Track Name

GDPR

Submitting WG/Project/Implementer Group

Security WG

Track Orientation Presentation -- TBD

Justification

The justification for this track is to explore how the FHIR specification and Implementation Guides enable and support compliance with GDPR.

This is a collaborative effort, please sign up to help

Relevant background

Prior Connectathon track 201709 Consumer Centered Data Exchange and 201801 Consumer Centered Data Exchange

• HIMSS presentation on GDPR

Proposed Track Leads

• John Moehrke -Security WG co-chair - JohnMoehrke@gmail.com -- skype JohnMoehrke
• Alex Mense - Security WG co-chair
• Rene Spronk

Expected participants

• John Moehrke (HL7 Security co-chair) SME on FHIR Consent
• http://test.fhir.org/r3

Actors

• Agent-Systems -- any system participating in the creation, use, or disclosure of identifiable data
• etc...

FHIR Capabilities

Expect to produce a cross-reference between the existing FHIR Security & Privacy capabilities and how they aid with GDPR compliance.

• Provenance resource
• AuditEvent resource
• Consent resource
• Identity
  • Patient resource
  • RelatedPerson
  • Practitioner, PractitionerRole
  • Group
  • Organization
  • Location
  • etc.
• Security-label mechanism in all FHIR Resource definitions (.meta.security)
  • Confidentiality classification
  • Sensitivity classification
  • Compartment classification
  • Integrity classification
  • Handling caveat
• Security-label vocabulary (aka HCS)
• Signature datatype
• De-Identification
• Authorization mechanisms
  • SMART-on-FHIR
  • IHE-IUA
  • HEART
  • etc...
• User/system Authentication
  • Open-ID-Connect profile of OAuth
    • by way of SMART-on-FHIR
• Communications security
  • HTTPS

Testing Scenarios

TBD