
The Security Control Label Tags for Purpose of Use, Obligations, Prohibitions (Refrains), and Privacy Marks may be used to stipulate limitations, obligations, and prohibitions on the privacy actions and security operations that are permitted to be performed.

In addition, there are v3 codes for permissible actions, which could be values in a Security Control Label Tag (TBD).

These may form an additional set of codes to add to the Security Category Label Tags.

However, these codes were developed prior to HCS, and they pre-coordinate concepts that could be better conveyed as more discrete sets of tags in a security label.

We may want to create a small set of privacy action codes, each mapping to one or more security operations (i.e., the v3 DataOperations code system), which can then be combined with any applicable policy and purpose of use.

Recommend listing all 4 of the following Privacy Actions, which impact Consumer Privacy (see attached diagram for details on interrelationships):
  • Access: Retrieve Externally Sourced or Internally Created Data.
    • Usage Note: Access is a precondition of Collection, Use, and Disclosure. Access may be simultaneous with CREATE (security operation), but not necessarily. Access is the result of a successful GET or SEARCH FHIR Operation, or the RESPONSE to a REQUEST.
  • Collection: Store Externally Sourced or Internally Created Data.
    • Usage Note: Collect is a precondition to Use, but it is possible to Collect without Use.
  • Use: Execute a program on Externally Sourced or Internally Created Data.
    • Usage Note: Use is simultaneous with USE (security operation). The type of USE may be specified with 1..* EXECUTE operations. Use is the result of a successful POST.....FHIR Operation.
    • Use is a precondition of DELETE security operations. The type of DELETE may be specified with 1..1 EXECUTE operations ABORT, CANCEL, and OBSOLETE. DELETE is the result of a successful "Delete profiles, tags, and security labels for a resource" FHIR operation.
  • Disclose: Forward Externally Sourced or Internally Created Data to an external entity/system.
    • Usage Note: Disclose is subsequent to Collection.
These map to Security Operations (aka the DataOperations code system); see below. They are also included in the Security and Privacy DAM.
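The ordering rules in the usage notes above (Access before Collection, Use and Disclosure; Collect before Use; Use before DELETE) can be checked mechanically against an audit trail. The following is an added illustration, not code from the HL7 page or project; the action names, the function names and the constructed trail are assumptions.

```python
from typing import Iterable

ACCESS, COLLECT, USE, DISCLOSE, DELETE = "ACCESS", "COLLECT", "USE", "DISCLOSE", "DELETE"

# For each action, the actions that must already have been performed on the
# same data item before it is permitted (taken from the usage notes above).
PRECONDITIONS = {
    ACCESS: frozenset(),                     # no privacy-action precondition
    COLLECT: frozenset({ACCESS}),            # Access precedes Collection
    USE: frozenset({ACCESS, COLLECT}),       # Access and Collect precede Use
    DISCLOSE: frozenset({ACCESS, COLLECT}),  # Disclose is subsequent to Collection
    DELETE: frozenset({USE}),                # Use precedes the DELETE security operation
}


def check_sequence(actions: Iterable[str]) -> list[str]:
    """Walk the actions recorded against one data item, in order, and return
    a list of violations (empty when every precondition was satisfied).
    An action is counted as performed even when it was out of order, so one
    missing step is reported once rather than at every later step."""
    done: set[str] = set()
    violations: list[str] = []
    for i, action in enumerate(actions):
        if action not in PRECONDITIONS:
            violations.append(f"step {i}: unknown action {action!r}")
            continue
        missing = PRECONDITIONS[action] - done
        if missing:
            violations.append(
                f"step {i}: {action} without prior {', '.join(sorted(missing))}")
        done.add(action)
    return violations


if __name__ == "__main__":
    # Constructed audit trail (hypothetical): data was used and disclosed
    # before it was ever stored, so two precondition violations are expected.
    trail = [ACCESS, USE, DISCLOSE, COLLECT, DELETE]
    for problem in check_sequence(trail):
        print(problem)
```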

ISTPA Privacy Operation Definitions from International Privacy Frameworks Mapped to v3 Concept Domain Codes and v3 DataOperations code system

The table has one column per operation (Collect, Access, Use, Disclose, Access and Correction) and two rows (Privacy, Security); it is laid out below one operation at a time.

Collect

Privacy: Constraints exercised by the data collector and user to limit information collected to the minimum necessary to achieve a stated purpose and when required demonstrably collected by fair and lawful means. ISTPA

Security: Data collector creates, retrieves, and stores information. Collection might occur without any further operations occurring.

FROM HL7 ActCode CONCEPT DOMAIN: ActDataCollectionOperationType

Description: Types of operations that may accomplish collection or related management of information. Here, objects are broadly understood as information system-related entities (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information.

Examples:

  • Create
  • Store
  • Archive

Access

Privacy: Accessibility by authorized users [derived from HIPAA]

Security: Flow of info about object to a subject / READ [Requester]

FROM HL7 DataOperation Code System OID: 2.16.840.1.113883.5.1123, LEAF CONCEPT: READ (read)

Description: Fundamental operation in an Information System (IS) that results only in the flow of information about an object to a subject.

FROM HL7 ActCode Concept Domain: ActDataAccessOperationType

Description: Types of operations that may accomplish access of information. Here, objects are broadly understood as information system-related entities (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information.

Examples:

  • Query
  • Search
  • Transport
  • Send
  • Receive

Use

Privacy: Controls exercised by the data collector or data user to ensure that personal information will not be used for purposes other than those specified and accepted by the data subject or provided by law, and not maintained longer than necessary for the stated purposes. ISTPA

Security: Types of operations that may accomplish usage of information.

FROM HL7 ActCode CONCEPT DOMAIN: ActDataUseOperationType

Description: Types of operations that may accomplish usage of information.

Examples:

  • Activate
  • Release
  • Execute Read
  • Display
  • Update
  • Append
  • Amend

See the Data Operations codes for definitions of these security operations.

Disclose

Privacy: The release, transfer, provision of access to, use for new purposes, or divulging in any manner, of information by the entity holding the information only with notice and consent of the data subject. The data collector's policies must be made known to and observed by third parties receiving the information. Sensitive information disclosures must be managed. ISTPA

Security: Types of operations that may accomplish disclosure of information.

FROM HL7 ActCode CONCEPT DOMAIN: ActDataDisclosureOperationType

Description: Types of operations that may accomplish disclosure of information. Here, objects are broadly understood as information system-related entities (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information.

Access and Correction

Privacy: Capability allowing individuals having adequate proof of identity to find out from an entity, or find out and/or correct, their personal information. ISTPA

Security: Operations that enable an authorized user/data subject to

    • READ
    • Perform/request an UPDATE/DELETE [may be "entered in error"; not necessarily eradication of the data from the store as in the EU directive "right to be forgotten."]

DS4P CDA IG ActionOperation Vocabulary

HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1


The Office of the National Coordinator DS4P Implementation Guide (IG) will provide the core input into the HL7 DS4P IG project. The project scope is the publication of a U.S. realm DS4P normative specification as an exemplar for an IG that could be used by other realms. This IG entails:

  • A CDA R2 content profile specifying constraints consistent with the DS4P requirements
  • Two US-specific transport profiles for NwHIN Direct and Exchange, constrained based on the DS4P requirements

The DS4P IG identifies the normative standards that it constrains, and describes how the IG is compliant with its base normative standards. The IG includes implementation guidance for developers to ensure semantic interoperability.

From <http://www.hl7.org/implement/standards/product_brief.cfm?product_id=354>

Action Operation Flow Diagram

The following is a diagram of the interrelationship of Privacy Actions with some pointers to related Security Operations.

Privacy Actions - Security Operations.pdf


v3 DataOperation Codes

Summary

Defining URL: http://terminology.hl7.org/CodeSystem/v3-DataOperation
Version: 2.0.0
Name: DataOperation
Title: DataOperation
Status: Active
Content: All the concepts defined by the code system are included in the code system resource
Publisher: HL7
OID: 2.16.840.1.113883.5.1123 (for OID based terminology systems)
Content Mode: Complete
Source Resource: XML / JSON / Turtle

This Code system is referenced in the content logical definition of the following value sets:

DataOperation

Properties (Code, URL, Description, Type)

  • Specializes (type: Coding): The child code is a more narrow version of the concept represented by the parent code, i.e., every child concept is also a valid parent concept. Used to allow determination of subsumption. Must be transitive, irreflexive, antisymmetric.
  • Generalizes (type: Coding): Inverse of Specializes. Only included as a derived relationship.
  • internalId (URL: http://terminology.hl7.org/CodeSystem/utg-concept-properties#v3-internal-id; type: code): The internal identifier for the concept in the HL7 Access database repository.
  • status (URL: http://hl7.org/fhir/concept-properties#status; type: code): Designation of a concept's state. Normally is not populated unless the state is retired.

This code system http://terminology.hl7.org/CodeSystem/v3-DataOperation defines the following codes:

Codes are listed as CODE (display): definition [internalId, status]; nesting shows the level (Lvl) in the Specializes hierarchy.

  • OPERATE (operate): Act on an object or objects. [22873, active]
    • CREATE (create): Fundamental operation in an Information System (IS) that results only in the act of bringing an object into existence. Note: The preceding definition is taken from the HL7 RBAC specification. There is no restriction on how the operation is invoked, e.g., via a user interface. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22874, active]
    • DELETE (delete): Fundamental operation in an Information System (IS) that results only in the removal of information about an object from memory or storage. Note: The preceding definition is taken from the HL7 RBAC specification. There is no restriction on how the operation is invoked, e.g., via a user interface. [22891, active]
    • EXECUTE (execute): Fundamental operation in an IS that results only in initiating performance of a single or set of programs (i.e., software objects). Note: The preceding definition is taken from the HL7 RBAC specification. There is no restriction on how the operation is invoked, e.g., via a user interface. [22892, active]
    • READ (read): Fundamental operation in an Information System (IS) that results only in the flow of information about an object to a subject. Note: The preceding definition is taken from the HL7 RBAC specification. There is no restriction on how the operation is invoked, e.g., via a user interface. [22875, active]
    • UPDATE (revise): Fundamental operation in an Information System (IS) that results only in the revision or alteration of an object. Note: The preceding definition is taken from the HL7 RBAC specification. There is no restriction on how the operation is invoked, e.g., via a user interface. [22876, active]
      • APPEND (append): Fundamental operation in an Information System (IS) that results only in the addition of information to an object already in existence. Note: The preceding definition is taken from the HL7 RBAC specification. There is no restriction on how the operation is invoked, e.g., via a user interface. [22877, active]
      • MODIFYSTATUS (modify status): Change the status of an object representing an Act. [22878, active]
        • ABORT (abort): Change the status of an object representing an Act to "aborted", i.e., terminated prior to the originally intended completion. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22879, active]
        • ACTIVATE (activate): Change the status of an object representing an Act to "active", i.e., so it can be performed or is being performed, for the first time. (Contrast with REACTIVATE.) For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22880, active]
        • CANCEL (cancel): Change the status of an object representing an Act to "cancelled", i.e., abandoned before activation. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22881, active]
        • COMPLETE (complete): Change the status of an object representing an Act to "completed", i.e., terminated normally after all of its constituents have been performed. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22882, active]
        • HOLD (hold): Change the status of an object representing an Act to "held", i.e., put aside an Act that is still in preparatory stages. No action can occur until the Act is released. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22883, active]
        • JUMP (jump): Change the status of an object representing an Act to a normal state. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22884, active]
        • NULLIFY (nullify): Change the status of an object representing an Act to "nullified", i.e., treat as though it never existed. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22885, active]
        • OBSOLETE (obsolete): Change the status of an object representing an Act to "obsolete" when it has been replaced by a new instance. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22886, active]
        • REACTIVATE (reactivate): Change the status of a formerly active object representing an Act to "active", i.e., so it can again be performed or is being performed. (Contrast with ACTIVATE.) For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22887, active]
        • RELEASE (release): Change the status of an object representing an Act so it is no longer "held", i.e., allow action to occur. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22888, active]
        • RESUME (resume): Change the status of a suspended object representing an Act to "active", i.e., so it can be performed or is being performed. For an HL7 Act, the state transitions per the HL7 Reference Information Model. [22889, active]
        • SUSPEND (suspend): Change the status of an object representing an Act to "suspended", i.e., so it is temporarily not in service. [22890, active]
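The Specializes property above is what lets a policy decision use subsumption: a label or permission that names a coarse code such as UPDATE should cover every code that specializes it (APPEND, MODIFYSTATUS and all of its status changes). The following added example, not HL7 tooling, transcribes the hierarchy from the table and shows the subsumption test together with a check that the relation is transitive, irreflexive and antisymmetric as the property definition requires; the function names are assumptions.

```python
# Parent of each code, read off the Lvl column of the table above
# (OPERATE is the level-1 root and has no parent).
PARENT = {
    "CREATE": "OPERATE", "DELETE": "OPERATE", "EXECUTE": "OPERATE",
    "READ": "OPERATE", "UPDATE": "OPERATE",
    "APPEND": "UPDATE", "MODIFYSTATUS": "UPDATE",
    **{c: "MODIFYSTATUS" for c in (
        "ABORT", "ACTIVATE", "CANCEL", "COMPLETE", "HOLD", "JUMP", "NULLIFY",
        "OBSOLETE", "REACTIVATE", "RELEASE", "RESUME", "SUSPEND")},
}
ALL_CODES = frozenset(PARENT) | {"OPERATE"}


def generalizes(code):
    """Transitive closure of Specializes: every ancestor of code, nearest
    first. Raises KeyError for a code that is not in the code system."""
    if code not in ALL_CODES:
        raise KeyError(code)
    chain = []
    while code in PARENT:
        code = PARENT[code]
        chain.append(code)
    return chain


def specializes(child, parent):
    """True when child is a strict specialization of parent (the property is
    irreflexive, so a code never specializes itself)."""
    return parent in generalizes(child)


def permitted(granted, requested):
    """Does a policy that grants the operations in `granted` (possibly as a
    coarse code such as UPDATE) cover `requested`? A grant of a parent code
    is treated as a grant of every code that specializes it; an unknown
    requested code is never permitted."""
    if requested not in ALL_CODES:
        return False
    return any(g == requested or specializes(requested, g) for g in granted)


def hierarchy_is_well_formed():
    """Verify the Specializes relation as transcribed is acyclic (hence
    irreflexive and antisymmetric) and that every parent is itself a code."""
    for code in PARENT:
        seen, cur = {code}, code
        while cur in PARENT:
            cur = PARENT[cur]
            if cur in seen or cur not in ALL_CODES:
                return False
            seen.add(cur)
    return True
```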


The RESTful API defines a set of common interactions (read, update, search, etc.) performed on a repository of typed resources. For further information concerning how operations are defined and invoked, see Extended Operations on the RESTful API.

This is a full list of the operations defined by this specification (name, followed by the URL pattern(s) at which it is invoked):

Base Operations (All resource types)

  • Validate a resource: [base]/[Resource]/$validate | [base]/[Resource]/[id]/$validate
  • Access a list of profiles, tags, and security labels: [base]/$meta | [base]/[Resource]/$meta | [base]/[Resource]/[id]/$meta
  • Add profiles, tags, and security labels to a resource: [base]/[Resource]/[id]/$meta-add
  • Delete profiles, tags, and security labels for a resource: [base]/[Resource]/[id]/$meta-delete
  • Convert from one form to another: [base]/$convert
  • Execute a graphql statement: [base]/$graphql | [base]/[Resource]/[id]/$graphql
  • Return a graph of resources: [base]/[Resource]/[id]/$graph

Operations Defined by Resource Types

  • Apply: [base]/ActivityDefinition/$apply | [base]/ActivityDefinition/[id]/$apply
  • Data Requirements: [base]/ActivityDefinition/[id]/$data-requirements
  • Fetch a subset of the CapabilityStatement resource: [base]/CapabilityStatement/$subset | [base]/CapabilityStatement/[id]/$subset
  • Test if a server implements a client's required operations: [base]/CapabilityStatement/$implements | [base]/CapabilityStatement/[id]/$implements
  • Test if a server implements a client's required operations: [base]/CapabilityStatement/$conforms
  • Discover what versions a server supports: [base]/$versions
  • Fetch a subset of the CapabilityStatement2 resource: [base]/CapabilityStatement2/$subset | [base]/CapabilityStatement2/[id]/$subset
  • Test if a server implements a client's required operations: [base]/CapabilityStatement2/$implements | [base]/CapabilityStatement2/[id]/$implements
  • Test if a server implements a client's required operations: [base]/CapabilityStatement2/$conforms
  • Discover what versions a server supports: [base]/$versions
  • Apply: [base]/ChargeItemDefinition/[id]/$apply
  • Submit a Claim resource for adjudication: [base]/Claim/$submit
  • Concept Look Up & Decomposition: [base]/CodeSystem/$lookup
  • Code System based Validation: [base]/CodeSystem/$validate-code | [base]/CodeSystem/[id]/$validate-code
  • Subsumption Testing: [base]/CodeSystem/$subsumes | [base]/CodeSystem/[id]/$subsumes
  • Finding codes based on supplied properties: [base]/CodeSystem/$find-matches | [base]/CodeSystem/[id]/$find-matches
  • Generate a Document: [base]/Composition/$document | [base]/Composition/[id]/$document
  • Concept Translation: [base]/ConceptMap/$translate | [base]/ConceptMap/[id]/$translate
  • Closure Table Maintenance: [base]/$closure
  • Submit an EligibilityRequest resource for assessment: [base]/CoverageEligibilityRequest/$submit
  • Generate a DocumentReference from a document: [base]/DocumentReference/$generate
  • Fetch Encounter Record: [base]/Encounter/[id]/$everything
  • Fetch a group of Patient Records: [base]/Group/[id]/$everything
  • Data Requirements: [base]/$data-requirements | [base]/Library/[id]/$data-requirements
  • Find a functional list: [base]/List/$find
  • Evaluate Measure: [base]/Measure/$evaluate-measure | [base]/Measure/[id]/$evaluate-measure
  • Data Requirements: [base]/Measure/[id]/$data-requirements
  • Submit Data: [base]/Measure/$submit-data | [base]/Measure/[id]/$submit-data
  • Collect Data: [base]/Measure/$collect-data | [base]/Measure/[id]/$collect-data
  • Care Gaps: [base]/Measure/$care-gaps
  • Fetch Product Record: [base]/MedicinalProductDefinition/$everything | [base]/MedicinalProductDefinition/[id]/$everything
  • Process Message: [base]/$process-message
  • Fetch Preferred id: [base]/NamingSystem/$preferred-id
  • Observation Statistics: [base]/Observation/$stats
  • Last N Observations Query: [base]/Observation/$lastn
  • Find patient matches using MPI based logic: [base]/Patient/$match
  • Fetch Patient Record: [base]/Patient/$everything | [base]/Patient/[id]/$everything
  • Apply: [base]/PlanDefinition/$apply | [base]/PlanDefinition/[id]/$apply
  • Data Requirements: [base]/PlanDefinition/[id]/$data-requirements
  • Apply: [base]/SpecimenDefinition/$apply | [base]/SpecimenDefinition/[id]/$apply
  • Build Questionnaire: [base]/StructureDefinition/$questionnaire | [base]/StructureDefinition/[id]/$questionnaire
  • Generate Snapshot: [base]/StructureDefinition/$snapshot | [base]/StructureDefinition/[id]/$snapshot
  • Model Instance Transformation: [base]/StructureMap/$transform | [base]/StructureMap/[id]/$transform
  • Get Current Subscription Status for One or More Subscriptions: [base]/Subscription/$status | [base]/Subscription/[id]/$status
  • Value Set Expansion: [base]/ValueSet/$expand | [base]/ValueSet/[id]/$expand
  • Value Set based Validation: [base]/ValueSet/$validate-code | [base]/ValueSet/[id]/$validate-code

Notes:

  • The special operations on the meta element also operate on previous versions of a resource (/_history/). They are the only operations that can manipulate versions other than the "current" version.
  • Implementation Guides can define additional operations