clair054

During the GDPR discussions at the HL7 workgroup meeting in Cologne , we uncovered a potential 'nice to have' in the general information technology space, an 'Erasure Receipt'. The idea is that GDPR includes Article 17 the Right to Erasure ( Recital 65 - Right of rectification and erasure ), which is similar to the 'Right to be Forgotten' ( Recital 66 - Right to be forgotten ). In GPDR there are requirements that the data controller must pass on the Erasure request to other downstream Controllers that they have disclosed the data to; AND they must inform the Individual of each of these downstream Controllers ( Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing ). The Erasure Receipt would focus on making statements about the act of Erasure.  I think this would be good to get as domain independent, not something that Healthcare does alone. Like a Consent Receipt Much like the "Consent Receip...

I just finished a very long week in Cologne at the HL7 workgroup meeting and FHIR Connectathon. I had the idea that I could host a discussion of how to use FHIR in a GDPR compliant organization. So I created a FHIR Connectathon track. This track was hopeful that we could do testing with various parts of the FHIR specification. We ended up talking more about generally how to use the various capabilities that exist in FHIR to meet the various Articles in GDPR. FHIR is GDPR enabled The Security Workgroup and the Privacy (CBCC or CBCP) are global workgroups, so we have been aware of GDPR for many years. As concrete needs came up we would add that capability. Thus FHIR includes many capabilities that can be leveraged to meet GDPR needs. From a purely geek perspective the GDPR is not technically unusual, it simply places some higher emphasis on Privacy and Security capabilities. Thus overall the GDPR is a good thing to me, as it validates and will leverage the work I have spent 20 years deve...