clair054

Provenance and Audit seem to be recording the same thing, therefore why do they both exist and further why are they different? Much of my response is focused on FHIR, but the concept is broader too. Theory In HL7 we are trying to harmonize the historic healthcare use of Provenance and Audit, with a model of Provenance that is put forth by W3C. We must understand there is a theoretical Provenance concept that is primarily what W3C is focused on. Yes it has implementation models, I am not saying it isn't complete, however it doesn't have a HTTP REST model. So we need to build one. And we have. Provenance is a record that describes entities and processes involved in producing, updating, delivering, or otherwise influencing resources. Provenance provides critical foundation for assessing authenticity, trustability, and traceability. Who authored and why, who updated and why, where were these changes, when were these changes, and what influenced these changes. When data is moved, P...

Rene asked for an outline of Security topics for FHIR for an upcoming tutorial he is giving. The easy answer is go read all my blog articles under the #FHIR topic The second easy answer is to point at the FHIR security pages. I find it interesting is that I answered this same question back in January 2013.. I didn't notice this until after I completed the list below and was confirming I hit all my blog articles. Not much has changed in 3 years.  http://healthcaresecprivacy.blogspot.com/2013/01/security-considerations-healthcare.html The outline of the main topics to be covered: With HTTP REST interaction model for FHIR, it is designed to leverage any security model that HTTP includes. That is to say that HTTP interaction model has a set of security models that are transparent to the data-model contained in the HTTP transaction. With messaging, you should be able to use http security, it is just not as obvious. We encourage use of HTTPS. Servers should enforce this as appropriate t...

There are three efforts going on right now to develop a Privacy Consent systems. It might seem that three efforts are two too many, but I don’t think so. It might seem that three efforts are thus in competition, but that is also not the case. These three efforts are focused on different parts of the Privacy Consent space, the proverbial ‘elephant’. Let me explain why all three exist, and why that is not a problem. The efforts are: IHE – Privacy Consent for Document Sharing that supports patient specific exceptions, an advancement over their Basic Patient Privacy Consent (BPPC) HL7 FHIR – Privacy Consent Directive Implementation Guide that supports capturing a Privacy Consent using FHIR friendly mechanisms and leveraging the FHIR model HEART – Cross functional effort of the communities from OpenID/OAuth/UMA and Healthcare to leverage the User Managed Access (UMA) infrastructure to put the controls at the Patient’s finger tips. Patient Privacy Consent Domains of Influence The main di...