Technical Requirements: requirements for one health record system to send data to another health record system and for the receiving system to acknowledge receipt of the data payload.
The following table provides a summary view of the technical interoperability and solution requirements. Additional details of each requirement can be found by clicking on the Business Rule ID.
BR ID | Description | Type | Subcategory |
---|---|---|---|
BR3-09 | A Patient Summary-CA Solution should adhere to the minimum industry standards for role-based access control and security mechanisms for the Patient Summary, including defining the security level and authorization profile of all authorized actors and mapping each user to one or more roles and each role to one or more system functions, dictated by jurisdictional standards and system requirements. Note: For example, jurisdictional standards for role-based access control should consider the following standards such as ISO 22600-1:2014, which describes the scenarios and the critical parameters in information exchange across policy domains. Another example of a standard is ISO 22600-2:2014, which describes and explains, in a more detailed manner, the architectures and underlying models for privilege management and access control which are necessary for secure information sharing including the formal representation of policies. |
Recommended | Solution |
BR3-01 | A Patient Summary-CA Solution shall provide the ability to capture and communicate the identity of the PS subject of care. |
Mandatory | Interoperability |
BR3-02 | A Patient Summary-CA Solution shall provide the ability to capture and communicate the identity of the authorized PS-CA Author. |
Mandatory | Interoperability |
BR3-04 | A Patient Summary-CA Solution shall provide the ability to view the versions of Patient Summaries and render a previous version based on a request in accordance to jurisdictional policies. |
Mandatory | Interoperability |
BR3-05 | A Patient Summary-CA Solution may be able to produce a PS-CA in a portable format (e.g., PDF) that is broadly accessible to patients/subjects of care. |
Optional | Interoperability |
BR3-06 | A Patient Summary-CA Solution should adhere to minimum local/jurisdictional industry standards for authentication (e.g., multi-factor authentication) of authorized users. |
Recommended | Solution |
BR3-07 | A Patient Summary-CA solution should, where feasible, segregate duties and areas of responsibility to reduce opportunities for unauthorized modification or misuse of PHI based on jurisdictional standards. Note: For example, appropriate access-controls should be put in place to segregate duties for authorized actors who have access and/or can view hosted components of the Patient Summary in order to reduce opportunities for unauthorized modification or misuse of PHI and security-critical system data according to jurisdictional standards. |
Recommended | Solution |
BR3-08 | A Patient Summary-CA Solution shall protect health information in transit, adhering to jurisdictional standards for encryption. Note: For example, jurisdictional standards for encryption should cover concepts of cryptographic algorithms and protocols, management of encryption keys during the transmission of PHI to maintain the confidentiality and integrity of the Patient Summary. |
Mandatory | Interoperability |
BR3-10 | A Patient Summary-CA Solution should adhere to jurisdictional standards for creation of secure audit logs that capture access to, modification or disclosure of Patient Summary-CA information. This includes the activities of PS-CA Producers, Consumers and Requesters. Note: For example, jurisdictional standards for appropriate secure-audit records should log PHI-related events, such as Patient Summary access (including access to confidential data), Patient Summary creation, Patient Summary amendments and changes, traceability of consent, consent directive overrides and more for the Patient Summary. |
Recommended | Solution |
BR3-11 | The Patient Summary-CA Solution should have the ability to capture secure audit log content as dictated by jurisdictional standards and/or system requirements. Note: For example, jurisdictional standards and/or system requirements for secure audit logs should consider Patient Summary schema and log content such as the user ID of authorized actors, the role the user is exercising, the organization of the accessing user (at least in those cases where an individual accesses information on behalf of more than one organization), the patient ID of the data subject (patient/person), the function performed by the accessing user, a timestamp, in the case of access override to blocked or masked records or portions of records, a reason for the override, and in the case of changes to consent directives made by a substitute decision-maker, the identity of the decision-maker. |
Recommended | Solution |
BR3-12 | A Patient Summary-CA Solution may provide the capability for a PS-CA to be de-identified, according to local/jurisdictional requirements. |
Optional | Solution |
BR3-13 | A Patient Summary-CA Solution shall provide the ability to uniquely identify a Patient Summary-CA with a unique identifier. |
Mandatory | Interoperability |
BR3-14 | A Patient Summary-CA Solution should retrieve data elements for the PS-CA from the PS-CA Author's local data source. |
Recommended | Solution |
BR3-15 | A Patient Summary-CA Solution may provide the ability to convert structured documents (e.g. FHIR-based) to unstructured documents (e.g PDF), and make transformations between structured document formats (e.g. CDA). |
Optional | Solution |
BR3-16 | A Patient Summary-CA Solution shall create the PS-CA in a structured format using FHIR R4 (v4.0.1) + JSON and XML. |
Mandatory | Interoperability |
BR3-17 | A Patient Summary-CA Solution should protect health information at rest, adhering to jurisdictional standards for encryption Note: For example, jurisdictional standards for encryption should cover concepts of cryptographic algorithms and protocols, and management of encryption keys to maintain the confidentiality and integrity of the Patient Summary. |
Recommended | Solution |
BR3-19 | PS-CA Solution shall ensure the shared content accessed times out on the screen after a reasonable amount of time to minimize unauthorized consumption |
Mandatory | Interoperability |
BR3-18 | PS-CA Solution shall have a default expiry date for the SHLink if not changed by the Patient (or designated caregiver) |
Mandatory | Interoperability |
BR3-20 | PS-CA Solution shall provide safeguards for the PS-CA Producer to minimize SHLink being accessed by the wrong party |
Mandatory | Interoperability |