New Zealand Rheumatic Fever FHIR Implementation Guide
0.4.8 - draft

New Zealand Rheumatic Fever FHIR Implementation Guide - Local Development build (v0.4.8) built by the FHIR (HL7® FHIR® Standard) Build Tools. See the Directory of published versions

Consent Based Access Control

Business requirements overview

When registering rheumatic fever patients to coordinate care/treatment, Rheumatic Fever Secondary Prevention Service organisations (aka "Lead Providers") seek each patient's consent to:

  1. Receive treatment for the rheumatic fever condition, and
  2. Collection and sharing of data to coordinate treatment and associated health services.

Each Secondary Prevention Service organisation seeks consent from patients it registers.

As consent is obtained in writing (form) it is typically deferred for practical reasons until the patient's first secondary prophylaxis encounter.

To handle these scenarios, when consent is officially established after the patient is registered (personal data to be entered into RFCCS), the FHIR API allows for a provisional arrangement in which Consent instances are created in a #proposed status, upgraded to #active when the consent is officially recorded.

Opting out / withdrawing consent

A patient cay choose NOT to receive secondary prophylaxis treatment.

A patient can also DECLINE consent to data sharing (outside of Rheumatic Fever Prevention Services).

When patients opt out of treatment and data sharing, Rheumatic Fever Secondary Prevention services retain patient information for service analysis and in case a patient subsequently resumes treatment.

Custodianship of patient health data

The custodian of a rheumatic fever patient's data is the Rheumatic Fever Secondary Prevention Service organisation that registers that patient in RFCCS.

If a patient transfers to another district and so a different Secondary Prevention Service, data custodianship moves accordingly.

Custodian organisations are granted sufficient privilege (OAUTH scope) by HNZ to create and maintain RF records in the FHIR API.

FHIR Consent instances for confirmed patient consentRepresentation of consent when confirmed by patient's signed formPatient data covered by data access provision2Consent to treatment:CONSENTstatus:#ACTIVEscope:#treatmentpolicy: reference to regs/leg.treatment provisiontype:#PERMITperiod:2023-01-21to2026-01-20Consent to collect/share data:CONSENTstatus:#ACTIVEscope:#patient-privacypolicy: reference to regs/leg.data access provisiontype:#PERMITperiod:2023-01-21to2026-01-20«logical reference»NHI patient:PATIENTlogical id: NHI«logical reference»Rheumatic fever prevention service(custodian org):ORGANIZATIONHPI Org Id:GnXnnnplanned appointments, etc.:CAREPLAN meta.tag:#rf-nzcondition severity and specifics:CONDITION meta.tag:#rf-nzappointments:ENCOUNTER                                meta.tag:#rf-nzpreferences, health assessments:QUESTIONNAIRERESPONSE meta.tag:#rf-nzdiagnosis detail:OBSERVATION                          meta.tag:#rf-nz.provision.data.reference2.patient3.organizationHPI org. ref1.patient.provision.organizationHPI org. ref1Notes1. Consent instances identify the data subject in.patientreferences2.Consent.organizationidentifies which org is custodian of the patient data3. All RF instances containing patient data tagged #rf-nz inmeta.tagHealth NZ/Te Whatu Ora. FHIR data model generated on 13/08/2024


