Secondary Use FHIR Server Implementation Guide
0.1.0 - ci-build
Publish Box goes here
The adapter has two modes:
| Mode | Behavior |
|---|---|
pseudonymized |
Rewrites patient IDs and references, removes direct Patient fields, and shifts dates |
minimized |
Runs pseudonymized, then keeps only a compact analytical field set per resource type |
If mode is omitted, the adapter uses pseudonymized.
Any other value returns an OperationOutcome with HTTP 400.
Patient IDs are replaced with stable IDs of the form:
pat-{16 hex characters}
The value is derived from the configured salt and original local patient ID.
References to patients are rewritten consistently:
Patient/patient-001 -> Patient/pat-...
The transform covers patient references in:
Condition.subjectObservation.subjectMedicationRequest.subjectMedicationStatement.subjectProcedure.subjectAllergyIntolerance.patientProvenance.targetEncounter.subjectThe pseudonymized and minimized policies remove direct Patient fields:
identifiernametelecomaddresscontactphotoThe generated source may include fake BSN, names, telecom, address, GP, and managing organization details. These are intentionally removed from adapter output.
Dates are shifted by a deterministic patient-specific offset between -15 and +15 days.
The offset is derived from:
The shift applies to date-only and date-time strings beginning with YYYY-MM-DD, plus selected HAPI date fields such as recorded dates and issued dates.
The point is local repeatability with reduced direct temporal identifiability. It is not a certified anonymization method.
The minimized policy keeps only fields needed for compact analytical exports.
| Resource | Kept fields |
|---|---|
Patient |
id, gender, birthDate |
Condition |
id, subject, code, clinicalStatus, verificationStatus, onsetDateTime, recordedDate |
Observation |
id, subject, status, category, code, effectiveDateTime, issued, valueQuantity, valueCodeableConcept, interpretation |
MedicationRequest |
id, subject, status, intent, medicationCodeableConcept, authoredOn, reasonCode, reasonReference |
MedicationStatement |
id, subject, status, medicationCodeableConcept, effectiveDateTime, dateAsserted, reasonCode, reasonReference |
Procedure |
id, subject, status, code, performedDateTime, reasonReference |
AllergyIntolerance |
id, patient, clinicalStatus, verificationStatus, code, onsetDateTime, reaction |
Provenance |
id, target, recorded, activity, agent |
Encounter |
id, subject, status, class, type, period |
This mode is meant for prototype evaluation of a secondary-use adapter boundary.
It does not implement: