Can we apply a confidentiality code on a flow?


We encountered a use case where we need to apply a confidentiality code on a flow. For example, to say not only this resource that I’m sending you is “very restricted” but also the audit of this access must be “very restricted”.
Can we use the Category header, like for the Break the glass, to apply a confidentiality level on a flow?
Thanks a lot!


I think what you would do is tag the Bundle. Often a Bundle will be tagged with the high-water mark, that is the most restrictive marks of all that the Bundle contains. This would allow the container (the Bundle) to indicate the overall sensitivity.

This kind of Bundle use, of high-water mark, is common today with CDA, and has been used in FHIR REST Query response Bundles. It would certainly work for FHIR Documents, or FHIR Messages.

Beyond that, can you explain what more you are expecting to need? I am not sure what you are trying to express with the term “on a flow”. I am not sure why you would use a Category header like is described in the break the lass. Can you explain what problem these are trying to solve, and what they actually are?



Thank you John for this response.

The main use case is the following:
A teenage girl goes to a gynecology department for an abortion. She does not want her parents, legal representatives, to see that her medical record has been accessed by a gynecologist.
In general, the patient, or his legal representative, can access (and must be able to access) to the audit trail of his medical record. In our case, we want to indicate what level of confidentiality to apply to the traces of this access. In a context of protection of minors, the girl’s parents should not see the document filed by the gynecologist and should not even see that a gynecologist accessed their daughter’s medical record.



That is a very classic use for confidentiality code of Restricted vs Normal. Each Resource needs to be individually tagged as Restricted. It is not uncommon that only GP or direct treating clinicians can see Restricticted data. Thus all other clinicians, and parents would just see normal data.

As I indicated a Bundle that carries ANY data that is Restricted should have the Bundle.meta marked Restricted. Presumably the Bundle is properly authorized.

Thus you don’t need to do anything with any http headers… unless I have missed something about the interaction that I missed.



Thank you again John,
I may not have been precise enough in the description of the problem.
The confidentiality code must apply to traces generated by this access. Typically it will be carried by of the AuditEvent resource that will log this access. But, to do this, it must be specified somewhere in the request when it is sent.
In addition, we want to make this possible for the logs of any type of query: the AuditEvent that logs, for instance, a search made by the gynecologist, should not be seen by the parents of the girl.
That’s why I thought about HTTP headers …