Sensitive Data
Introduction
Sensitive records relate directly to data that is considered as highly confidential in nature. In NHS Wales systems, sensitive records (e.g. test results, clinical documents, medications) are flagged, requiring the user to 'break glass' in order to view that record.
This page describes how the Data Standards Wales profiles can support flagging FHIR resources as having sensitive data via the information in the resource metadata tag.
This implementation guide references the following profiles that may contain sensitive data (this list is not exhaustive):
- DataStandardsWales-DiagnosticReport
- DataStandardsWales-Medication*
- DataStandardsWales-Observation
- DataStandardsWales-ServiceRequest
*all associated medication resources may contain sensitive data
Profile metadata
Profiles can have metadata associated with them that are not listed in the core specification. An overview of associated profile metadata can be found on the HL7 FHIR R4 Resoure Definitions page.
Meta.security and Meta.Tags
The metadata elements Meta.security and Meta.Tag may contain additional coding that can be used to drive security specific data retrieval.
Security Labels
A security label is a concept attached to a resource or bundle that provides specific security metadata about the information it is fixed. The intent of a security label is that the recipient of resources or bundles with security labels is obligated to enforce any handling caveats and carry security restrictions forward as appropriate.
Implementation Guidance
This page sets out guidance for the use of security labels with DataStandardsWales profiles. It describes how the security labels connect to the relevant resources.
Security Labels used
DataStandardsWales resources as described above will return one of the following codes from v3-Confidentiality Codesystem. This is mapped from underlying NHS Wales system data:
- N - Normal
- R - Restricted
Unrecognised security label
In the case a Security label is not returned with the resource the confidentiality should be regarded as Normal.
Obligations around security labels
There is an obligation on the consuming system for data received from DataStandardsWales resources to appropriately handle results based on the Security Label attached to that resource.
Meta Content
The following are examples of a Diagnostic Report that contains normal and sensitive data:
- Normal
- Restricted/Sensitive
<DiagnosticReport
xmlns="http://hl7.org/fhir">
<id value="1000012" />
<meta>
<versionId value="1" />
<profile value="https://fhir.nhs.wales/StructureDefinition/DataStandardsWales-DiagnosticReport" />
<security>
<system value="http://terminology.hl7.org/CodeSystem/v3-Confidentiality" />
<code value="N" />
<display value="Normal" />
</security>
</meta>
... [snip] ...
</DiagnosticReport>
<DiagnosticReport
xmlns="http://hl7.org/fhir">
<id value="1000012" />
<meta>
<versionId value="1" />
<profile value="https://fhir.nhs.wales/StructureDefinition/DataStandardsWales-DiagnosticReport" />
<security>
<system value="http://terminology.hl7.org/CodeSystem/v3-Confidentiality" />
<code value="R" />
<display value="Restricted" />
</security>
</meta>
... [snip] ...
</DiagnosticReport>
Searches
It SHOULD be possible to limit search results based on their confidentiality by using the querystring _tag={CodeSystem|Code}. Some examples include:
Sensitive/Restricted
A client interested in all sensitive data by Patient and Code can use the following query:
GET [base]/[resource]?patient=[id]&code=[code]&_tag=http://terminology.hl7.org/CodeSystem/v3-Confidentiality|R
Non-Sensitive/Not Restricted
A client requesting non-sensitive data can either, not include the Tag as per the example below:
GET [base]/[resource]?patient=[id]&code=[code]
or may decide to include the _tag with a confidentiality of N
GET [base]/[resource]?patient=[id]&code=[code]&_tag=http://terminology.hl7.org/CodeSystem/v3-Confidentiality|N
UK Core Access
Please also refer to UK Core Access for further details on standardising clinical data queries.