FHIR Consent instance data - on-behalf consentRepresentation of patient consent when given on behalf by a related personPatient data covered by data access provision2Consent to treatment:CONSENTstatus:#ACTIVEscope:#treatmentpolicy: reference to regs/leg.treatment provisiontype:#PERMITperiod:2023-01-21to2026-01-20Consent to collect/share data:CONSENTstatus:#ACTIVEscope:#patient-privacypolicy: reference to regs/leg.data access provisiontype:#PERMITperiod:2023-01-21to2026-01-20«contained»person giving consent:RELATEDPERSON4name.given:Berylname.family:Hackettrelationship:#PRN«contained»person giving consent:RELATEDPERSON4name.given:Berylname.family:Hackettrelationship:#PRN«logical reference»NHI patient:PATIENTlogical id: NHI«logical reference»RF Secondary Prevention Service(custodian org):ORGANIZATIONHPI Org Id:GnXnnnplanned appointments, etc.:CAREPLAN meta.tag:#rf-nzcondition severity and specifics:CONDITION meta.tag:#rf-nzappointments:ENCOUNTER                                meta.tag:#rf-nzpreferences, health assessments:QUESTIONNAIRERESPONSE meta.tag:#rf-nzdiagnosis detail:OBSERVATION                          meta.tag:#rf-nz.provision.data.reference2.patient3.organizationHPI org. ref1.performer4.patient.provision.organizationHPI org. ref1.performer4Notes1. Consent instances identify the data subject in.patientreferences2.Consent.organizationidentifies a specificRF Secondary Prevention Servicewhich:    a. Coordinates treatment for patients in that district/region, and    b. Operates the consent process (forms etc.), and    c. Is the custodian of data collected from these patients.3. All RF instances containing patient data tagged #rf-nz inmeta.tag4. Note thatRelatedPersoninstance is contained by AND linked from (via .performer) the Consent instance.Health NZ/Te Whatu Ora. FHIR data model generated on 13/08/2024


Patient opted out from data sharing

FHIR Consent instances for patient opted-out (of treatment / data sharing)Representation of consent denied (or withdrawn) by patientPatient data covered by data access provision2Consent to treatment:CONSENTstatus:#ACTIVEscope:#treatmentpolicy: reference to regs/leg.treatment provisiontype:#PERMITperiod:2023-01-21to2026-01-20Consent to collect/share data:CONSENTstatus:#ACTIVEscope:#patient-privacypolicy: reference to regs/leg.data access permit provisiontype:#DENYperiod:2023-06-23to..«logical reference»NHI patient:PATIENTlogical id: NHI«logical reference»RF Secondary Prevention Service(custodian org):ORGANIZATIONHPI Org Id:GnXnnnplanned appointments, etc.:CAREPLAN meta.tag:#rf-nzcondition severity and specifics:CONDITION meta.tag:#rf-nzappointments:ENCOUNTER                                meta.tag:#rf-nzpreferences, health assessments:QUESTIONNAIRERESPONSE meta.tag:#rf-nzdiagnosis detail:OBSERVATION                          meta.tag:#rf-nz.provision.data.reference2.patient3.organizationHPI org. ref1.patient.provision.organizationHPI org. ref1Notes1. Consent instances identify the data subject in.patientreferences.2.Consent.organizationidentifies which org is custodian of the patient data.3. All RF instances containing patient data tagged #rf-nz inmeta.tag4. FHIR API access rules for instances covered by anopt-outconsents will becontrolled by OAUTH scopes TBDHealth NZ/Te Whatu Ora. FHIR data model generated on 13/08/2024


FHIR Consent instances when patient consent is pendingRepresentation of limited provisional consent when patient's signed form pending but not receivedPatient data covered by temporary data access provision2consent to treatment:CONSENTstatus:#PROPOSEDscope:#treatmentpolicy: reference to regs/leg.treatment provisiontype:#PERMITperiod:2023-01-21to2026-01-20Consent to collect/share data:CONSENTstatus:#PROPOSEDscope:#patient-privacypolicy: reference to regs/leg.data access provisiontype:#PERMITperiod:2023-01-21to2026-01-20«logical reference»NHI patient:PATIENTlogical id: NHI«logical reference»RF Secondary Prevention Service(custodian org):ORGANIZATIONHPI Org Id:GnXnnnplanned appointments, etc.:CAREPLAN meta.tag:#rf-nzcondition severity and specifics:CONDITION meta.tag:#rf-nzappointments:ENCOUNTER                                meta.tag:#rf-nzpreferences, health assessments:QUESTIONNAIRERESPONSE meta.tag:#rf-nzdiagnosis detail:OBSERVATION                          meta.tag:#rf-nz.provision.data.reference2.patient3.organizationHPI org. ref1.patient.provision.organizationHPI org. ref1Notes1. Consent instances identify the data subject in.patientreferences.2.Consent.organizationidentifies which org is custodian of the patient data.3. Start date is when the custodian provisionally-assumes consent to start;End date is empty (provision doesn't expire).4. All RF instances containing patient data tagged #rf-nz inmeta.tag        Health NZ/Te Whatu Ora. FHIR data model generated on 13/08/2024


