trust Anchors" section.
  2. The pastype encoded in the issuer did:x509 MUST be Z (healthcare professional pass). Other pastypes (e.g. N for named employee passes) MUST be rejected.
  3. The UZI number in credentialSubject.hasDelegation.delegatedBy.identifier.value MUST correspond to the UZI number encoded in the issuer did:x509.
  4. The UZI role code in credentialSubject.hasDelegation.delegatedBy.roleCode MUST correspond to the role code encoded in the issuer did:x509.
  5. The credential expirationDate MUST be on or before the notAfter date of the signing key's certificate.
  6. The values for authorizationRule and authorizedActions MUST be valid within the applicable agreement framework.
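As an added example (not code from the implementation guide or the Nuts project), the following Python verifier applies checks 2 to 6 above, plus the generic issuer/subject consistency checks, to the claims of the example credential. It assumes that JWT signature verification and chain building to the trust anchor (check 1) have already been done by the generic Credential Catalog steps; that the signing certificate's notAfter date is supplied by the caller instead of being parsed out of x5c; that the otherName fields sit at the positions shown in the page's example issuer (subscriber number, pastype, UZI number, role code, AGB code after the OID and version); and that ALLOWED_RULES is a constructed placeholder for the agreement framework's value sets, which the page says are still to be determined.

```python
"""Verifier-side checks for a HealthcareProfessionalDelegationCredential.

Added example; it models checks 2 to 6 from the Validation section on the
decoded JWT claims. Signature verification and trust-chain building (check 1)
are assumed to have happened before this code runs.
"""
from datetime import datetime

# Field positions inside the UZI otherName value, as laid out in the page's
# example issuer ("...2110-1-12345678-Z-90001234-01.015-12345678"):
# OID, version, subscriber number, pastype, UZI number, role code, AGB code.
# These positions are an assumption derived from that example.
PASTYPE_IDX, UZI_NR_IDX, ROLE_CODE_IDX = 3, 4, 5
OTHERNAME_FIELDS = 7

# Constructed placeholder for the agreement framework's value sets
# (authorizationRule -> permitted authorizedActions).
ALLOWED_RULES = {
    "http://gis-nl.example/authorizationRule/example": {"read", "write"},
}

# Claims of the page's example credential (constructed subset; only the
# fields the checks below need are included).
EXAMPLE_PAYLOAD = {
    "iss": "did:x509:0:sha256:YmFzZTY0...dHJ1c3Q=::san:otherName:"
           "2.16.528.1.1007.99.2110-1-12345678-Z-90001234-01.015-12345678",
    "sub": "did:web:huisarts-delinden.nl",
    "vc": {
        "expirationDate": "2026-08-08T00:00:00Z",
        "credentialSubject": {
            "id": "did:web:huisarts-delinden.nl",
            "hasDelegation": {
                "delegatedBy": {
                    "identifier": {"value": "90001234"},
                    "roleCode": "01.015",
                },
                "scope": {
                    "authorizationRule":
                        "http://gis-nl.example/authorizationRule/example",
                    "authorizedActions": ["read", "write"],
                },
            },
        },
    },
}


def parse_uzi_issuer(did: str) -> dict:
    """Extract pastype, UZI number and role code from a did:x509 issuer.

    Only the "::san:otherName:<value>" policy form used on the page is
    understood; anything else raises ValueError.
    """
    if not did.startswith("did:x509:"):
        raise ValueError("issuer is not a did:x509 DID")
    policies = did.split("::")[1:]
    san = [p for p in policies if p.startswith("san:otherName:")]
    if len(san) != 1:
        raise ValueError("issuer lacks a single san:otherName policy")
    # The OID contains dots but no hyphens, so a plain split is safe.
    fields = san[0][len("san:otherName:"):].split("-")
    if len(fields) != OTHERNAME_FIELDS:
        raise ValueError("otherName does not have 7 hyphen-separated fields")
    return {
        "pastype": fields[PASTYPE_IDX],
        "uzi_nr": fields[UZI_NR_IDX],
        "role_code": fields[ROLE_CODE_IDX],
    }


def _iso(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_delegation(payload: dict, cert_not_after: str) -> list:
    """Return the list of failed checks; an empty list means the claims pass."""
    vc = payload["vc"]
    subject = vc["credentialSubject"]
    delegation = subject["hasDelegation"]
    try:
        issuer = parse_uzi_issuer(payload["iss"])
    except ValueError as exc:
        return [f"issuer: {exc}"]

    failures = []
    if payload["sub"] != subject["id"]:
        failures.append("sub does not match credentialSubject.id")
    if issuer["pastype"] != "Z":                      # check 2
        failures.append(f"pastype {issuer['pastype']!r} is not Z")
    delegated_by = delegation["delegatedBy"]
    if delegated_by["identifier"]["value"] != issuer["uzi_nr"]:   # check 3
        failures.append("delegatedBy UZI number does not match issuer")
    if delegated_by["roleCode"] != issuer["role_code"]:           # check 4
        failures.append("delegatedBy roleCode does not match issuer")
    if _iso(vc["expirationDate"]) > _iso(cert_not_after):         # check 5
        failures.append("expirationDate is after the certificate's notAfter")
    scope = delegation["scope"]                                   # check 6
    allowed = ALLOWED_RULES.get(scope["authorizationRule"])
    if allowed is None:
        failures.append("authorizationRule not known to the agreement framework")
    else:
        extra = set(scope["authorizedActions"]) - allowed
        if extra:
            failures.append(f"authorizedActions not allowed: {sorted(extra)}")
    return failures


if __name__ == "__main__":
    # Constructed notAfter for the example signing certificate.
    print(validate_delegation(EXAMPLE_PAYLOAD, "2026-12-31T23:59:59Z"))
```

The binding between the URA in hasDelegation.issuedTo and the subject did:web is deliberately not checked here: as the Background section notes, it comes from a separate credential in the same Verifiable Presentation, so it belongs in the presentation-level verifier rather than in this credential's checks.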

Example use cases

  • A healthcare professional delegating a defined set of actions to the healthcare provider they work for, replacing the AORTA SAML mandate token.
  • A healthcare provider presenting proof of a personal mandate from a healthcare professional when requesting access to data held by another care organization, in addition to the organizational credentials of the requesting party.

Trust Anchors

The following trust chains are used for validating the credential:

  • Staat der Nederlanden Root CA - G3
    • Staat der Nederlanden Organisatie Persoon CA - G3
      • UZI-register Zorgverlener CA G3

Refer to https://cert.pkioverheid.nl/ for the certificates.