- See Sync for Science and Sync for Genes for more details about the research project use case that pertains to this interoperability need.
- To learn more about how APIs can help patients participate in research, see the Patient Engagement Playbook.
- The Kantara Initiative's UMA (User Managed Access) Work Group project's use case is designed to develop specifications that allow individual control of authorized data sharing and service access to promote interoperability in support of this interoperability need.
- Current Procedural Terminology (CPT) Consumer Friendly Descriptors (CFDs) may be used when data is being exchanged between patients and providers.
- The SMART® on FHIR Project is working in this area, and may have additional implementation guidance, as well as a list of applications supporting this interoperability need.
- When using the SMART on FHIR model, the authentication model is OAuth2. The other security patterns listed do not apply.
- The IHE Basic Patient Privacy Consents (BPPC) profile provides a means for recording the ceremony of patient consenting to a policy. The BPPC profile will use terms consistent with ISO 22600 - Privilege Management and Access Control (PMAC), but is not restricted to systems that implement PMAC. See the IHE white paper Enabling Document Sharing Health Information Exchange Using IHE Profiles (http://profiles.ihe.net/ITI/HIE-Whitepaper/index.html.
- The IHE Advanced Patient Privacy Consents (APPC) profile is used when additions or deviations from a "Basic" consent policy are needed. The APPC mechanism provides for deeper coded consents beyond what BPPC supports. BPPC continues to be used to capture the ceremony and overall policy, where APPC provides the specific additions or deviations.
- System Authentication – The information and process necessary to authenticate the systems involved.
- User Details – Identifies the end user who is accessing the data.
- User Role – Identifies the role asserted by the individual initiating the transaction.
- Patient Consent Information – Identifies the patient consent information that may be required before data can be accessed.
- May be required to authorize any exchange of patient information
- May be required to authorized access and use of patient information
- May be required to be sent along with disclosed patient information to advise the receiver about policies to which end users must comply
- Purpose of Use - Identifies the purpose for the transaction.
- Security Labeling – The health information is labeled with security metadata necessary for access control by the end user.