

Introduction

This document describes a set of use cases associated with the International Patient Summary (IPS), as a way to illuminate the GDPR impact and the solutions available to address it.
The selected use cases do not claim to provide a complete description of the whole IPS lifecycle (creation, sharing and usage), nor to exhaustively describe all the alternatives that may occur in real life for each of the IPS lifecycle steps.
For each of these minimal and non-exhaustive cases the following is provided:

  • a brief description of the use case diagram;
  • a description of one possible implementation scenario (dynamic view)
  • For each main step / use case, a description of the
    • associated requirements;
    • GDPR impact reported as references to the "FHIR - GDPR White paper"
    • the possible FHIR assets that may be used to fulfil some of these requirements
    • notes
  • a list of examples

The intent of this work is to incrementally create a library of cases and examples to be used as inputs for the GDPR on FHIR whitepaper and as support for IPS implementers.
The use cases provided are intended to highlight new GDPR impacts (needs). Thus, each additional case is intended not to overlap with the previous ones, and in any case it will not duplicate impacts/solutions that were already explained by the previous cases.
Please note that the scenario described is in general only one of many possible ones; alternative solutions could in principle be considered as well.

List of Cases

  1. Multiple sources, human validated and published on repository
  2. IPS translated during the transport [not yet developed]
  3. IPS obtained as transformation of a local Patient Summary [not yet developed]

Multiple sources, human validated and published on repository

Overview



Health data are collected from multiple sources by a system (it might be the clinician's EHR system or a dedicated national service) [IPS Creator System] that may propose candidate IPS content to a clinician [IPS Human Curator]; the clinician may further select the information to be included and validate the content. The validated content is used to generate the IPS, which is then published for consultation in a repository [Repository] (for example a national EHR system; no assumptions are made about the kind of repository).

Scenario description

There are many possible ways to realize the above-mentioned use cases; one possible example is described hereafter:

  1. Preconditions
    1. The patient is a European patient subject to the GDPR.
    2. The patient has given his/her consent to share his/her data through the National EHR system.
    3. This consent is on file and stored in the IPS creator system.
    4. Some sources have other (more detailed) consents associated with the disclosed data.
  2. Data collected from multiple sources
    1. The requestor (IPS creator system) asks the provider (data source) for data for the purpose of building an IPS document. The requestor sends the consent to the data provider(s). [Query for data]
    2. The data source returns, or does not return, the requested data based on the known consent(s) and the purpose of use/processing. A more detailed consent associated with some disclosed data is known and sent back to the requestor, overriding (integrating?) the "opt in/opt out" consent. [Data returned/not returned]
    3. The requestor stores the received data locally for the IPS processing. [Import data]
  3. Data selected for creating the IPS
    1. The IPS creator system processes the received data in order to propose a candidate IPS to the human curator. This process may imply data extraction, data transformation and/or translation, and so on. This event is recorded in the IPS and potentially in the system log. [Imported data processed]
    2. The IPS human curator may further refine the content that will eventually go in the IPS. [Human content curation]
  4. The IPS is validated by a human being
    1. The IPS human curator validates the content of the IPS. [IPS Validation]
  5. The IPS is published
    1. The IPS creator system creates an instance of the IPS. [Creation of the IPS instance]
    2. The IPS creator system publishes the created IPS in the repository. [IPS Publication]
    3. The repository stores the received IPS instance together with the associated consent(s). [IPS storage]
  6. Postconditions
    1. The Patient has the right to access his/her IPS.
    2. The IPS is consumed for the purposes specified in the consent(s).
    3. The Patient may change his/her consents.


For each main step / use case (see the sub-paragraphs) a description is provided of:

  • the associated requirements;
  • the GDPR impact reported as references to the "FHIR - GDPR White paper"
  • possible FHIR assets that may be used to fulfil some of these requirements

together with associated notes and examples.

Collect data from multiple sources


Activity: Query for data

  Requirements: The requestor has to indicate:
    1. who is asking for the data;
    2. the purpose for which it is requesting these data.
  Assets: Security labels; SMART-on-FHIR
  Notes:
    • Identification, authentication and authorization needs are not GDPR specific.
    • Common vocabularies to describe the purpose of use / processing have to be specified.

  Requirements: Before disclosing data, the data provider should be aware of the existing consents for this purpose for each data item that could potentially be disclosed.
  GDPR Impact: See above
  Assets: Consent

Activity: Data returned/not returned

  Requirements: The provider extracts data from its sources and applies minimization principles as needed.
  GDPR Impact: Art 5 "Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')". See https://confluence.hl7.org/pages/viewpage.action?pageId=6003035#FHIR-GDPR-GDPRBasics-morethantechnology
  Assets: some FHIR resources; Provenance
  Notes: For future consideration: a Provenance resource indicating the source record and the algorithm applied for data extraction (if any).

  Requirements: If the data source is not the primary source of the returned data, it should provide information about the data origin and the processing applied.
  GDPR Impact: The data subject has the right to transparent information about the origin of personal data, both where they have been collected from the data subject and where they have not been obtained from the data subject (Art 14 and 15). See https://confluence.hl7.org/pages/viewpage.action?pageId=6003035#FHIR-GDPR-Transparencyaboutprocessingpersonaldata
  Assets: some FHIR resources; Provenance

  Requirements: If known, the data source should provide information about the data usage conditions that the receiver shall apply.
  GDPR Impact: Processing personal data or sensitive personal data is prohibited unless for very specific reasons defined in article 6 and article 9. See https://confluence.hl7.org/pages/viewpage.action?pageId=6003035#FHIR-GDPR-Rightforprocessingpersonaldata/explicitconsent
  Assets: Consent

  Requirements: The data source documents which data have been disclosed (or not), to whom and why.
  GDPR Impact: The data subject has the right to transparent information about the origin of personal data, both where they have been collected from the data subject and where they have not been obtained from the data subject (Art 14 and 15). See https://confluence.hl7.org/pages/viewpage.action?pageId=6003035#FHIR-GDPR-Transparencyaboutprocessingpersonaldata
  Assets: AuditEvent
  Notes: For future consideration: create an example of AuditEvent.

Activity: Import data

  Requirements: The requestor documents which data have been imported, the source and why.
  GDPR Impact: See above
  Assets: AuditEvent
  Notes: For future consideration: create an example of AuditEvent.
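The data-source side of the "Query for data" and "Data returned/not returned" activities, as an added example (Python, not code from this page or from the IPS project): the query names the requester and a purpose of use; the source evaluates the patient's FHIR R4 Consent per candidate record, withholds records whose confidentiality security label is above the requester's clearance, and documents the outcome per record in an AuditEvent (who asked, why, what was disclosed, what was withheld). The consent, the records, the "project XYZ" local code system, the device references and the provision-evaluation rules (listed values of one element are alternatives, a nested provision refines its parent, anything not explicitly permitted is denied) are constructed assumptions for the example, not the full Consent specification and not the semantics of the XML files linked later on this page.

```python
"""Data-source side of "Query for data" / "Data returned or not".

Added example, not code from this page or the IPS project: evaluate the patient's
FHIR R4 Consent per record for a query that names the requester and a purpose of
use, withhold records labelled above the requester's confidentiality clearance,
and record the per-record outcome in an AuditEvent. Resources and evaluation
rules are constructed assumptions, not the full Consent specification.
"""
from datetime import datetime, timezone

ACT_REASON = "http://terminology.hl7.org/CodeSystem/v3-ActReason"            # TREAT, HRESCH, ...
CONFIDENTIALITY = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"  # U L M N R V
DCM = "http://dicom.nema.org/resources/ontology/DCM"                          # 110106 = Export
LOCAL_PURPOSE = "http://example.org/purpose"   # hypothetical local code system for "project XYZ"
CONF_RANK = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}
TREAT = {"system": ACT_REASON, "code": "TREAT"}
HRESCH = {"system": ACT_REASON, "code": "HRESCH"}
PROJECT_XYZ = {"system": LOCAL_PURPOSE, "code": "project-XYZ"}

# Constructed consent (modelling assumption): default-deny root provision with two permit
# exceptions - treatment for all data, research purposes only for one lab report's data.
CONSENT = {
    "resourceType": "Consent", "id": "consent-01", "status": "active",
    "scope": {"coding": [{"system": "http://terminology.hl7.org/CodeSystem/consentscope", "code": "patient-privacy"}]},
    "patient": {"reference": "Patient/pat-1"},
    "provision": {"type": "deny", "provision": [
        {"type": "permit", "purpose": [TREAT]},
        {"type": "permit", "purpose": [HRESCH, PROJECT_XYZ],
         "data": [{"meaning": "related", "reference": {"reference": "DiagnosticReport/lab-1234567"}}]},
    ]},
}
# Constructed records held by the source, each with a confidentiality security label.
RECORDS = [
    {"resourceType": "Observation", "id": "bld-grp", "meta": {"security": [{"system": CONFIDENTIALITY, "code": "N"}]},
     "derivedFrom": [{"reference": "DiagnosticReport/lab-1234567"}]},
    {"resourceType": "Observation", "id": "hiv-status", "meta": {"security": [{"system": CONFIDENTIALITY, "code": "R"}]}},
    {"resourceType": "Immunization", "id": "imm-1", "meta": {"security": [{"system": CONFIDENTIALITY, "code": "N"}]}},
]

def _in_compartment(record, data):
    """True if the record is, or derives from, one of the provision.data references."""
    refs = {d["reference"]["reference"] for d in data}
    derived = {d["reference"] for d in record.get("derivedFrom", [])}
    return f"{record['resourceType']}/{record['id']}" in refs or bool(derived & refs)

def _applies(prov, purpose, record):
    """All constraints a provision states must hold; listed values of one constraint are alternatives."""
    purposes = prov.get("purpose", [])
    if purposes and not any(p["system"] == purpose["system"] and p["code"] == purpose["code"] for p in purposes):
        return False
    return not prov.get("data") or _in_compartment(record, prov["data"])

def _decide(prov, purpose, record):
    """Decision of this provision, refined by any nested provision that also applies."""
    if not _applies(prov, purpose, record):
        return None
    decision = prov.get("type")
    for child in prov.get("provision", []):
        decision = _decide(child, purpose, record) or decision
    return decision

def consent_decision(consent, purpose, record):
    """'permit' or 'deny' for one record; anything not an active, applicable permit is a deny."""
    if consent.get("status") != "active":
        return "deny"
    return _decide(consent["provision"], purpose, record) or "deny"

def within_clearance(record, clearance):
    """False for records labelled above the requester's clearance (unlabelled counts as 'N')."""
    codes = [s["code"] for s in record.get("meta", {}).get("security", []) if s["system"] == CONFIDENTIALITY]
    return max((CONF_RANK[c] for c in codes), default=CONF_RANK["N"]) <= CONF_RANK[clearance]

def disclosure_audit_event(requester, purpose, disclosed, withheld, recorded=None):
    """AuditEvent (DICOM 110106 'Export'): who asked, why, and the decision for each candidate record."""
    def entity(rec, decision):
        return {"what": {"reference": f"{rec['resourceType']}/{rec['id']}"},
                "securityLabel": rec.get("meta", {}).get("security", []),
                "detail": [{"type": "disclosure-decision", "valueString": decision}]}
    return {
        "resourceType": "AuditEvent",
        "type": {"system": DCM, "code": "110106", "display": "Export"}, "action": "R", "outcome": "0",
        "recorded": (recorded or datetime.now(timezone.utc)).isoformat(),
        "purposeOfEvent": [{"coding": [purpose]}],
        "agent": [{"who": {"reference": requester}, "requestor": True, "purposeOfUse": [{"coding": [purpose]}]}],
        "source": {"observer": {"reference": "Device/lab-system-xyz"}},  # hypothetical source system
        "entity": [entity(r, "disclosed") for r in disclosed] + [entity(r, "withheld") for r in withheld],
    }

def handle_query(requester, purpose, clearance, consent, records=RECORDS):
    """One 'Query for data': (records to return, AuditEvent documenting the decision)."""
    disclosed, withheld = [], []
    for rec in records:
        ok = consent_decision(consent, purpose, rec) == "permit" and within_clearance(rec, clearance)
        (disclosed if ok else withheld).append(rec)
    return disclosed, disclosure_audit_event(requester, purpose, disclosed, withheld)

if __name__ == "__main__":
    for p in (TREAT, HRESCH, PROJECT_XYZ):
        print(p["code"], [r["id"] for r in handle_query("Device/ips-creator", p, "N", CONSENT)[0]])
```

With the constructed data, a treatment query with clearance N returns the blood group and the immunization (the restricted HIV result is withheld by label, not by consent), a research query returns only the observation derived from the permitted lab report, and an unknown purpose returns nothing; in every case the AuditEvent lists all three candidates with their decision, which is what the "documents which data have been disclosed (or not), to whom and why" requirement asks for.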


3.2.2 Select data for IPS

Activity: Process imported data

  Requirements: IPS consumers are made aware of the data processing applied by the IPS creator system. In this case this information is recorded with the shared document.
  GDPR Impact: The data subject has the right to transparent information about the origin of personal data, both where they have been collected from the data subject and where they have not been obtained from the data subject (Art 14 and 15). See https://confluence.hl7.org/pages/viewpage.action?pageId=6003035#FHIR-GDPR-Transparencyaboutprocessingpersonaldata
  Assets: FHIR resources (Composition.author); Provenance

  Requirements: The system logs the data processing applied.
  Assets: AuditEvent
  Notes: For future consideration: create an example of AuditEvent.

Activity: Human content selection

  Requirements: Information about the human curator of the IPS is recorded.
  Assets: FHIR resources; Composition.author; (Provenance)


3.2.3 Validate the IPS

Activity: IPS Validation

  Requirements: Information about the attester of the IPS is recorded.
  Assets: Composition.attester; referred FHIR resources; (Provenance)
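How the "Process imported data", "Human content selection" and "IPS Validation" requirements can be carried in Composition.author, Composition.attester and Provenance, as an added example (Python, not code from this page or from the IPS project). It builds the two Provenance resources this case describes (a candidate Composition assembled by the IPS creator device from several sources, then a Composition authored and attested by the human curator) and runs the check a receiving system would want: every Composition has an author, a final Composition has an attester, every reference in a Provenance resolves inside the document Bundle, and the recorded author and attester are backed by Provenance agents of a matching type. All identifiers and dates are constructed, and references are assumed to be relative "Type/id" references.

```python
"""Provenance and authorship checks for "Select data for IPS" and "Validate the IPS".

Added example, not code from this page or the IPS project. Builds the device-assembled
candidate and the human-curated IPS Composition with their Provenance, then checks that
Composition.author / Composition.attester agree with the Provenance agents and that every
reference resolves inside the Bundle. Identifiers are constructed; references are assumed
to be relative "Type/id" references.
"""
from copy import deepcopy

PARTICIPANT = "http://terminology.hl7.org/CodeSystem/provenance-participant-type"  # assembler, author, verifier
DATA_OPERATION = "http://terminology.hl7.org/CodeSystem/v3-DataOperation"          # CREATE, UPDATE, ...
ATTESTER_AGENT_TYPES = {"verifier", "attester"}

def ref(resource_type, rid):
    return {"reference": f"{resource_type}/{rid}"}

def coding(system, code):
    return {"coding": [{"system": system, "code": code}]}

def composition(cid, status, authors, attesters=()):
    """Minimal IPS Composition (LOINC 60591-5, 'Patient summary Document'); authors/attesters are (Type, id)."""
    comp = {"resourceType": "Composition", "id": cid, "status": status,
            "type": coding("http://loinc.org", "60591-5"), "date": "2019-03-01T10:00:00Z",
            "title": "International Patient Summary", "author": [ref(*a) for a in authors]}
    if attesters:
        comp["attester"] = [{"mode": "professional", "time": "2019-03-01T11:00:00Z", "party": ref(*a)} for a in attesters]
    return comp

def provenance(pid, target, operation, agents, entities):
    """agents: (participant-type code, (Type, id)); entities: (entity role, (Type, id))."""
    return {"resourceType": "Provenance", "id": pid, "target": [ref(*target)], "recorded": "2019-03-01T11:00:01Z",
            "activity": coding(DATA_OPERATION, operation),
            "agent": [{"type": coding(PARTICIPANT, t), "who": ref(*who)} for t, who in agents],
            "entity": [{"role": role, "what": ref(*what)} for role, what in entities]}

def build_bundle():
    """Document Bundle: device-assembled candidate, curated IPS, their Provenance and the referenced actors."""
    sources = [("Device", s) for s in ("eprescription-system", "vaccination-registry", "lis-xyz")]
    draft = composition("ips-draft", "preliminary", [("Device", "ips-creator")])
    curated = composition("ips-1", "final", [("Practitioner", "dr-1")], [("Practitioner", "dr-1")])
    prov_assembled = provenance("prov-01", ("Composition", "ips-draft"), "CREATE",
                                [("assembler", ("Device", "ips-creator"))], [("source", s) for s in sources])
    prov_curated = provenance("prov-02", ("Composition", "ips-1"), "CREATE",
                              [("author", ("Practitioner", "dr-1")), ("verifier", ("Practitioner", "dr-1"))],
                              [("derivation", ("Composition", "ips-draft"))])
    actors = [{"resourceType": "Device", "id": "ips-creator"}, {"resourceType": "Practitioner", "id": "dr-1"}]
    actors += [{"resourceType": t, "id": i} for t, i in sources]
    return {"resourceType": "Bundle", "type": "document",
            "entry": [{"resource": r} for r in (curated, draft, prov_assembled, prov_curated, *actors)]}

def check_ips_provenance(bundle):
    """Return a list of problems; an empty list means the bundle passes every check."""
    idx = {f"{e['resource']['resourceType']}/{e['resource']['id']}": e["resource"] for e in bundle["entry"]}
    provs = [r for r in idx.values() if r["resourceType"] == "Provenance"]
    problems = []
    for p in provs:  # 1. every reference inside a Provenance resolves within the bundle
        refs = ([t["reference"] for t in p["target"]] + [a["who"]["reference"] for a in p["agent"]]
                + [e["what"]["reference"] for e in p.get("entity", [])])
        problems += [f"{p['id']}: unresolved reference {r}" for r in refs if r not in idx]
    for key, comp in idx.items():  # 2. authorship and attestation are recorded and backed by Provenance
        if comp["resourceType"] != "Composition":
            continue
        authors = {a["reference"] for a in comp.get("author", [])}
        attesters = {a["party"]["reference"] for a in comp.get("attester", []) if "party" in a}
        if not authors:
            problems.append(f"{key}: no author recorded")
        if comp.get("status") == "final" and not attesters:
            problems.append(f"{key}: final document without attester")
        mine = [p for p in provs if any(t["reference"] == key for t in p["target"])]
        if not mine:
            problems.append(f"{key}: no Provenance targets it")
            continue
        agents = {}  # who -> set of participant-type codes across all Provenance targeting this Composition
        for p in mine:
            for a in p["agent"]:
                agents.setdefault(a["who"]["reference"], set()).update(c["code"] for c in a["type"]["coding"])
        problems += [f"{key}: author {a} is not a Provenance agent" for a in sorted(authors - agents.keys())]
        problems += [f"{key}: attester {a} is not a verifier/attester agent" for a in sorted(attesters)
                     if not agents.get(a, set()) & ATTESTER_AGENT_TYPES]
    return problems

def tampered_bundle():
    """Constructed negative case: attester dropped and the curator removed from the Provenance agents."""
    b = deepcopy(build_bundle())
    for e in b["entry"]:
        r = e["resource"]
        if r.get("id") == "ips-1":
            r.pop("attester")
        if r.get("id") == "prov-02":
            r["agent"] = [{"type": coding(PARTICIPANT, "assembler"), "who": ref("Device", "ips-creator")}]
    return b

if __name__ == "__main__":
    print(check_ips_provenance(build_bundle()) or "bundle OK")
    print(check_ips_provenance(tampered_bundle()))
```

The well-formed bundle yields no problems; the tampered copy reports the missing attester and the author that no Provenance agent vouches for, and dropping one of the source Device entries surfaces as an unresolved reference in prov-01. The check deliberately treats the Provenance agents, not the Composition fields alone, as the record of who assembled, authored and verified the document, since that is what a consumer relies on for the Art 14 and 15 transparency requirement.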



3.2.4 Publish the IPS

Activity: Creation of the IPS instance

  Requirements: The IPS creator system creates an instance of the IPS. The system logs this event.
  Assets: FHIR IPS; AuditEvent

Activity: IPS Publication

  Requirements: The IPS creator has to check that this IPS can be published.
  GDPR Impact: Processing personal data or sensitive personal data is prohibited unless for very specific reasons defined in article 6 and article 9. See https://confluence.hl7.org/pages/viewpage.action?pageId=6003035#FHIR-GDPR-Rightforprocessingpersonaldata/explicitconsent
  Assets: FHIR IPS; Consent
  Notes: Question: should the conditions of use of the IPS data be provided to the repository? If so, how?

  Requirements: The IPS creator system logs the export of the IPS.
  Assets: AuditEvent
  Notes: For future consideration: create an example of AuditEvent.

Activity: IPS storage

  Requirements: The repository stores the received IPS together with consent information for future usage.
  GDPR Impact: Processing personal data or sensitive personal data is prohibited unless for very specific reasons defined in article 6 and article 9. See https://confluence.hl7.org/pages/viewpage.action?pageId=6003035#FHIR-GDPR-Rightforprocessingpersonaldata/explicitconsent
  Assets: FHIR IPS; Consent
  Notes:
    • Question: should the patient be made aware that his/her IPS is now available for consultation? Is this part out of scope?
    • [call end of feb no..]

  Requirements: The system logs the import of the IPS.
  Assets: AuditEvent
  Notes: For future consideration: create an example of AuditEvent.


3.2.5 Postconditions

Activity: Patient Access

  Requirements: The Patient has the right to access his/her IPS.
  GDPR Impact: Art. 16 Right to rectification; Art. 15 Right of access by the data subject
  Assets: FHIR API; FHIR IPS

Activity: Consent update

  Requirements: The Patient may change his/her consents.
  GDPR Impact: Processing personal data or sensitive personal data is prohibited unless for very specific reasons defined in article 6 and article 9. See https://confluence.hl7.org/pages/viewpage.action?pageId=6003035#FHIR-GDPR-Rightforprocessingpersonaldata/explicitconsent
  Assets: Consent

Activity: IPS consumed

  Requirements: The IPS is consumed for the purposes specified in the consent(s). Several control and logging actions are expected when data are disclosed.
  Assets: FHIR IPS; Consent; AuditEvent
  Notes: This part has to be developed in separate use cases.


Examples

Provenance: IPS assembled by a device from multiple sources

Description: IPS composition pre-assembled by the device "National IPS creation system", using as sources the National ePrescription System, the National Vaccination Registry and the Laboratory Information System XYZ.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/IPS-example-Provenance-Composition-01.xml

Provenance: IPS curated by a human being

Description: IPS curated (authored and verified) by Dr Beetje Van Hulp, using as source the information pre-assembled by the National IPS system.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/IPS-example-Provenance-Composition-02.xml

Provenance: Observation obtained from a Lab report

Description: The Blood Typing is derived from the report ID 1234567, done on 2015-10-10 by the Nice Lab Organization.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/IPS-example-Provenance-BldGrp-01.xml

Consent: Regional / National EHR opt-in

Description: The patient gave permission to activate the national / regional EHR and to have his/her data in it.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/IPS-consent-01-optin.xml

Consent: permission to use specific lab data for research purposes (compartment; OR condition)

Description: The patient gave permission to use his/her data included in a specific Lab report either for clinical research purposes or for research project XYZ.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/IPS-consent-02-a.xml

Consent: permission to use specific lab data for research purposes (compartment; AND condition)

Description: The patient gave permission to use his/her data included in a specific Lab report for clinical research purposes and for research project XYZ.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/IPS-consent-02-b.xml

Consent: permission to use specific lab data for treatment or for the research project XYZ

Description: The patient gave permission to use his/her data included in a specific Lab report for treatment or for research project XYZ.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/IPS-consent-02-c.xml

Observation: Lab observation example with security labels

Description: Lab observation result that was subject to a syntactic transformation; the patient gave permission to use his/her data included in a specific Lab report for clinical research purposes and for research project XYZ.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/Observation-w-sec-label.xml

Bundle: IPS bundle including provenance and consent resources

Description: IPS bundle including the above provenance and consent resources.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/IPS-bundle-01-w-prov-01.xml

Bundle: IPS bundle including provenance and security labels

Description: IPS bundle including the above provenance and security labels.
Link : https://github.com/gcangioli/sandbox/blob/master/gdpr/IPS-bundle-01-w-prov-02.xml

IPS translated during the transport

[to be developed]

IPS obtained as transformation of a local Patient Summary

[to be developed]
