Secondary Use FHIR Server Implementation Guide
0.1.0 - ci-build

Privacy Modes

Modes

The adapter has two modes:

Mode            Behavior
pseudonymized   Rewrites patient IDs and patient references, removes direct Patient fields, and shifts dates
minimized       Applies the pseudonymized transform, then keeps only a compact analytical field set per resource type

If mode is omitted, the adapter defaults to pseudonymized, so there is no accepted request form that returns unmodified source data.

Any other value is rejected with an OperationOutcome and HTTP 400.

Pseudonymization

Patient IDs are replaced with stable IDs of the form:

pat-{16 hex characters}

The value is derived from the configured salt and the original local patient ID. Because the derivation is deterministic, the same salt and ID always yield the same pseudonym, which is what keeps references consistent across resources and across runs. It also means that anyone holding the salt can recompute the mapping for any known local ID: the salt is effectively the re-identification key and must be protected as one.

References to patients are rewritten consistently:

Patient/patient-001 -> Patient/pat-...

The transform rewrites patient references in the following elements; patient references held in other elements are not covered:

  • Condition.subject
  • Observation.subject
  • MedicationRequest.subject
  • MedicationStatement.subject
  • Procedure.subject
  • AllergyIntolerance.patient
  • Provenance.target
  • Encounter.subject

Removed Patient Fields

The pseudonymized and minimized policies remove direct Patient fields:

  • identifier
  • name
  • telecom
  • address
  • contact
  • photo

The generated source data may carry fake BSNs, names, telecom, address, general practitioner (generalPractitioner) and managing organization (managingOrganization) details. The six elements listed above are removed from adapter output in both modes. Note that generalPractitioner and managingOrganization are not in that removal list, so their removal in pseudonymized mode is not covered by this page; the minimized field set, which keeps only id, gender and birthDate on Patient, does drop them.

Date Shifting

Dates are shifted by a deterministic patient-specific offset between -15 and +15 days.

The offset is derived from:

  • configured salt
  • original patient ID where available
  • a global fallback for resources where no patient can be resolved

The shift applies to date-only and date-time strings that begin with YYYY-MM-DD, plus selected HAPI date fields such as recorded and issued dates. Values with only year or month precision (for example 2019 or 2019-03) do not match that rule and are left unchanged.

Because every resource of one patient uses the same offset, intervals between that patient's events are preserved, which is what keeps the output analytically useful; the flip side is that a single real date learned out of band re-aligns all of that patient's dates. Resources that fall back to the global offset generally do not share the patient's offset, so intervals between them and the patient's resources are not preserved. The aim is local repeatability with reduced direct temporal identifiability; this is not a certified anonymization method.
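The following Python is an added, runnable illustration of the pseudonymized policy described in this section and the two preceding ones (pseudonym derivation, reference rewriting, removal of direct Patient fields, date shifting); it is not the adapter's code. The page fixes the output format, the inputs to the derivation and the offset range, but not the derivation function itself, so HMAC-SHA256 over the salt and the local ID is an assumption here, as are the placeholder salt, the "__global__" fallback label, and the choice to shift every string that begins with a date rather than a named set of HAPI fields. The sample resources are constructed fake data.

```python
import hashlib
import hmac
import json
import re
from datetime import date, timedelta
from typing import Optional

# Assumption: the page names the inputs (configured salt, original local patient ID) but not
# the function, so HMAC-SHA256 stands in here. The salt below is a placeholder, not a real value.
SALT = b"example-salt-do-not-use-in-production"

# Elements the page lists as carrying rewritten patient references.
PATIENT_REF_FIELDS = {
    "Condition": "subject", "Observation": "subject", "MedicationRequest": "subject",
    "MedicationStatement": "subject", "Procedure": "subject",
    "AllergyIntolerance": "patient", "Provenance": "target", "Encounter": "subject",
}
REMOVED_PATIENT_FIELDS = ("identifier", "name", "telecom", "address", "contact", "photo")
DATE_PREFIX = re.compile(r"^(\d{4})-(\d{2})-(\d{2})")

def pseudonym(patient_id: str, salt: bytes = SALT) -> str:
    """Stable 'pat-' + 16 hex characters for a given salt and original local patient ID."""
    return "pat-" + hmac.new(salt, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def day_offset(patient_id: Optional[str], salt: bytes = SALT) -> int:
    """Deterministic offset in [-15, +15]: per patient, or a global fallback when none resolves."""
    key = patient_id if patient_id is not None else "__global__"  # fallback label is an assumption
    digest = hmac.new(salt, ("offset:" + key).encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 31 - 15

def shift_date_string(value: str, offset: int) -> str:
    """Shift a string that begins with YYYY-MM-DD, keeping any time/zone suffix; pass others through."""
    m = DATE_PREFIX.match(value)
    if not m:
        return value  # year- or month-precision values ("2019", "2019-03") are not shifted by the rule
    shifted = date(int(m[1]), int(m[2]), int(m[3])) + timedelta(days=offset)
    return shifted.isoformat() + value[m.end():]

def _refs(resource: dict, field: Optional[str]) -> list:
    # Reference objects held in `field`; Provenance.target is a list, the others are single.
    value = resource.get(field) if field else None
    return [] if value is None else (value if isinstance(value, list) else [value])

def resolve_patient_id(resource: dict) -> Optional[str]:
    """Original local patient ID behind this resource, or None when no patient can be resolved."""
    if resource.get("resourceType") == "Patient":
        return resource.get("id")
    for ref in _refs(resource, PATIENT_REF_FIELDS.get(resource.get("resourceType"))):
        target = ref.get("reference", "")
        if target.startswith("Patient/"):
            return target.split("/", 1)[1]
    return None

def _shift_dates(node, offset: int):
    # Walk the JSON tree and shift every string that begins with a date (assumption, see lead-in).
    if isinstance(node, dict):
        return {k: _shift_dates(v, offset) for k, v in node.items()}
    if isinstance(node, list):
        return [_shift_dates(v, offset) for v in node]
    return shift_date_string(node, offset) if isinstance(node, str) else node

def pseudonymize(resource: dict, salt: bytes = SALT) -> dict:
    """The pseudonymized policy: rewrite IDs and references, strip direct Patient fields, shift dates."""
    out = json.loads(json.dumps(resource))      # deep copy so the caller's input is untouched
    original_pid = resolve_patient_id(out)      # resolve before rewriting: the offset keys on it
    if out.get("resourceType") == "Patient":
        for field in REMOVED_PATIENT_FIELDS:
            out.pop(field, None)
        if original_pid is not None:
            out["id"] = pseudonym(original_pid, salt)
    for ref in _refs(out, PATIENT_REF_FIELDS.get(out.get("resourceType"))):
        target = ref.get("reference", "")
        if target.startswith("Patient/"):
            ref["reference"] = "Patient/" + pseudonym(target.split("/", 1)[1], salt)
    return _shift_dates(out, day_offset(original_pid, salt))

# Constructed sample input: fake data, not taken from the page or from any real system.
SAMPLE_RESOURCES = [
    {"resourceType": "Patient", "id": "patient-001", "gender": "female", "birthDate": "1970-05-04",
     "identifier": [{"system": "http://fhir.nl/fhir/NamingSystem/bsn", "value": "123456782"}],
     "name": [{"family": "Jansen", "given": ["Anna"]}],
     "generalPractitioner": [{"reference": "Practitioner/gp-1"}]},
    {"resourceType": "Observation", "id": "obs-1", "status": "final",
     "subject": {"reference": "Patient/patient-001"},
     "effectiveDateTime": "2024-03-10T09:30:00+01:00", "issued": "2024-03-10T10:00:00Z"},
    {"resourceType": "Condition", "id": "cond-1", "subject": {"reference": "Patient/patient-001"},
     "onsetDateTime": "2024-03", "recordedDate": "2024-03-12"},
    {"resourceType": "Provenance", "id": "prov-1", "recorded": "2024-03-12T08:00:00Z",
     "target": [{"reference": "Patient/patient-001"}, {"reference": "Observation/obs-1"}]},
]

def run_sample() -> list:
    """Apply the policy to every constructed sample resource."""
    return [pseudonymize(r) for r in SAMPLE_RESOURCES]
```

Calling run_sample() shows the behaviours the text describes: the Observation, Condition and Provenance dates move by the same offset as the Patient's birthDate because all of them resolve to patient-001, so their mutual intervals survive; the month-precision onsetDateTime is untouched; the reference to Observation/obs-1 in Provenance.target is left alone because only patient references are rewritten; and generalPractitioner survives on the Patient because it is not in the removal list.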

Minimized Field Set

The minimized policy keeps only the fields needed for compact analytical exports. The kept elements are top-level elements and are retained whole, so free text nested inside them (for example CodeableConcept.text, Annotation.text in reaction.note, or AllergyIntolerance.reaction.description) is not removed by this policy.

Resource             Kept fields
Patient              id, gender, birthDate
Condition            id, subject, code, clinicalStatus, verificationStatus, onsetDateTime, recordedDate
Observation          id, subject, status, category, code, effectiveDateTime, issued, valueQuantity, valueCodeableConcept, interpretation
MedicationRequest    id, subject, status, intent, medicationCodeableConcept, authoredOn, reasonCode, reasonReference
MedicationStatement  id, subject, status, medicationCodeableConcept, effectiveDateTime, dateAsserted, reasonCode, reasonReference
Procedure            id, subject, status, code, performedDateTime, reasonReference
AllergyIntolerance   id, patient, clinicalStatus, verificationStatus, code, onsetDateTime, reaction
Provenance           id, target, recorded, activity, agent
Encounter            id, subject, status, class, type, period
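As an added example (not the adapter's code), the Python below applies the whitelist from the table above and then audits what survives: it reports the dropped top-level elements and lists the free-text strings that remain inside kept elements, which is the check a reviewer would want before an export leaves the boundary. Two choices are assumptions of this example rather than statements from the page: resourceType is kept in addition to the listed fields, because a FHIR JSON resource is not valid without it, and resource types with no row in the table are rejected rather than passed through. The sample resource is constructed fake data shaped like pseudonymized output.

```python
from typing import Any, List, Tuple

# The minimized field set from the table above. resourceType is kept as well: the table does not
# list it, but a FHIR JSON resource is not valid without it (assumption made by this example).
MINIMIZED_FIELDS = {
    "Patient": {"id", "gender", "birthDate"},
    "Condition": {"id", "subject", "code", "clinicalStatus", "verificationStatus", "onsetDateTime", "recordedDate"},
    "Observation": {"id", "subject", "status", "category", "code", "effectiveDateTime", "issued",
                    "valueQuantity", "valueCodeableConcept", "interpretation"},
    "MedicationRequest": {"id", "subject", "status", "intent", "medicationCodeableConcept", "authoredOn",
                          "reasonCode", "reasonReference"},
    "MedicationStatement": {"id", "subject", "status", "medicationCodeableConcept", "effectiveDateTime",
                            "dateAsserted", "reasonCode", "reasonReference"},
    "Procedure": {"id", "subject", "status", "code", "performedDateTime", "reasonReference"},
    "AllergyIntolerance": {"id", "patient", "clinicalStatus", "verificationStatus", "code", "onsetDateTime", "reaction"},
    "Provenance": {"id", "target", "recorded", "activity", "agent"},
    "Encounter": {"id", "subject", "status", "class", "type", "period"},
}
# Element names that hold free text inside otherwise coded elements: CodeableConcept.text,
# Annotation.text (e.g. in reaction.note) and AllergyIntolerance.reaction.description.
FREE_TEXT_KEYS = {"text", "description"}


def minimize(resource: dict) -> Tuple[dict, List[str]]:
    """Apply the whitelist; return (minimized resource, sorted names of dropped top-level elements).

    Resource types without a row in the table are rejected rather than passed through,
    which is the fail-closed default for a privacy boundary (a design choice of this example).
    """
    rt = resource.get("resourceType")
    if rt not in MINIMIZED_FIELDS:
        raise ValueError(f"no minimized field set for resourceType {rt!r}")
    keep = MINIMIZED_FIELDS[rt] | {"resourceType"}
    kept = {k: v for k, v in resource.items() if k in keep}
    dropped = sorted(k for k in resource if k not in keep)
    return kept, dropped


def find_free_text(node: Any, path: str = "") -> List[Tuple[str, str]]:
    """Walk a (minimized) resource and list (path, value) for free-text strings that survived."""
    hits: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in FREE_TEXT_KEYS and isinstance(value, str):
                hits.append((child, value))
            else:
                hits.extend(find_free_text(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_free_text(value, f"{path}[{i}]"))
    return hits


# Constructed sample (fake data) shaped like output of the pseudonymized policy.
SAMPLE_ALLERGY = {
    "resourceType": "AllergyIntolerance", "id": "allergy-1",
    "patient": {"reference": "Patient/pat-0123456789abcdef"},
    "clinicalStatus": {"coding": [{"system": "http://terminology.hl7.org/CodeSystem/allergyintolerance-clinical",
                                   "code": "active"}]},
    "code": {"coding": [{"system": "http://snomed.info/sct", "code": "91936005"}], "text": "Penicillin allergy"},
    "encounter": {"reference": "Encounter/enc-7"},
    "recorder": {"reference": "Practitioner/gp-1"},
    "lastOccurrence": "2024-02-01",
    "reaction": [{"manifestation": [{"coding": [{"system": "http://snomed.info/sct", "code": "271807003"}]}],
                  "description": "Rash after a dose given by Dr. de Vries at home",
                  "note": [{"text": "Patient's daughter called the practice"}]}],
}


def audit_sample() -> dict:
    """Minimize the constructed sample and report what was dropped and what free text remains."""
    kept, dropped = minimize(SAMPLE_ALLERGY)
    return {"kept": kept, "dropped": dropped, "free_text": find_free_text(kept)}
```

On the sample, audit_sample() drops encounter, recorder and lastOccurrence, and still flags three free-text values inside the kept code and reaction elements, including a clinician's name and a relative's role. That is the gap the whitelist alone does not close: an export pipeline needs a separate decision (strip, review, or accept) for free text held within kept elements.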

Privacy Boundary

Both modes are meant for prototype evaluation of a secondary-use adapter boundary.

The adapter does not implement:

  • consent filtering
  • user authorization
  • audit trails
  • k-anonymity or differential privacy
  • formal re-identification risk scoring
  • legal or clinical certification