Implementation Guidance > Consumer Responsibility
Privacy and Security
Prior to implementing the integrations in this implementation guide, an organization shall complete security and privacy risk assessments and implement the recommendations of those assessments. Care should be taken to ensure that the confidentiality and integrity of Personal Health Information in transit and at rest can be maintained at a level that is appropriate.
The information which adopters receive when submitting/receiving referrals is considered Personal Information (PI) and Personal Health Information (PHI). As a result, access to patient health information must be restricted to only appropriately authorized users and used on a need-to-know basis as specified in data-sharing agreements and corresponding legislation.
To support privacy inquiries into the disclosure of patient PHI, user name or ID mnemonic SHALL be included in the referral messages to identify the user who initiated the request, when that request was initiated by an actual user (as opposed to when performed by a system with no PHI disclosure to an individual user). Refer to the Connectivity section for further details.
System Responsibility for User Authorization, Authentication
A “system” level integration is when an RMS Source representing many users registers with an RMS Target, instead of registering individual users. In this case, the RMS Target grants and restricts access to the RMS Source as a whole, and the RMS Target is not able to identify, authorize or authenticate individual users according to its regular processes. The RMS Target has to trust the identity information provided by the RMS Source.
For this reason, it is the responsibility of the RMS Source to authorize and authenticate its users, and to put appropriate user-level access controls in place to ensure its users access only the information that the client system has access to.
Furthermore, when submitting a referral from the RMS Source to the RMS Target, the RMS Source is responsible for ensuring the accuracy of the identity of the requester specified in the ServiceRequest. Requester identities should be tied to authenticated and authorized user accounts, and never be entered ad hoc via free text by the user.
Both the RMS Source and RMS Target MUST log all activity performed via the API. The only exception to this is that PHI from FHIR Utility Servers MUST be cleared shortly after use.
With a “system” level integration, when a client system submits a new service request the client MUST include the requester information in the ServiceRequest resource.
With a “system” level integration, for GET calls to the eReferral server, the client system must log the user initiating each GET call (this information is invisible to the eReferral server).
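The following is an added example, not code from this implementation guide or from any RMS vendor, showing how an RMS Source in a "system" level integration can enforce the requester and logging rules above on the client side: it checks that the ServiceRequest requester is a resource reference (Practitioner or PractitionerRole) that matches the authenticated user rather than free text, and it writes a client-side audit entry, carrying the user ID, for every POST and every GET call, since the eReferral server cannot see which user initiated a GET. The user directory, the ServiceRequest payloads and the in-memory audit log are constructed for the example; a real RMS would back the log with durable, tamper-evident storage and keep PHI out of it.

```python
"""Added example (not part of the implementation guide): client-side requester
validation and audit logging for a "system" level eReferral integration."""
from datetime import datetime, timezone

# Constructed sample: users the RMS Source has authenticated and authorized,
# mapped to the FHIR resource that represents them as a requester.
AUTHENTICATED_USERS = {
    "jdoe": "Practitioner/prac-001",
    "asmith": "PractitionerRole/role-042",
}

# Requester reference types accepted for ServiceRequest.requester (assumption:
# the RMS Source only issues referrals on behalf of individual clinicians).
ALLOWED_REQUESTER_TYPES = ("Practitioner", "PractitionerRole")


class RequesterError(ValueError):
    """Requester missing, entered as free text, or not the authenticated user."""


def validate_requester(service_request: dict, user_id: str) -> str:
    """Return the requester reference if acceptable; raise RequesterError otherwise."""
    if service_request.get("resourceType") != "ServiceRequest":
        raise RequesterError("not a ServiceRequest")
    requester = service_request.get("requester")
    if not isinstance(requester, dict):
        raise RequesterError("requester is missing")
    ref = requester.get("reference")
    if not ref:
        # A display string alone is free text; it cannot be tied to an account.
        raise RequesterError("requester has no reference (free text only)")
    rtype = ref.split("/", 1)[0]
    if rtype not in ALLOWED_REQUESTER_TYPES:
        raise RequesterError(f"requester type {rtype} not allowed")
    expected = AUTHENTICATED_USERS.get(user_id)
    if expected is None:
        raise RequesterError(f"user {user_id} is not authenticated/authorized")
    if ref != expected:
        raise RequesterError("requester does not match the authenticated user")
    return ref


class AuditLog:
    """In-memory audit trail (assumption: production would use durable storage)."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, method, path, outcome, detail=""):
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user_id,      # who initiated the call, for privacy inquiries
            "method": method,
            "path": path,
            "outcome": outcome,
            "detail": detail,     # resource references and reasons only, never PHI
        }
        self.entries.append(entry)
        return entry


def submit_service_request(service_request, user_id, log):
    """Validate the requester, log the POST, return (ok, requester_ref_or_reason)."""
    try:
        ref = validate_requester(service_request, user_id)
    except RequesterError as exc:
        log.record(user_id, "POST", "/ServiceRequest", "rejected", str(exc))
        return False, str(exc)
    log.record(user_id, "POST", "/ServiceRequest", "sent", f"requester={ref}")
    return True, ref


def fetch(path, user_id, log):
    """Log a GET on the client side before issuing it; the server cannot see the user."""
    if user_id not in AUTHENTICATED_USERS:
        log.record(user_id, "GET", path, "denied", "unauthenticated user")
        return False
    log.record(user_id, "GET", path, "sent")
    return True


# Constructed sample payloads (not real referrals).
SAMPLE_OK = {
    "resourceType": "ServiceRequest",
    "status": "active",
    "intent": "order",
    "subject": {"reference": "Patient/pat-123"},
    "requester": {"reference": "Practitioner/prac-001", "display": "Dr. J. Doe"},
}
SAMPLE_FREE_TEXT = dict(SAMPLE_OK, requester={"display": "Dr. J. Doe"})

if __name__ == "__main__":
    log = AuditLog()
    print(submit_service_request(SAMPLE_OK, "jdoe", log))
    print(submit_service_request(SAMPLE_FREE_TEXT, "jdoe", log))
    print(fetch("/ServiceRequest/sr-9", "jdoe", log))
    for e in log.entries:
        print(e)
```

The check is deliberately stricter than "a requester is present": a display-only requester is rejected because it is exactly the ad hoc free text the guide rules out, and a mismatch between the reference and the logged-in user is rejected because the RMS Target has no way to detect it.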
The consumer shall implement request messages that are well-formed and conform to this specification.