EHR Interop - CDA R3 - Access Control
Submitted by: HL7 EHR Interoperability WG - Gary Dickinson Revision date: 1 October 2009
Submitted date: 1 October 2009 Change request ID: <<Change Request ID>>
Allow Access Permissions/Authorizations in CDA R3 Instances
Embed access controls specific to: individuals or roles
Embed access controls to: entire document content, section content, template content, discrete attribute content
Possibly the best way to establish and persist permissions/authorizations is to embed access control notations in each document instance (when applicable). Access control parameters are included at request of document subject (e.g., patient), author or source organization and are carried out (honored) by each downstream document recipient.
Recommended Action Items
April 13, 2010 SDWG: Agree with the need for a dynamic access control process. Since it can be dynamic (i.e. can change after document legal authentication), the committee feels this should be managed external to the CDA document, where it references into the CDA document, at the appropriate level of granularity (e.g. document level, section level). "Hooks" for access control may include clinicalDocument.confidentialityCode, etc. We resolve to change clinicalDocument.confidentialityCode, bodyChoice.confidentialityCode, and section.confidentialityCode to be a set. We recommend further discussion with CBCC and Security WGs. Opposed: 0; Abstain: 0; In favor: 8.