Submitted by: HL7 EHR Interoperability WG - Gary Dickinson Revision date: 1 October 2009

Submitted date: 1 October 2009 Change request ID: <<Change Request ID>>

Contents

Issue

Allow Access Permissions/Authorizations in CDA R3 Instances

Recommendation

Embed access controls specific to: individuals or roles

Embed access controls to: entire document content, section content, template content, discrete attribute content

Rationale

Possibly the best way to establish and persist permissions/authorizations is to embed access control notations in each document instance (when applicable). Access control parameters are included at request of document subject (e.g., patient), author or source organization and are carried out (honored) by each downstream document recipient.

Discussion

Recommended Action Items

Resolution

April 13, 2010 SDWG: Agree with the need for a dynamic access control process. Since it can be dynamic (i.e. can change after document legal authentication), the committee feels this should be managed external to the CDA document, where it references into the CDA document, at the appropriate level of granularity (e.g. document level, section level). "Hooks" for access control may include clinicalDocument.confidentialityCode, etc. We resolve to change clinicalDocument.confidentialityCode, bodyChoice.confidentialityCode, and section.confidentialityCode to be a set. We recommend further discussion with CBCC and Security WGs. Opposed: 0; Abstain: 0; In favor: 8.