FHIR support of GDPR

	A	B	C	D
1	FHIR Capability	GDPR	Notes	Comment AM
2	Provenance resource		Where signature is needed
3
4		Art 15		Article 15 "Right of access by the data subject " might fit as well
5	Audit Resouce	Art 19	AuditEvent can be used to record all access/use/disclosure (FiveWs), so can inform a notification
6		Art 15	AuditEvent can be used to record all access/use/disclosure (FiveWs), so can inform a subject of all uses and transfers
7		Art 14	AuditEvent can be used to record all access/use/disclosure (FiveWs), so can inform a subject of all uses and transfers
8	Consent resource	Art 18(2)	Consent resource holds resulting rules of an agreed restriction.
9		Art 13	Consent resource holds resulting rules of an agreed collection activity
10		Art_14	Consent resource holds resulting rules of an agreed collection activity
11		Art 20	Consent resource holds resulting rules of an agreed release of information to an identified target (controller).
12		Art 12	Consent can hold information about information given to the patient	Consent-Category: npp
13		Art 7
14
15	Security-label mechanism in all FHIR Resource definitions (.meta.security)		classification tags that can be applied to any data Resource for the purpose of informing Access Control rules and enforcement
16	Confidentiality classification vocabulary	Art 14(1)(d)	Categories of personal data confidentiality classification
17	Sensitivity classification vocabulary	Art 14(1)(d)	Categories of personal data sensitivity classification
18	PurposeOfUse vocabulary	Art 14(1)(c)	Purpose of activity
19	Compartment classification vocabulary		Activities beyond PurposeOfUse
20	Integrity classification vocabulary		Data quality indicator
21	Handling caveat vocabulary		Rules of handling
22
23	Signature datatype
24	De-Identification	Art 25
25
26	SMART-on-FHIR
27	Sync for Science	Art 20	Provides a mechanism for the patient to authorize an App. Where that App could be another 'controller'
28	IHE-IUA
29	HEART	Art 20	Provides a mechanism for the patient to authorize an App. Where that App could be another 'controller'; HEART is typically used to delegate access to a user who is someone other than the data subject
30
31
32	Open-ID-Connect profile of OAuth
33
34	https Communications security	Art. 32
35
36	ValueSet of PurposeOfUse	Art 30(2)	A valueSet would hold the vocabulary used for these activities. This would not be sufficient to express all of (2), that would likely be standalone policy document.
37	All of FHIR core	Art 20	FHIR is a good API that is proving to be usable by individuals using apps
38	All of FHIR core	Art 15(3)
39	Patient Identity resource		idenity of subject
40	RelatedPerson resource	Art 14(1)(e)	identity of
41			Consent: a term of authorization or forbidance
42	Practitioner resource	Art 14(1)(e)	identities of
43			Consent: a term of authorization or forbidance
44	PractitionerRole resource	Art 14(1)(e)	categories of recipients
45			Consent: a term of authorization or forbidance
46	Group resource
47	Organization resouce	Art 14(1)(e)	identity of
48	Organization resouce	Art 14(1)(a)
49			Consent: a term of authorization or forbidance
50	Location resource		identity of
51			Consent: a term of authorization or forbidance
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100