Protecting the patient PII data:
- Possible solution 1: Create an anonymized patient that is linked to the research subject and the patient. The Patient resource has Patient.link (0..*), which could link to the anonymized patient. This anonymized patient could have an identifier for the research subject.
- Possible solution 2: Ensure the Patient.identifier associated with the results is meaningless (nothing embedded in the identifier that could disclose PII / identity).
- Possible solution 3: Extend Observation.subject to include a link to the research subject. This was discussed in R4 and was rejected by O+O. We could try again.
- Possible solution 4: Observation.subject would point to the source system's internal patient identifier (which should be MEANINGLESS - no embedded metadata). The data provider would prevent the sponsor from getting access to the patient attributes (anything other than the identifier).
Note on Patient.identifier: this should have a 'type'.
Idea for creating an Anonymized Patient:
Patient → Patient.link → links to another Patient that represents the Anonymized Patient → Anonymized Patient.identifier = subject ID / Patient.identifier.use = secondary / Patient.identifier.type = sponsor-defined / Patient.identifier.assigner (Organization) = sponsor's organization ID
Patient → Patient.link → anonymized patient ← link to this FROM research subject ID
NOTE: We need to check other resources to see if they could expose any PII / identity information. For example, Observation has a link to the practitioner. Would knowing the practitioner identify the patient?
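The anonymized-patient idea and the practitioner concern in the note above, sketched as an added example (not part of the original notes). Assumptions: the function names, all IDs, the `seealso` link type, the list of identity-bearing Patient elements, the R4 `ResearchSubject.individual` element, and removing `Observation.performer` from the copy released to the sponsor.

```python
import copy

# Assumed list of Patient elements that disclose identity; extend per local policy.
PII_ELEMENTS = {"name", "telecom", "address", "birthDate", "photo", "contact", "gender"}

def build_anonymized_patient(anon_id, subject_id, sponsor_org_id):
    """Anonymized Patient: carries only the sponsor-assigned subject ID."""
    return {"resourceType": "Patient", "id": anon_id, "identifier": [{
        "use": "secondary",
        "type": {"text": "sponsor-defined"},
        "value": subject_id,
        "assigner": {"reference": f"Organization/{sponsor_org_id}"},
    }]}

def link_to_anonymized(patient, anon_id, link_type="seealso"):
    """Copy of the real Patient with Patient.link pointing at the anonymized one."""
    linked = copy.deepcopy(patient)
    linked.setdefault("link", []).append(
        {"other": {"reference": f"Patient/{anon_id}"}, "type": link_type})
    return linked

def research_subject(rs_id, study_id, anon_id):
    """R4 ResearchSubject whose individual is the anonymized Patient."""
    return {"resourceType": "ResearchSubject", "id": rs_id, "status": "on-study",
            "study": {"reference": f"ResearchStudy/{study_id}"},
            "individual": {"reference": f"Patient/{anon_id}"}}

def sponsor_view(observation, anon_id, drop=("performer",)):
    """Copy of an Observation for the sponsor: subject re-pointed, identifying links removed."""
    view = copy.deepcopy(observation)
    view["subject"] = {"reference": f"Patient/{anon_id}"}
    for element in drop:
        view.pop(element, None)
    return view

def pii_elements(patient):
    """Identity-bearing elements present on a Patient, for a pre-release check."""
    return sorted(PII_ELEMENTS.intersection(patient))

# Constructed sample data (not real patients, practitioners or identifiers).
real = {"resourceType": "Patient", "id": "p-1001", "name": [{"family": "Example"}],
        "birthDate": "1970-01-01"}
obs = {"resourceType": "Observation", "id": "o-1", "status": "final",
       "code": {"text": "Hemoglobin"}, "subject": {"reference": "Patient/p-1001"},
       "performer": [{"reference": "Practitioner/dr-7"}]}
anon = build_anonymized_patient("anon-42", "SUBJ-0042", "sponsor-org-1")
released = sponsor_view(obs, "anon-42")
```

The linked real Patient stays with the data provider; only the anonymized Patient, the ResearchSubject and the `sponsor_view` copies would be released.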
Example linkage between research subject → patient → observation
Example of data linkage
Example of creating an anonymized patient as intermediate