FHIR Chat · Policy, Consent and Permission · Security and Privacy

Stream: Security and Privacy

Topic: Policy, Consent and Permission


René Spronk (Jan 08 2021 at 10:55):

IMHO the XACML 'Policy' term encompasses (at least) the content of the FHIR Consent and Permission resources. Some policies may be fairly generic (e.g. GP/PCP is allowed to see all lab results), others (like consents) could be very specific ('Dr X is allowed to use lab result Y').
If you agree, then why don't we have a Policy resource, but two separate FHIR resources?

John Moehrke (Jan 08 2021 at 11:50):

The way that the current build looks is certainly confusing. Permission is intended to cover all policy space related to data access policy (as distinguished from dress-code policy). Yes, Permission should end up looking much like XACML, but in FHIR form and using FHIR terms like Resource. Once that is done, then that concept will be removed from Consent, and Consent will be a resource specific to management of the patient-specific policy. This would include the elements around when the consent ceremony happened and when it needs to happen again. This includes pointing at the scanned image of any paperwork that was part of the ceremony. The policy specifics would be in a Permission (or Permissions).

John Moehrke (Jan 08 2021 at 11:52):

What is holding us back... there are few interested in moving Consent forward, and it has a business driver. Far fewer want to write a generic policy resource. So, please help us uncover those interested in this.

Jose Costa Teixeira (Jan 08 2021 at 11:53):

[image attachment: image.png]

Jose Costa Teixeira (Jan 08 2021 at 11:54):

Permission is the right side. Policy is the top row (I think; sorry for the rough schema).

Jose Costa Teixeira (Jan 08 2021 at 11:54):

Consent is the bottom row.

John Moehrke (Jan 08 2021 at 12:14):

@Jose Costa Teixeira actually, all of those are in the scope of what we call "Consent" in FHIR. I have tried very hard to separate what we call "Consent" from a region's legal definition of the word "Consent". We need to pick words that can be broadly understandable and simple. This regional legal definition of a word is not what we are covering in FHIR (a global standard).


Last updated: Apr 12 2022 at 19:14 UTC