FHIR as a means of moving data from one system to another is commonplace in clinical care but as yet is uncommon in clinical research. Confidentiality of patient data is a fundamental issue in all systems, but in clinical research blinding adds an additional complexity. A further dimension is the reuse of EHR data for clinical research where the coding and definition of data items can be different.

This paper seeks to identify some issues that have to be addressed and proposes an architecture that enables proper separation of the concerns and appropriate allocation of responsibilities.

Conceptual Architecture

Issues to Consider


Within the EHR each patient will be individually and exactly identified, but within the clinical trial each patient is a subject about whom the amount of personal data is very limited, and it must not be possible to identify a specific individual patient based on the trial data.

In specific and highly controlled circumstances a process of unblinding must be available to allow a specific patient to be identified from their subject identity.
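The separation described above, as an added example that is not part of the paper: the EHR identity and the trial subject identity are linked only inside a vault held by the data controller, the subject identifier is a keyed hash (so the same patient gets the same subject id on every export for one trial, but a different one in another trial, and the id cannot be reversed without the key), the trial-side record carries no direct identifiers, and unblinding is restricted to a designated role and always audited. The Patient record, role names and key handling are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample EHR record in a FHIR-like shape; not taken from any real system.
EHR_PATIENT = {
    "resourceType": "Patient",
    "id": "ehr-12345",
    "name": [{"family": "Doe", "given": ["Jane"]}],
    "birthDate": "1970-04-12",
    "gender": "female",
    "address": [{"postalCode": "AB12 3CD"}],
}

# Elements that must never leave the EHR side (illustrative list).
DIRECT_IDENTIFIERS = ("name", "address", "telecom", "identifier")


class LinkageVault:
    """The only place that can map a trial subject id back to an EHR patient id.

    Assumed to be operated by the data controller (e.g. the hospital) and never
    deployed alongside the trial database, so trial-side data alone cannot
    re-identify anyone.
    """

    def __init__(self, key=None):
        # Per-trial secret: the same patient gets different subject ids in different trials.
        self._key = key or secrets.token_bytes(32)
        self._links = {}   # subject_id -> EHR patient id
        self.audit = []    # every unblinding request, granted or not

    def enrol(self, trial_id, patient_id):
        # Keyed hash rather than a plain hash: deterministic (re-exports give the same
        # subject id) but not reversible or guessable without the key.
        msg = f"{trial_id}|{patient_id}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        subject_id = "SUBJ-" + digest[:10].upper()
        self._links[subject_id] = patient_id
        return subject_id

    def unblind(self, subject_id, requester_role, reason):
        # Controlled unblinding: a designated role, a stated reason, always audited.
        granted = requester_role == "safety-physician" and bool(reason)
        self.audit.append({"subject": subject_id, "role": requester_role,
                           "reason": reason, "granted": granted})
        if not granted:
            raise PermissionError("unblinding denied for role %r" % requester_role)
        return self._links[subject_id]


def has_direct_identifiers(resource):
    """Export-time check: does this record still carry any direct identifier?"""
    return any(k in resource for k in DIRECT_IDENTIFIERS)


def make_trial_subject(patient, subject_id):
    """Trial-side view: the minimum needed for analysis, no direct identifiers."""
    return {
        "resourceType": "Patient",
        "id": subject_id,
        "gender": patient.get("gender"),
        "birthDate": patient["birthDate"][:4],   # year only, to limit re-identification
    }


if __name__ == "__main__":
    vault = LinkageVault()
    sid = vault.enrol("TRIAL-A", EHR_PATIENT["id"])
    print(make_trial_subject(EHR_PATIENT, sid))
    print(vault.unblind(sid, "safety-physician", "serious adverse event review"))
```

The vault's audit list is the control that makes unblinding "highly controlled": every request, including refused ones, is recorded with who asked and why.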

Masking (Selective Data Access)

Some elements of a patient's EHR may be visible only to specific individuals or groups of individuals. This may be done by granting permission to view to a given group, or by denying permission to a group. It may also be that the existence of the data is visible but its content is hidden, or that even the existence of the data is hidden.

This is further complicated when the EHR data is used for a purpose that was not envisaged when the permissions were set up. For example, a trial may wish to exclude individuals who have had psychiatric treatment, but an individual may have stated that release of such information requires their explicit consent.

This limited access may also apply within a speciality - following the same example, a patient is happy for their medication record to be accessible but not their psychiatric record - where does this leave the psychiatric medication? It may also be that they are happy for their normal family doctor to view all their records, but not for that access to extend to a locum for the family doctor.
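The masking cases in this section, worked through as an added example (not the paper's own design): each record carries security labels, consent rules per label say which groups may see it and for which purpose, and a record that fails a rule is either redacted (existence visible, content stripped) or hidden (existence hidden). A record carrying two labels, such as a psychiatric medication, gets the most restrictive outcome, which is how the psychiatric medication question resolves; an explicit consent for a purpose not envisaged originally (research) can be recorded per label. The resources, the label strings and the rules are constructed for the illustration and are not official FHIR codes.

```python
from copy import deepcopy

# Constructed sample resources in a FHIR-like shape. The security labels are
# illustrative strings for this example, not official FHIR label codes.
RESOURCES = [
    {"resourceType": "Observation", "id": "obs-1", "code": "blood-pressure",
     "value": "120/80", "meta": {"security": ["GENERAL"]}},
    {"resourceType": "MedicationStatement", "id": "med-1", "medication": "metformin",
     "meta": {"security": ["MEDICATION"]}},
    # A medication record that is also part of the psychiatric record.
    {"resourceType": "MedicationStatement", "id": "med-2", "medication": "sertraline",
     "meta": {"security": ["MEDICATION", "PSYCHIATRIC"]}},
    {"resourceType": "Encounter", "id": "enc-1", "class": "psychiatric-outpatient",
     "meta": {"security": ["PSYCHIATRIC"]}},
]

# Constructed consent rules. Each rule governs one label: which groups may see it,
# for which purposes, and what happens otherwise. "redact" keeps the record's
# existence visible but strips its content; "hide" removes it entirely.
CONSENT_RULES = [
    {"label": "PSYCHIATRIC", "allow_groups": {"family-doctor"}, "deny_groups": {"locum"},
     "purposes": {"treatment"}, "otherwise": "hide"},
    {"label": "MEDICATION", "allow_groups": {"family-doctor", "locum", "trial-investigator"},
     "deny_groups": set(), "purposes": {"treatment", "research"}, "otherwise": "redact"},
]

CONTENT_FIELDS = {"code", "value", "medication", "class"}   # what "redact" strips
RANK = {"allow": 0, "redact": 1, "hide": 2}                  # most restrictive wins


def decide(resource, groups, purpose, rules, explicit_consents):
    """Most restrictive outcome over every label carried by the resource."""
    decision = "allow"
    for label in resource.get("meta", {}).get("security", []):
        if (label, purpose) in explicit_consents:
            continue  # patient has explicitly consented to this label for this purpose
        for rule in rules:
            if rule["label"] != label:
                continue
            permitted = (purpose in rule["purposes"]
                         and bool(groups & rule["allow_groups"])
                         and not (groups & rule["deny_groups"]))
            if not permitted and RANK[rule["otherwise"]] > RANK[decision]:
                decision = rule["otherwise"]
    return decision


def apply_masking(resources, groups, purpose, rules=CONSENT_RULES, explicit_consents=frozenset()):
    """Return the view of `resources` that a requester in `groups` gets for `purpose`."""
    groups = set(groups)
    visible = []
    for res in resources:
        outcome = decide(res, groups, purpose, rules, explicit_consents)
        if outcome == "hide":
            continue
        res = deepcopy(res)  # never mutate the stored record
        if outcome == "redact":
            for field in CONTENT_FIELDS:
                res.pop(field, None)
            res["masked"] = True
        visible.append(res)
    return visible


if __name__ == "__main__":
    for who, purpose in [({"family-doctor"}, "treatment"), ({"locum"}, "treatment"),
                         ({"trial-monitor"}, "research")]:
        print(who, purpose, [r["id"] + ("*" if r.get("masked") else "") for r in apply_masking(RESOURCES, who, purpose)])
```

With these rules the family doctor sees everything, the locum sees the medication record but neither the psychiatric encounter nor the psychiatric medication, and a trial monitor asking for research purposes sees that a medication record exists but not what it contains.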

FHIR Server

The starting assumption for a FHIR implementation is that there is a FHIR server "in the cloud", and the availability of publicly accessible servers for test purposes has been a huge advantage when considering FHIR as a solution.

How much access control is there in public servers?

However, in practice such a solution must have access control for both writing and reading data.

The question now is how granular that control must be and who takes responsibility for its effectiveness. For example, a hospital has a patient's consent that parts of their records can be released to the investigator on a trial. How does the hospital ensure that, within the CRO running the trial, only the investigator has access and not the trial monitors? Who is liable?

Who manages identity for access?
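One way of answering the investigator-versus-monitor question, as an added example rather than anything the paper specifies: the hospital, as the party that holds the consent, issues each named CRO user a token that states which resource types they may read or write and which trial subjects the release covers, and the FHIR server's gate enforces exactly those claims and records every decision. The scope strings follow the SMART on FHIR "user/<ResourceType>.<read|write>" convention; the token layout, roles, subject ids and audit record are constructed for this illustration, and signature verification of the token is assumed to happen before the gate runs.

```python
from fnmatch import fnmatchcase

# Constructed tokens as the hospital (the data controller) might issue them to named
# CRO staff. Signature verification is assumed to have happened before this gate.
# Scope strings use the SMART on FHIR style "user/<ResourceType>.<read|write>";
# the roles, claims layout and policy are this example's own.
TOKENS = {
    "tok-investigator": {
        "sub": "investigator@cro.example", "role": "investigator",
        "scope": ["user/Observation.read", "user/MedicationStatement.read",
                  "user/QuestionnaireResponse.*"],
        "subjects": {"SUBJ-001", "SUBJ-002"},   # only subjects covered by the consent
    },
    "tok-monitor": {
        "sub": "monitor@cro.example", "role": "monitor",
        # Monitors verify trial data capture; they get no EHR-derived resources.
        "scope": ["user/QuestionnaireResponse.read"],
        "subjects": {"SUBJ-001", "SUBJ-002"},
    },
}

AUDIT = []  # kept by the hospital: the evidence that its control is effective


def scope_permits(scopes, resource_type, action):
    """True if any granted scope covers this resource type and action (wildcards allowed)."""
    needed = f"user/{resource_type}.{action}"
    return any(fnmatchcase(needed, pattern) for pattern in scopes)


def authorize(token_id, action, resource_type, subject_id):
    """Decide one request against the token's claims and record the decision."""
    claims = TOKENS.get(token_id)
    granted = (claims is not None
               and subject_id in claims["subjects"]
               and scope_permits(claims["scope"], resource_type, action))
    AUDIT.append({"who": claims["sub"] if claims else None, "action": action,
                  "type": resource_type, "subject": subject_id, "granted": granted})
    return granted


def handle(token_id, method, resource_type, subject_id):
    """Minimal server gate: HTTP-like status for a request on one subject's resource."""
    if token_id not in TOKENS:
        return 401
    action = "read" if method in ("GET", "HEAD") else "write"
    return 200 if authorize(token_id, action, resource_type, subject_id) else 403


if __name__ == "__main__":
    print(handle("tok-investigator", "GET", "Observation", "SUBJ-001"))   # 200
    print(handle("tok-monitor", "GET", "Observation", "SUBJ-001"))        # 403
    for entry in AUDIT:
        print(entry)
```

Because the token names the individual and the subjects, the hospital can answer the liability question with the audit trail: it can show which CRO user was granted which resource for which subject, and that the monitor was refused EHR-derived data.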