FHIR Chat · Legal Implications Operating a FHIR Server Test Instance · implementers

Stream: implementers

Topic: Legal Implications Operating a FHIR Server Test Instance


Alexander Kiel (Sep 03 2019 at 14:09):

Hi,

I currently work on a FHIR Server called Blaze. In order to execute conformance tests, for ease of availability for colleagues and for showcasing special functionality, I run a publicly available test instance. There are other well-known publicly available test instances. Now my question:

What happens if someone uploads real, identifiable patient data to my server? I (or my organization) will automatically share this GDPR relevant data. My server sits in Germany, so GDPR is relevant to me.

Firely has a public endpoint under https://vonk.fire.ly. There they ship an HTML page saying:

This is an open FHIR endpoint for testing and educational purposes only. Uploading real personal data is strictly prohibited.

Is that sufficient?

http://test.fhir.org/r4 doesn't say anything regarding uploading real data.
http://hapi.fhir.org says:

This is not a production server! Do not store any information here that contains personal health information or any other confidential information. This server will be regularly purged and reloaded with fixed test data.

Lloyd McKenzie (Sep 03 2019 at 14:41):

If all you've got is a RESTful API (no HTML), it's hard to provide any guidance - though sticking something in your ConformanceStatement could work if a human bothers to look at it.

Lloyd McKenzie (Sep 03 2019 at 14:44):

In practice it's fine to post real data. We have several people who have posted their own data. The issue is that you should only post data if you have a right to do so. (In practice, there could be licensing restrictions that would prevent you from posting purely synthetic data.) So long as it's clear to a reasonable person that the server is open and public, the only reasonable responsibility you might have is to allow deletion of data that was posted inappropriately. This would probably need to be a full purge rather than just a normal 'delete' which would retain history. That said, I'm not a lawyer...

Jose Costa Teixeira (Sep 03 2019 at 14:47):

From what I recall in medical device regulations, saying "you cannot use this for storing personal data" is good but does not fully exempt you from misuse (in other words, you have some responsibility to prevent misuse, not just a disclaimer).

Jose Costa Teixeira (Sep 03 2019 at 14:54):

For GDPR, my reading is (and I am also not a lawyer):
if I am storing my health data there (even if I shouldn't), I should be informed of what is happening with that data.
Some ideas for you to discuss with any "privacy group" you may have there:
1. you should state the obvious - "any data posted here is available publicly from anywhere in the world to do any processing they want".
2. if you do any processing of any data (e.g. counting patients named Smith), you should say so and for what purpose
3. If you do regular deletion or anonymisation, you should also state that, as safeguards. The initial notice "please do not store personal data here" also counts as a safeguard IMO

Grahame Grieve (Sep 03 2019 at 19:03):

I intend to make test.fhir.org GDPR compliant by supporting the ability to find out who accessed your data (AuditEvent) and allowing people to purge their data (as yet undefined operation, waiting on security), but they run into each other: on an open FHIR API you cannot do both.... GDPR divides the world into good and bad entities, whereas open ecosystems are full of actors who may be either.

Grahame Grieve (Sep 03 2019 at 19:04):

It's true that I haven't got GDPR mentioned on the web page, but there is a policy statement in the HTTP headers....


Last updated: Apr 12 2022 at 19:14 UTC