Stream: Security and Privacy
Topic: What does a purpose of use label on a request resource mean?
Eric Haas (Aug 06 2021 at 02:38):
What does a purpose of use label on a request resource mean? For example I have Task to fetch some data. If it had a meta.security of COVERAGE. What does that mean exactly?
- The Task POU is COVERAGE ?
- The completed Task including the references to
Task.outputPOU is COVERAGE ? ( breaking the rule on prohibiting context conduction) - Does is at least communicate that the Task.output POU should be COVERAGE?
- Do you have to label all the output resources with POU = Coverage?
- What if they are contained?
John Moehrke (Aug 06 2021 at 13:34):
I am not clear what you mean by "request resource".
John Moehrke (Aug 06 2021 at 13:36):
A tag on data, should be 'meta' about that data. Thus if one sees a purposeOfUse vocabulary tag on a FHIR Resource (.meta.security), I would understand that as the purpose of use for which that data was captured. (This following privacy principles that data are captured for given purposes and are only allowed to be used for the purposes for which the data were captured. Where secondary use beyond those initial purposes must be explicitly authorized (Consent).)
John Moehrke (Aug 06 2021 at 13:39):
In an EHR, the data is implicitly known to have TPO (TREAT + HPAYMT + HOPERAT). The data could be explicitly labeled this way, but often is not due to it being obvious.
John Moehrke (Aug 06 2021 at 13:41):
I have proposed that transaction outputs are an appropriate place to tag the transaction Bundle with context of the authorized communication. Thus a Query Response Bundle may be tagged with the PurposeOfUse(s) for which the data are authorized to be used by the recipient. This would be at the Bundle level, as it is a condition of release. The resources in the bundle would not have this decoration as the meta of the data is possibly different than the meta of the bundle.
John Moehrke (Aug 06 2021 at 13:42):
This all said.. you are asking about Task resource. and I am unclear what you are looking for with these questions on Task. I would expect Task to be no different than any data. It is just another FHIR resource.
John Moehrke (Aug 06 2021 at 13:44):
If the question is around the use of the word "authorization" used in the description meaning of the Task resource, this authorization is a business authorization; not a security/privacy. The business authorization (this process can happen because the business is happy it should happen) should be informed and supported by security and privacy; but is a different level of decision. Thus this is simply yet-another-meaning of the word "authorization" (contextual meaning).
Lloyd McKenzie (Aug 06 2021 at 17:10):
Request resource is anything that implements (or is supposed to implement) the Request pattern. I think Eric's question is whether the purposeOfUse on a Request refers to the purpose of the request being shared, or of the purpose of the results of the request.
Eric Haas (Aug 06 2021 at 17:16):
by request resources, I mean resources like servicerequest, task, communicationrequest. I am not talking about authorization, I am talking about the POU for the request.
I would understand that as the purpose of use for which that data was captured.
would this mean that if I requested resource X using a request resource with POU of COVERAGE then the resource X ( Bundle or some other resource) that is returned to me would implicitedly have a POU of COVERAGE- would that need to be explicit and spelled out by tagging the returned data too?
Eric Haas (Aug 06 2021 at 17:17):
the purposeOfUse on a Request refers to the purpose of the request being shared, or of the purpose of the results of the request.
These are the same to me
Last updated: Apr 12 2022 at 19:14 UTC
