You focus on your application and can be sure you are complying with EU regulations
The new General Data Protection Regulation (GDPR) was published by the European Parliament on 4 May 2016 and applies from 25 May 2018, updating and modernizing the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights.
While the reform strengthens citizens’ rights by giving them control over their personal data and ensuring its protection, it introduces a significant extension of liability and compliance obligations to any organization that processes, holds, or owns personal data of European citizens. By 25 May 2018, organizations that handle personal data in the EU need to have fully implemented the security and privacy principles set out in the new GDPR, or face heavy penalties of up to 4% of their global annual turnover. Unlike the 1995 Data Protection Directive, the regulation imposes new obligations not only on data controllers (those who determine why and how personal data are processed) but also on data processors (those who process personal data on behalf of a data controller).
OnFHIR addresses the requirements of the new GDPR both as a data processor (as in the case of the cloud service) and as a technology enabler of a data processor (as in the case of an on-premise deployment), as follows:
By its design, OnFHIR already puts in place the following measures to implement the data protection principles set out in Article 5:
OnFHIR already supports:
OnFHIR's consent-based authorization mechanism allows the data controller (on behalf of the data subject) to register the informed consents of data subjects, which are then implemented as a set of directly enforceable authorization rules. Similarly, a data subject's consent can be withdrawn or suspended, and the change takes effect immediately. All activities, including consent management, are audited, and proof of consent for each operation can be provided automatically in a standard manner.
OnFHIR fully conforms to the HL7 FHIR® specifications (STU3 & DSTU2), so personal data can readily be transferred as FHIR Resources in a machine-readable format.
OnFHIR by default audits each operation on personal data to a FHIR-based Audit Server (which can be configured as a local or a remote server).
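The consent-to-rule enforcement and per-operation audit described above, as an added illustration that is not OnFHIR's own code: the consent records, the `Rule` shape, the AuditEvent field subset and the `basedOnConsent` key are simplified assumptions, not an exact FHIR rendering.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Constructed sample consents (simplified; each lets one actor use one resource type
# of one patient for one purpose), not full FHIR Consent resources.
CONSENTS = [
    {"id": "consent-1", "status": "active", "patient": "Patient/p1",
     "actor": "Organization/research", "purpose": "HRESCH", "resourceType": "Observation"},
    {"id": "consent-2", "status": "active", "patient": "Patient/p1",
     "actor": "Practitioner/dr-a", "purpose": "TREAT", "resourceType": "Condition"},
]

@dataclass(frozen=True)
class Rule:
    # One directly enforceable authorization rule derived from an active consent.
    consent_id: str
    patient: str
    actor: str
    purpose: str
    resource_type: str

    def permits(self, actor, purpose, patient, resource_type):
        return (self.actor, self.purpose, self.patient, self.resource_type) == \
            (actor, purpose, patient, resource_type)

class ConsentAuthorizer:
    """Turns registered consents into rules and audits every access decision."""
    def __init__(self, consents):
        self.consents = {c["id"]: dict(c) for c in consents}
        self.audit_log = []  # stands in for the FHIR-based Audit Server

    def rules(self):
        # Only active consents yield rules, so a withdrawal is enforced on the next request.
        return [Rule(c["id"], c["patient"], c["actor"], c["purpose"], c["resourceType"])
                for c in self.consents.values() if c["status"] == "active"]

    def set_consent_status(self, consent_id, status):
        self.consents[consent_id]["status"] = status  # e.g. "inactive" on withdrawal

    def authorize(self, actor, purpose, patient, resource_type):
        proof = [r.consent_id for r in self.rules()
                 if r.permits(actor, purpose, patient, resource_type)]
        permitted = bool(proof)
        # Minimal AuditEvent: action "R" (read), outcome "0" success / "4" minor failure;
        # "basedOnConsent" is an assumed key carrying the consent ids as proof of consent.
        self.audit_log.append({
            "resourceType": "AuditEvent", "action": "R", "outcome": "0" if permitted else "4",
            "recorded": datetime.now(timezone.utc).isoformat(),
            "agent": [{"who": actor, "purposeOfUse": purpose}],
            "entity": [{"what": f"{patient}/{resource_type}"}],
            "basedOnConsent": proof})
        return permitted
```

Every decision, permitted or denied, lands in the audit log with the consent ids that justified it, so a withdrawn consent both blocks access and leaves a record of the refusal.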
Any “covered entity” (including health plans, health care clearinghouses, and health care providers that transmit health care data in a way that is regulated by HIPAA) must comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of “electronic protected health information” (ePHI) that they create, receive, maintain, or transmit. The Security Rule operationalizes the protections contained in the HIPAA Privacy Rule by addressing the technical and nontechnical safeguards that “covered entities” must put in place to secure individuals’ ePHI.
OnFHIR assists your organization, as a covered entity, in meeting the requirements of the HIPAA Security Rule by already implementing the following technical safeguard standards set by HIPAA:
OnFHIR implements OpenID Connect on top of the OAuth 2.0 protocol to authenticate users accessing the repository, in cooperation with the Identity Manager operated by your organization. Our authentication mechanism is configurable to accept, and optionally enforce, selected authentication methods such as password, PIN, security token, smart card or biometric keys, as supported by your organization.
OnFHIR already provides a role-based access control mechanism configured by a set of access control policy rules, so that authorized users can access only the minimum necessary information based on their roles and usage context. It is possible to define Emergency Access Policies (as required by § 164.312(a)(2)(ii)) to enable obtaining necessary ePHI during an emergency.
To support the access control mechanisms, the OpenID Connect standard is implemented to verify the unique identity of each user (as required by § 164.312(a)(2)(i)), in cooperation with the Identity Manager operated by your organization, in a standard manner. An authorization server supporting OAuth 2.0 (including the SMART on FHIR authorization profile) and the UMA authorization service specification is also implemented.
Automatic logoff (as required by § 164.312(a)(2)(iii)) is already configured as the default behavior of the repository to terminate the user session after a predetermined time of inactivity.
To increase the resilience of the repository, encryption at rest is already implemented and can optionally be enabled to protect data from being accessed and viewed by unauthorized users in case of a breach.
Encryption in transit is the default mode of operation while ePHI is exchanged with external systems (as required by § 164.312(a)(2)(iv) and § 164.312(e)(1)). Integrity controls via digital signatures are implemented to ensure that electronically transmitted ePHI is not improperly modified in transit (as required by § 164.312(e)(2)(i)).
Through the strict authentication and authorization mechanisms described above, OnFHIR ensures that ePHI managed within the repository is not altered or destroyed in an unauthorized manner (as required by § 164.312(c)(2)). Automatic integrity controls are implemented through digital signatures.
OnFHIR by default audits each operation on ePHI to a FHIR-based Audit Server (which can be configured as a local or a remote server).
Through its customizable authentication, authorization, access control and audit mechanisms, OnFHIR enables you to address additional obligations and liabilities introduced by national laws, and to implement custom organizational security and privacy policies easily.