Stream: implementers
Topic: Attaching Patient Identifiers to Security Labels
Ken Sinn (Nov 16 2018 at 19:47):
Hi folks,
I'm trying to understand how Security Labels might work with Attribute-Based Access Control. Is there a way to encode/include Patient Identifier information in a resource's meta tag? We're looking at ways to apply Access Control to FHIR resources using the Security Labels, but also trying not to pry into the resource content itself to identify who the resource is about (e.g. reading the resource's subject element). That way, consent blocks and access control can be applied without messing with the data itself, and can generally be content-agnostic. How have other live implementations done this?
Thanks for any feedback!
Lloyd McKenzie (Nov 16 2018 at 19:51):
@John Moehrke ?
Grahame Grieve (Nov 17 2018 at 05:05):
Is there a way to encode/include Patient Identifier information in a resource's meta tag?
no. I think you need to provide more context
John Moehrke (Nov 17 2018 at 20:44):
in order to apply patient specific rules, you must look at the .patient and/or .subject. Putting this same information in a different location would be simply duplicative and thus an opportunity to be out-of-sync.
Mohammad Jafari (Nov 19 2018 at 02:10):
We reported this as one of the issues in Consent enforcement. Determining the identity of the patient whose Consent policy applies to a given resource is a challenge we have reported in our previous demos (see Section 1.8 here).
We dealt with this by a very simple graph traversal algorithm which starts from the given resource until it reaches a Patient resource which was sufficient for the purpose of the demo but arguably not a complete solution in all possible cases.
Last updated: Apr 12 2022 at 19:14 UTC
