Stream: Security and Privacy
Topic: Purpose of Use Labeling for request questions
Eric Haas (Oct 20 2021 at 19:34):
From http://build.fhir.org/security-labels.html#core
The Security Label vocabulary has three patterns of use: (1) Bundle: Security/Privacy considerations of a data set, (2) Context: Describe security/privacy context of a request for data, and (3) Meta Data: to indicate security/privacy meta about that data.
...
Context: Requests (e.g. Read, Query, message triggers) - would describe the context of the request using purposeOfUse and compartment/clearance. The request might declare the highest confidentiality desired. It is unlikely to see in a request a declaration of sensitivity or integrity. It is also unlikely to see Obligations within a Request. (See Bundle for Response, where these are appropriate)
...
Purpose of Use: These Purpose of Use codes (system = http://terminology.hl7.org/CodeSystem/v3-PurposeOfUse) are an indication of a reason for performing one or more operations on information, which may be permitted by the source system's security policy in accordance with one or more privacy policies and consent directives, such as collecting personal health information for research or public health purposes.
Notes may be used as:
The rationale or purpose for a request for data
The use limitation on a data Bundle
See discussion on HCS below
However, it is unclear how to implement POU with requests. So for CDEX we are proposing the following for Task-based requests for data:
- The intent and meaning when using the Task.meta.security element to "describe the context of the request using purposeOfUse" codes was unclear. Instead we elected to use purposeOfUse codes in a Task.input parameter to indicate the context of the request.
- It is unclear whether the Purpose of Use codes (system = http://terminology.hl7.org/CodeSystem/v3-PurposeOfUse) can be used to describe the context of a request for data, or whether they are limited to Security/Privacy considerations of a data set or about that data. For example, can CLMATTCH be used to indicate that a data request is for a claims audit?
Eric Haas (Oct 20 2021 at 19:36):
see this Example
John Moehrke (Oct 20 2021 at 20:29):
@Eric Haas I am not clear on what you are asking. Mostly because there is context that I am unaware of. I think it would be best to have a discussion rather than hope that this can be resolved on zulip.
John Moehrke (Oct 20 2021 at 20:36):
in a Query, the PurposeOfUse(s) would tend to be passed in as part of the security context. This is why it was added to SMART-on-FHIR and why it is fundamental to IHE IUA implementation guides. It might be implied by the security context, part of the trust-framework (all entities authorized within a given CA have agreed to policy that is stated as limited to a set of PurposeOfUse). Thus it is not always needed in every transaction. It is used as part of the authorization decision and enforcement. Any data returned in a response is expected to be usable for those PurposeOfUse that were in the request, and thus the data is not given for PurposeOfUse outside that request.
John Moehrke (Oct 20 2021 at 20:38):
on the vocabulary... If you have a concept that is not represented, then please use the vocabulary process to have your purposeOfUse added. If you don't think it is legitimate to add to HL7 vocabulary (THO), then you are free to create your own PurposeOfUse vocabulary, such as within your IG. Just like with any codesystem.
Eric Haas (Oct 20 2021 at 21:01):
Thanks John .... I think you answered my questions in part.
John Moehrke (Oct 20 2021 at 21:02):
that is scary
Eric Haas (Oct 20 2021 at 21:06):
in a Query, the PurposeOfUse(s) would tend to be passed in as part of the security context. This is why it was added to SMART-on-FHIR
@John Moehrke I just did a search of the Smart spec and did not find any mention of PurposeofUse. Can you point out the salient section?
Eric Haas (Oct 20 2021 at 21:08):
remind me when are the Security calls?
John Moehrke (Oct 20 2021 at 21:51):
that would be in the version 2. -- http://build.fhir.org/ig/HL7/smart-app-launch/
John Moehrke (Oct 20 2021 at 21:55):
seems they have downplayed the capability I saw in the ballot. @Josh Mandel?
John Moehrke (Oct 20 2021 at 21:56):
It still seems to be in the UDAP spec - https://build.fhir.org/ig/HL7/fhir-udap-security-ig/branches/main/b2b.html
John Moehrke (Oct 20 2021 at 21:58):
It is in the IHE spec https://profiles.ihe.net/ITI/IUA/index.html - look for purpose_of_use
John Moehrke (Oct 20 2021 at 21:59):
FHIR Security calls are Mondays at 12 eastern
Eric Haas (Oct 21 2021 at 20:32):
After reviewing the 3 referenced specs above, I see three distinct "standard" ways to do Purpose of Use for Direct Queries using the Authorization Layer - see my analysis here
am I mistaken?
Lloyd McKenzie (Oct 22 2021 at 03:25):
Do we have a requirement for "purpose of use" for direct queries? I thought our only requirement was for the asynchronous Task-based requests - and for those, we need to pass it as a parameter to the Task. The various header mechanisms are all about the "purpose of use for the current action" - which is posting a Task. They wouldn't deal with the purpose of use of the action the Task is soliciting.
John Moehrke (Oct 22 2021 at 12:19):
I had not understood the distinction Lloyd is making. So the Task itself is the embodiment of a set of actions that are ALL under a set of PurposeOfUse? I could see how this would be a useful element of the Task instance. It then might drive that all accesses to the Task must agree with that PurposeOfUse, right?
Lloyd McKenzie (Oct 22 2021 at 18:16):
The Task is saying "please go find this data/execute this query/filter as appropriate/package it up for my consumption - and return it to me". We also want to say "and by the way, the way I intend to use this information (which might affect what you choose to give me/how you choose to filter), is the following".
Lloyd McKenzie (Oct 22 2021 at 18:17):
So, there's no real "purpose of use" for the posting of the Task. The purpose of use is for "what will happen to the data you give me assuming you execute the Task".
Eric Haas (Oct 23 2021 at 01:55):
@Lloyd McKenzie , @John Moehrke my question above is not related to Task based requests. I think my questions about Task and the reuse of POU terminology have been sufficiently answered. But in CDEX we also cover direct queries and obliquely reference the aforementioned standards in the IG notes. I am trying to get my head around the current state for the request authorization layer. Doing some extra credit reading....Gotta keep up! :-)
Eric Haas (Oct 23 2021 at 02:04):
Lloyd McKenzie said:
So, there's no real "purpose of use" for the posting of the Task. The purpose of use is for "what will happen to the data you give me assuming you execute the Task".
the distinction between those two things is easily conflatable and why I keep questioning why they are not the same. I give up for now on arguing that they are, and I imagine by not using Task.meta.security it will be avoided. Reluctantly agreeing with Lloyd. ;-)
Grahame Grieve (Oct 25 2021 at 04:40):
I think that purpose of use shouldn't be associated with the OAuth content. I don't want to have to re-login when I decide to look up some information for treatment as opposed to research.
Grahame Grieve (Oct 25 2021 at 04:41):
and the spec defines how to associate security labels with requests, if that's appropriate: https://hl7.org/fhir/security-labels.html#break-the-glass
John Moehrke (Oct 25 2021 at 11:57):
the purposeOfUse should be declared in the security context. The fact that the v2 of SMART does not have this is due to implementer pushback on how hard it is; I don't disagree. Security is hard, doing it right is very hard. The break-the-glass hack is outside the security context, and hence why it carries a dragon warning.
Last updated: Apr 12 2022 at 19:14 UTC