Compliance with the Standards
EU Data Protection Laws
EU Data Protection Laws
Stronger data protection rules for Europe: the EU adopts the data protection reform package
As of 4 May 2016, the new General Data Protection Regulation (GDPR) has been published by the European Parliament, which will apply from 25 May 2018 updating and modernizing the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights.
While the reform strengthens citizens’ rights by gaining control of one's personal data and ensuring its protection, it introduces a significant extension of liability and compliance obligations to any organization that processes, holds, or owns personal data of European citizens. By May 25th, 2018, organizations that handle personal data in the EU need to have fully implemented the security and privacy principles set in the new GDPR, or face heavy penalties up to 4% of their global annual turnover. The regulation enforces new obligations not only to the data controllers (i.e. who determine why and how personal data are processed) but also to the data processors (who process personal data on behalf of a data controller) unlike the 1995 Data Protection Directive.
How OnFHIR assists you as Data Controllers and Data Processors to meet the requirements of GDPR
OnFHIR addresses the requirements of the new GDPR both as a data processor (as in the case of cloud service), and also as a technology enabler of a data processor (as in the case of on-premise deployment) as follows:
Data protection by design and by default (Article 25)
By its design OnFHIR already puts in place the following measures to implement the data protection principles set in Article 5:
- Data Minimization: OnFHIR supports pseudonymization of patient data to ensure that the data processed is limited to what is necessary in relation to the purposes for which they are processed
- Integrity and Confidentiality: OnFHIR implements the following specific technical
measures to guarantee that the data is processed in a manner that ensures security of
the personal data, including protection against unauthorised or unlawful processing
- Encryption at Rest (optional) & Encryption at transit
- Authentication and Authorization: OpenIDConnect, OAuth (including Smart onFHIR
- Authorization Profile) & UMA Authorization Service
- Accountability: OnFHIR by default audits each operation on personal data to a FHIR based Audit Server (can be configured to a local or a remote Server)
- Though its Authorization and Authentication mechanisms OnFHIR ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Security of processing (Article 32)
OnFHIR already supports:
- The pseudonymisation of personal data
- Encryption at Rest (optional)
- Encryption at Transit
- Standard based mechanisms for Authentication of users and Authorization of data access to ensure confidentiality
- System Availability through its dynamically scalable architecture
- Availability of data through its data replication mechanisms
Lawfulness of Processing, Consent Management & Right to restriction of processing (Article 6, Article 7, Article 18)
OnFHIR Consent based Authorization mechanism allows the Data Controller (on behalf of the data subject) to register informed consents of data subjects, which are then implemented as a set of directly enforceable authorization rules. Similarly, it is possible to withdraw/suspend data subject consent which will be operationalized immediately. All activities, including consent management, are audited, and it is possible to provide respective proofs of consent for each operation automatically in a standard manner.
Right to data portability (Article 20)
OnFHIR fully conforms to HL7 FHIR® specifications (STU3 & DSTU2) and it is readily possible to transfer the personal data as FHIR Resources in a machine-readable format.
Records of processing activities (Article 30)
OnFHIR by default audits each operation on personal data to a FHIR based Audit Server (can be configured to a local or a remote Server)
HIPAA Security&Privacy Rules
HIPAA Security&Privacy Rules
OnFHIR is here to support you to meet the HIPAA Privacy and Security Requirements
Any “covered entity” (including health plans, health care clearinghouses, and health care providers that transmit health care data in a way that is regulated by HIPAA) must comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of “electronic protected health information” (ePHI) that they create, receive, maintain, or transmit. The Security Rule operationalizes the protections contained in the HIPAA Privacy Rule by addressing the technical and nontechnical safeguards that “covered entities” must put in place to secure individuals’ ePHI.
OnFHIR assists your organization as a covered entity to meet the requirements of HIPAA Security Rule by already implementing the following technical safeguard standards set by HIPAA:
Person or Entity Authentication (as requested by § 164.312(d))
OnFHIR implements OpenID Connect on top of the OAuth 2.0 protocol to authenticate users accessing to the repository in cooperation with the Identity Manager operationalized by your organization. Our authentication mechanism is configurable to accept and optionally reinforce the use of selected authentication methods such as password, PIN, security token, smart card or biometric keys as supported by your organization.
Access Control (as requested by § 164.312(a)(1))
OnFHIR already provides support for a role based access control mechanism configured by a set of access control policy rules to enable authorized users to access the minimum necessary information needed based on their roles, and usage context. It is possible to define Emergency Access Policies (as required by § 164.312(a)(2)(ii)) to enable obtaining necessary ePHI during an emergency.
To support access control mechanisms, OpenID Connect standard is implemented to verify the unique identity of the user (as required by § 164.312(a)(2)(i)) in cooperation with the Identity Manager operationalized by your organization in a standard manner. Authorization server is implemented supporting OAuth2.0 (including Smart onFHIR Authorization Profile) & UMA Authorization Service specifications.
Automatic logoff (as required by § 164.312(a)(2)(iii)) is already configured as the default behavior of the repository to terminate the user session after a predetermined time of inactivity.
To increase the resilience of the repository, encryption at rest is already implemented that can be optionally employed in order to protect data from being accessed and viewed by unauthorized users in case of breaches.
Transmission Security§ 164.312(e)(1)
Encryption at transit is the default mode of operation while ePHI is exchanged with external systems (as requested by § 164.312(a)(2)(iv) and 164.312(e)(1)). Integrity controls via digital signatures are implemented to ensure that electronically transmitted ePHI is not improperly modified at transit (as requested by § 164.312(e)(2)(i)).
Integrity (as requested by 164.312(c)(1))
Though the strict authentication and authorization mechanisms supported (as described above), OnFHIR ensures that ePHI managed within the repository has not been altered or destroyed in an unauthorized manner (as requested by § 164.312(c)(2)). Automatic integrity controls have been implemented through digital signatures.
Audit Controls (as requested by § 164.312(b))
OnFHIR by default audits each operation on ePHI to a FHIR based Audit Server (can be configured to a local or a remote Server).
National Laws & Organizational Security & Privacy Policies
National Laws & Organizational Security & Privacy Policies
Through its customizable Authentication, Authorization, access Control and Audit mechanisms, OnFHIR enables you to address additional obligations and liabilities introduced by national Laws, and implement custom organizational security and privacy policies easily.