Sensitive Data
Introduction
Sensitive records relate directly to data that is considered highly confidential. In NHS Wales systems, sensitive records (e.g. test results, clinical documents, medications) are flagged, and a user must 'break glass' in order to view such a record.
This page describes how the Data Standards Wales profiles support flagging FHIR resources as containing sensitive data, using the security label carried in the resource's meta element.
This implementation guide references the following profiles that may contain sensitive data (this list is not exhaustive):
- DataStandardsWales-DiagnosticReport
- DataStandardsWales-Medication
- DataStandardsWales-Observation
- DataStandardsWales-ServiceRequest
Security Labels
A security label is a concept attached to a resource or bundle that provides specific security metadata about the information it is attached to. The intent is that the recipient of resources or bundles carrying security labels is obliged to enforce the handling caveats of those labels and to carry the labels forward as appropriate.
Implementation Guidance
This page sets out guidance for the use of security labels with DataStandardsWales profiles. It describes how the security labels connect to the relevant resources and what limitations are in place with WRRS data.
Security Labels used
DataStandardsWales resources as described above will return one of the following codes from the v3-Confidentiality CodeSystem. The code is mapped from the underlying NHS Wales system data:
- N - Normal
- R - Restricted
Unrecognised security label
If no security label is returned with the resource, its confidentiality should be regarded as Normal.
Obligations around security labels
The consuming system is obliged to handle Diagnostic data received from DataStandardsWales resources appropriately, according to the security label attached to each resource.
Meta Content
The following are examples of a DiagnosticReport containing normal data and then sensitive (restricted) data.
Normal
<DiagnosticReport xmlns="http://hl7.org/fhir">
  <id value="1000012" />
  <meta>
    <versionId value="1" />
    <profile value="https://fhir.nhs.wales/StructureDefinition/DataStandardsWales-DiagnosticReport" />
    <security>
      <system value="http://terminology.hl7.org/CodeSystem/v3-Confidentiality" />
      <code value="N" />
      <display value="Normal" />
    </security>
  </meta>
  ... [snip] ...
</DiagnosticReport>
Restricted/Sensitive
<DiagnosticReport xmlns="http://hl7.org/fhir">
  <id value="1000012" />
  <meta>
    <versionId value="1" />
    <profile value="https://fhir.nhs.wales/StructureDefinition/DataStandardsWales-DiagnosticReport" />
    <security>
      <system value="http://terminology.hl7.org/CodeSystem/v3-Confidentiality" />
      <code value="R" />
      <display value="Restricted" />
    </security>
  </meta>
  ... [snip] ...
</DiagnosticReport>
Searches
It SHOULD be possible to limit search results by confidentiality using the _tag search parameter in the form _tag={CodeSystem}|{Code}. Some examples:
Sensitive/Restricted
A client interested in all sensitive data for a patient and code can use the following query:
GET [base]/[resource]?patient=[id]&code=[code]&_tag=http://terminology.hl7.org/CodeSystem/v3-Confidentiality|R
Non-Sensitive/Not Restricted
A client requesting non-sensitive Diagnostic data can either omit the _tag parameter, as in the example below:
GET [base]/[resource]?patient=[id]&code=[code]
or include _tag with a confidentiality of N:
GET [base]/[resource]?patient=[id]&code=[code]&_tag=http://terminology.hl7.org/CodeSystem/v3-Confidentiality|N
Note that omitting _tag applies no filter on the server side: unless the server withholds restricted data by default, the response may include resources labelled R, and the client must still handle each returned resource according to its own security label as described under Obligations above.
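The following is an added example, not code from this implementation guide or from NHS Wales; it shows how a consuming system can apply the Meta Content and Searches sections together: reading the v3-Confidentiality label from meta.security, deciding whether a user must break glass before a record is shown, building a _tag-filtered search, and checking that a returned search Bundle actually honours the requested confidentiality. A missing label is treated as Normal, as the guide states. The base URL, resource ids and the XML documents are constructed for the example, and the decision to treat a code outside N/R as Restricted (fail closed) is this example's own choice rather than a rule the guide sets out.

```python
# Added example (not from the Data Standards Wales guide): handling
# v3-Confidentiality security labels on FHIR resources. All XML, ids and
# the base URL below are constructed for the example.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

FHIR_NS = {"f": "http://hl7.org/fhir"}
CONFIDENTIALITY_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
KNOWN_CODES = {"N", "R"}  # the codes the guide says DSW resources will return


def confidentiality_of(resource: ET.Element) -> str:
    """Return the confidentiality code for a parsed FHIR resource element.

    - No v3-Confidentiality label on meta.security -> 'N' (the guide's rule).
    - Several labels present -> the most restrictive one wins.
    - A code outside KNOWN_CODES -> 'R'. Failing closed here is an assumption
      of this example, not a rule stated by the guide.
    """
    codes = set()
    for sec in resource.findall("f:meta/f:security", FHIR_NS):
        system = sec.find("f:system", FHIR_NS)
        code = sec.find("f:code", FHIR_NS)
        if (system is not None and code is not None
                and system.get("value") == CONFIDENTIALITY_SYSTEM):
            codes.add(code.get("value"))
    if not codes:
        return "N"
    if (codes - KNOWN_CODES) or "R" in codes:
        return "R"
    return "N"


def requires_break_glass(resource_xml: str) -> bool:
    """True when the consumer must record a break-glass event before display."""
    return confidentiality_of(ET.fromstring(resource_xml)) == "R"


def search_url(base, resource_type, patient_id, code, confidentiality=None):
    """Build GET [base]/[resource]?patient=..&code=..[&_tag=system|code].

    urlencode percent-encodes ':' '/' and '|' inside the token value.
    """
    params = {"patient": patient_id, "code": code}
    if confidentiality is not None:
        params["_tag"] = f"{CONFIDENTIALITY_SYSTEM}|{confidentiality}"
    return f"{base}/{resource_type}?{urlencode(params)}"


def mislabelled_entries(bundle_xml: str, expected: str) -> list:
    """Defence in depth: ids of searchset entries whose label is not the one
    requested via _tag. A non-empty result means the server did not honour
    the filter, so the client must not treat the whole response as 'N'."""
    bundle = ET.fromstring(bundle_xml)
    bad = []
    for res in bundle.findall("f:entry/f:resource/*", FHIR_NS):
        if confidentiality_of(res) != expected:
            rid = res.find("f:id", FHIR_NS)
            bad.append(rid.get("value") if rid is not None else "?")
    return bad


def make_report(rid, label=None):
    """Constructed DiagnosticReport XML; label=None omits meta.security."""
    sec = ("<security>"
           f'<system value="{CONFIDENTIALITY_SYSTEM}"/><code value="{label}"/>'
           "</security>") if label else ""
    return (f'<DiagnosticReport xmlns="http://hl7.org/fhir"><id value="{rid}"/>'
            f"<meta>{sec}</meta></DiagnosticReport>")


# Constructed sample resources and a searchset Bundle mixing N and R.
NORMAL = make_report("1000012", "N")
RESTRICTED = make_report("1000013", "R")
UNLABELLED = make_report("1000014")
BUNDLE = ('<Bundle xmlns="http://hl7.org/fhir"><type value="searchset"/>'
          f"<entry><resource>{NORMAL}</resource></entry>"
          f"<entry><resource>{RESTRICTED}</resource></entry></Bundle>")

if __name__ == "__main__":
    # Hypothetical base URL; the real [base] is deployment specific.
    print(search_url("https://fhir.example/R4", "DiagnosticReport", "123", "LAB", "N"))
    print("break glass:", [requires_break_glass(r) for r in (NORMAL, RESTRICTED, UNLABELLED)])
    print("entries not labelled N:", mislabelled_entries(BUNDLE, "N"))
```

The per-resource check matters even when the client asked for N only: the obligation in the guide attaches to each resource's own label, so a client should not rely on the search filter alone to decide that nothing in the response needs break-glass handling.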
UK Core Access
Please also refer to UK Core Access for further details on standardising clinical data queries.