This page is part of the FHIR Specification (v4.0.1: R4; v4.3.0: R4B - Mixed Normative and STU) in its permanent home (it will always be available at this URL). The current version, which supersedes this version, is 5.0.0. For a full list of available versions, see the Directory of published versions.
FHIR Infrastructure Work Group | Maturity Level: 0 | Informative | Use Context: Any |
This is a value set defined by the FHIR project.
Summary
| Defining URL: | http://hl7.org/fhir/ValueSet/resource-security-category |
| Version: | |
| Name: | ResourceSecurityCategory |
| Title: | |
| Definition: | |
| Committee: | FHIR Infrastructure Work Group |
| OID: | 2.16.840.1.113883.4.642.3.1403 (for OID based terminology systems) |
| Source Resource | XML / JSON |
This value set is used in the following places:
http://terminology.hl7.org/CodeSystem/resource-security-category
http://hl7.org/fhir/resource-security-category
This expansion generated 01 Nov 2019 / 28 May 2022
This value set contains 5 concepts
Expansion based on http://terminology.hl7.org/CodeSystem/resource-security-category version 4.0.1 / Resource Security Category code system v4.3.0 (CodeSystem)
All codes in this table are from the system http://terminology.hl7.org/CodeSystem/resource-security-category / http://hl7.org/fhir/resource-security-category
| Code | Display | Definition |
| anonymous | Anonymous READ Access Resource | These resources tend to not contain any individual data, or business sensitive data. Most often these Resources will be available for anonymous access, meaning there is no access control based on the user or system requesting. However these Resources do tend to contain important information that must be authenticated back to the source publishing them, and protected from integrity failures in communication. For this reason server authenticated https (TLS) is recommended to provide authentication of the server and integrity protection in transit. This is normal web-server use of https. |
| business | Business Sensitive Resource | These Resources tend to not contain any individual data, but do have data that describe business or service sensitive data. The use of the term Business is not intended to only mean an incorporated business, but rather the more broad concept of an organization, location, or other group that is not identifiable as individuals. Often these resources will require some form of client authentication to assure that only authorized access is given. The client access control may be to individuals, or may be to system identity. Possible client authentication methods for this purpose include: mutual-authenticated-TLS, APIKey, App signed JWT, or App OAuth client-id JWT. For example: an App that uses a Business protected Provider Directory to determine other business endpoint details. |
| individual | Individual Sensitive Resource | These Resources do NOT contain Patient data, but do contain individual information about other participants. These other individuals are Practitioners, |
| patient | Patient Sensitive | These Resources make up the bulk of FHIR and therefore are the most commonly understood. These Resources contain highly sensitive health information, or are closely linked to highly sensitive health information. These Resources will often use the security labels to differentiate various confidentiality levels within this broad group of Patient Sensitive data. Access to these Resources often requires a declared Purpose Of Use. Access to these Resources is often controlled by a Privacy Consent. |
| not-classified | Not classified | Some Resources can be used for a wide scope of use-cases that span very sensitive to very non-sensitive. These Resources do not fall into any of the above classifications, as their sensitivity is highly variable. These Resources will need special handling. These Resources often contain metadata that describes the content in a way that can be used for Access Control decisions. |
See the full registry of value sets defined as part of FHIR.
Explanation of the columns that may appear on this page:
| Lvl | A few code lists that FHIR defines are hierarchical - each code is assigned a level. For value sets, levels are mostly used to organize codes for user convenience, but may follow code system hierarchy - see Code System for further information |
| Source | The source of the definition of the code (when the value set draws in codes defined elsewhere) |
| Code | The code (used as the code in the resource instance). If the code is in italics, this indicates that the code is not selectable ('Abstract') |
| Display | The display (used in the display element of a Coding ). If there is no display, implementers should not simply display the code, but map the concept into their application |
| Definition | An explanation of the meaning of the concept |
| Comments | Additional notes about how to use the code |