FHIR Chat · Patient resource category · Security and Privacy

Stream: Security and Privacy

Topic: Patient resource category


John Moehrke (Apr 07 2022 at 20:42):

Discussion topic: Given that FHIR has a generalization categorization into security categories - http://hl7.org/fhir/security.html#SecPrivConsiderations

  • Anonymous Read
  • Business Sensitive
  • Individual Sensitive
  • Patient Sensitive
  • Not Classified

Which shows up at the green bar at the top of each Resource as a "Security Category"....

Patient resource itself is classified as Patient, http://hl7.org/fhir/patient.html

which seemed logical... but I think it might be better to think of this as Individual. All the data pointing at a Patient would be Patient category.

as in the access to the Patient resource should be similarly protected to access to Practitioner, Person, RelatedPerson, etc... all the individuals... (Note Person and RelatedPerson seems improper at Patient category. )

This is not the way it is identified today, but it seems more proper use of Individual category vs Patient category.

John Moehrke (Apr 07 2022 at 20:43):

if Practitioner and PractitionerRole are the only thing in Individual, then this category seems not very helpful. They might as well be Business?

John Moehrke (Apr 07 2022 at 20:46):

I think that Individual should group all those resources that identify an individual; such that one would consider the risks to that individual regardless of functional role implied by the Resource type.

John Moehrke (Apr 07 2022 at 20:51):

This recognizes that a Patient directory (e.g. an MPI) is protecting identity, not medical sensitive topics... Yes, the Patient holds identifiers, and yes the Patient is the link into the clinical data repository. But a Patient directory is focused on identity. Well managed Patient resource content can be used to keep exposure limited. (not uncommon for a national patient directory to have limited elements populated).

David Pyke (Apr 07 2022 at 20:52):

The fact that a patient has been treated at a specific clinic can be sufficient information to cause a problem for that patient. As such, leaving the Patient resource as Patient Sensitive makes sense

John Moehrke (Apr 07 2022 at 20:54):

I mentioned that... Those that will ignore good identity management, will allow derogatory comments to be in the notes fields that indicate that the patient is a jerk.

John Moehrke (Apr 07 2022 at 20:55):

I'm just struggling with why Patient, Person, and RelatedPerson are in the Patient category. Seems a disconnect. (Now we did indicate these were tendency and that any tendency means nothing when you use the data differently, such as synthetic data is clearly not patient data)

Lloyd McKenzie (Apr 07 2022 at 20:58):

RelatedPerson is tied to a single patient record. Person could be used in a manner that's not patient-specific but typically will be patient-specific. It'd be reasonable to tie it to both Patient and Individual categories if that were supported. However, if you have to pick one, Patient subsumes Individual.

John Moehrke (Apr 07 2022 at 20:59):

right, that is how we got here. but being here is not helping those on the outside understand the set of rule differences between identity resources and clinical resources

John Moehrke (Apr 07 2022 at 21:01):

the goal of the category was to be helpful. The initial problem was directory resources vs clinical resources... so identity resources were not as fully fleshed out. I am now recognizing that identity resources --may-- need a new perspective.

Brian Postlethwaite (Apr 10 2022 at 23:48):

Or permit multiple categories?

John Moehrke (Apr 11 2022 at 12:02):

Multiple categories... might as well go back to no categories. There is nothing preventing someone from putting patient data into a CapabilityStatement, and nothing preventing purely anonymous data from being in an Observation. So, permitting multiple categories is to say that all resources can be in all categories... which we already say.

John Moehrke (Apr 11 2022 at 12:05):

if the resource is really indeterminate, then categorize it as "Not Classified"

John Moehrke (Apr 11 2022 at 12:05):

My current approach is to make sure each category is clear, and that is why I am unclear about Individual, and thus why I am wondering why Patient, Person, and RelatedPerson are not in Individual.

Josh Mandel (Apr 11 2022 at 13:29):

I don't think the multiple categories suggestion is so catastrophic. Multiple categories would not be used to describe "anything that could possibly appear in a resource"; rather they would be used to describe the things that are likely and expected to occur in a resource when used within its intended scope.

In this circumstance for Related Person: when used as intended, the whole point of related person is to store a bit of information about the related individual, which is identifiable information about that individual like a name and phone number and street address... As well as an indication of their relationship to the patient which is to say this is the aunt or the chauffeur or the guardian or the ex-husband .. which is of course also information about the individual patient because it leaks the fact that they have an ex-husband or a guardian or whatever.

John Moehrke (Apr 11 2022 at 14:05):

which I think is why it is Patient category now. So, what then is the use in keeping the Individual category, as today it has exactly one resource in it, Practitioner. Thus, the alternative is to eliminate the Individual category. It clearly is not being found useful.

Josh Mandel (Apr 11 2022 at 14:17):

Yeah I guess I have not followed the history on this. What is the party line on why practitioner role is not listed as Individual as well? http://hl7.org/fhir/practitionerrole.html suggests it is... I'm really not clear on Person.

John Moehrke (Apr 11 2022 at 14:25):

I think the reason is.... well, that Individual is not well defined... :-)

John Moehrke (Apr 11 2022 at 14:26):

I could see the argument that PractitionerRole is more closely aligned with business knowledge, whereas Practitioner is reusable among many relationships to many organizations.

John Moehrke (Apr 11 2022 at 14:28):

my latest use-case is around purely a patient registry. This registry has no clinical data, so __that__ patient registry can treat the patient resources purely as Identity category.

John Moehrke (Apr 11 2022 at 14:28):

not to say that Identity is not sensitive, but rather to say that Identity is different sensitive than clinical data.

John Moehrke (Apr 11 2022 at 14:29):

purely "different", not higher or lower or bigger or smaller.. just different.

John Moehrke (Apr 11 2022 at 14:30):

I think I made a mistake when I didn't originally put Patient, RelatedPerson, and Person into Identity category.

Josh Mandel (Apr 11 2022 at 15:29):

That's fair, and I think it'd make sense to have those all under Identity. (And also putting Patient and Person in the patient category makes sense to me).

Generally I find these classifications quite useful, imperfect as they may be.


Last updated: Apr 12 2022 at 19:14 UTC