Stream: implementers
Topic: SSN (/National ID) masking
Cooper Thompson (Jan 09 2017 at 20:56):
Do we have any guidance on how to handle masking of sensitive data in a resource? The primary example I'm focused on is the SSN in the US. Sending a masked SSN as patient identifier seems like the best option, but the flaw with that approach is that the value "*3333" is not actually a real value in the http://hl7.org/fhir/sid/us-ssn code system (the real value being "111223333"). The alternative is sending unmasked data and relying on the client to apply masking, but then the problem becomes communicating what mask to apply (i.e. how many digits are shown, and how many should be masked).
The problem I'd like to avoid is an end-user seeing a masked SSN in the EHR, and then launching a SMART-on-FHIR app and seeing the unmasked SSN there.
Grahame Grieve (Jan 09 2017 at 21:02):
@Michelle (Moseman) Miller do I remember you asking about this before?
Lloyd McKenzie (Jan 09 2017 at 23:01):
I thought we'd defined an extension for that purpose (last example was postal code I think). I can't find it though.
Cooper Thompson (Jan 09 2017 at 23:05):
Was that extension for the purposes of communicating how to mask a value, or for the purpose of indicating that the value is already masked? I think (as a server implementer) I'd prefer the latter, since the consequence of ignoring the extension is safer.
Lloyd McKenzie (Jan 09 2017 at 23:30):
It's for communicating a value where part of the value has been withheld.
Michelle (Moseman) Miller (Jan 10 2017 at 01:49):
@Grahame Grieve and @Lloyd McKenzie -- good memory, it was GF#8665, which resulted in the extension-rendered-value.
Michelle (Moseman) Miller (Jan 10 2017 at 01:51):
http://build.fhir.org/extension-rendered-value.xml.html
Grahame Grieve (Jan 10 2017 at 01:53):
thx
Last updated: Apr 12 2022 at 19:14 UTC