Data is synchronised between RFCCS and FHIR by integration logic.

In the course of this synchronisation, patient-specific Consent instances are formed in the FHIR API.

  1. Each patient's expressed consent is represented as a pair of FHIR Consent instances
    • scope #patient-privacy (consent to collect/share data)
    • scope #treatment (consent to receive treatment).
  2. Each Consent instance has a provision of type #permit which identifies the patient (by NHI) and defines the period of their consent as a date range.
  3. The data collection/sharing Consent has in its provision a list of FHIR references which identify all the other FHIR resource instances this consent 'covers' (applies to).
  4. The status of the Consent instances can vary:
    • If patient consent has been obtained, the status of the instances is #active
    • If consent is anticipated but not yet obtained, the status of the instances is #proposed (a provisional arrangement)
    • When consent is denied / withdrawn, the status is #active BUT all #permit-type provisions are replaced with #deny-type provisions.
  5. Every consent identifies a performer as the party that is primarily responsible for upholding the policies consented-to. This will identify the Rheumatic Fever Secondary Prevention Service organisation (by HPI org ID).
  6. When consent is provisional, a special extra actor provision is added to the data FHIR Consent instance. This actor identifies a CareTeam whose members are all the Secondary Prevention Service organisations that will have provisional access to data (before consent is officially obtained from the patient).

The API performs consent-based data access control to instances of the following FHIR resources types (includes instances using profiles):

  • Appointment
  • CarePlan
  • Condition
  • Encounter
  • ServiceRequest
  • QuestionnaireResponse
  • Observation
  • Patient
  • Person / RelatedPerson

Every time an API-consuming application interacts with a FHIR resource instance of one of the above types, the API searches to find any Consent instances that refer to that instance:

  • If a valid Consent exists, the FHIR interaction can proceed,
  • If no valid Consent exists, the interaction does not proceed and a 403 Forbidden error is returned,
  • If the resource instance being surfaced is the result of a FHIR Search interaction, it will be redacted from the FHIR search results Bundle unless it is covered by a valid Consent.

When a Consent instance meets the following five criteria, the API allows to the resources it protects:

  1. Has scope Consent.scope = #patient-privacy

  2. Has a #permit provision (not #deny),

  3. Is current (current date must fall within Consent.provision.period start and end dates,

  4. Identifies a Secondary Prevention Service as the custodian of the patient data in Consent.performer,

  5. Identifies a patient as subject (Consent.patient is a logical reference by NHI identifier).

In the case of a provisional consent (Consent status = #proposed) there are two further criteria:

  1. The proposed consent MUST include a provision referencing a CareTeam which identifies the Rheumatic Fever Secondary Prevention Services (as HPI organisation ids) which are custodians of patient data, AND
  2. The health application accessing the FHIR API MUST be using client credentials associated with one of the HPI organisations in the CareTeam (6).

The API returns HTTP 401 Unauthorized or 403 Forbidden errors, depending on the operation being requested.

In FHIR search operations, instances in search results which are not properly covered by consents are REDACTED (are counted as matches, but not included in the results Bundle).

Sometimes patient consent has to be given by a person related to the patient (eg. children).

These scenarios are handled in FHIR using:

  1. A RelatedPerson resource identifying the related party (by name is sufficient) and their relationship to the patient. The RelatedPerson instance can be contained inside the Consent instance, and
  2. An additional Consent.performer[] entry which refers to the RelatedPerson instance.