This wiki has undergone a migration to Confluence found Here

201805 GDPR

From HL7Wiki
Jump to navigation Jump to search

Track Name


Submitting WG/Project/Implementer Group

Security WG

Track Orientation Presentation -- TBD


The justification for this track is to explore how the FHIR specification and Implementation Guides enable and support compliance with GDPR.

This is a collaborative effort, please sign up to help

Relevant background

Prior Connectathon track 201709 Consumer Centered Data Exchange and 201801 Consumer Centered Data Exchange

Proposed Track Leads

  • John Moehrke -Security WG co-chair - -- skype JohnMoehrke
  • Alex Mense - Security WG co-chair
  • Rene Spronk

Expected participants


  • Agent-Systems -- any system participating in the creation, use, or disclosure of identifiable data
  • etc...

FHIR Capabilities

Expect to produce a cross-reference between the existing FHIR Security & Privacy capabilities and how they aid with GDPR compliance.

  • Provenance resource
  • AuditEvent resource
  • Consent resource
  • Identity
    • Patient resource
    • RelatedPerson
    • Practitioner, PractitionerRole
    • Group
    • Organization
    • Location
    • etc.
  • Security-label mechanism in all FHIR Resource definitions (
    • Confidentiality classification
    • Sensitivity classification
    • Compartment classification
    • Integrity classification
    • Handling caveat
  • Security-label vocabulary (aka HCS)
  • Signature datatype
  • De-Identification
  • Authorization mechanisms
    • SMART-on-FHIR
    • IHE-IUA
    • HEART
    • etc...
  • User/system Authentication
    • Open-ID-Connect profile of OAuth
      • by way of SMART-on-FHIR
  • Communications security
    • HTTPS

Testing Scenarios