Configuring Privacy Controls

Last updated 1 year ago

This article documents and uses features of SanteDB 3.0. The implementation of these features on previous versions of SanteDB may be partial and/or missing.

All SanteDB solutions (SanteMPI, SanteEMR, and SanteIMS) are designed to support adherence to a variety of privacy controls which can be used by implementers to conform to local privacy legislation such as:

  • The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

  • The General Data Protection Regulation (GDPR)

Because SanteDB provides a platform for the implementation of many different use cases in many different legislative environments, it is the responsibility of implementers to properly configure the necessary controls in the SanteDB product to match their use case. This article provides brief guidance on how such configurations are made to the underlying privacy control system using legislatively agnostic terminology.

Accountability

When deploying SanteDB and its related software, be sure to appoint a member on your team (or establish a team) which is accountable for assessing the compliance of your SanteDB implementation with the local privacy legislation. Specifically:

  • Develop and Document Personal Information Policies and Practices

  • Develop a Privacy Management Programme/Procedures

  • Complete a Privacy Impact Assessment and identify:

    • What information is required to be collected?

    • How is the information to be collected?

    • What is the information used for?

    • How is the information secured?

    • Which users have access to the information?

    • What third parties is the information shared with?

    • What are the policies/timelines for retaining and disposing of the information?

  • Develop and document procedures for:

    • Informing Patients, Providers and other stakeholders of the use of their personal data.

    • Obtaining informed consent of the individuals whose data is used and stored in SanteDB

    • Ensuring that information collected is current and up to date.

    • Investigating breaches, and fielding requests for investigations, inquiries and requests for access to private information (from authorities, patients, etc.)

    • Training employees and staff members on the privacy procedures and policies being implemented.

All of these assets should be made publicly available to patients, providers and staff members who will interact with your deployment of SanteDB.

Identify Purpose, Limiting Collection, Disclosure and Retention of Data

SanteDB is a generic CDR which can store an almost unlimited number of data fields related to Patients, Providers, Locations, Staff Members, etc. However, not all of this data is used in every context. For example, using SanteIMS as an EIR will have different uses and needs for collecting data than SanteMPI as a national patient index.

Implementing a limitation on the collection of data in SanteDB begins with reviewing the data requirements of your project and reviewing the SanteDB Conceptual Information Architecture. After determining the necessary fields, you should decide:

  • Do we need to collect this information for internal use? (for example, matching or notifications)

  • If we collect this data, what do we need to do to safeguard it? (for example, encrypting it or restricting disclosure)

  • If we collect this data, how long does it remain active?

Limiting Data Collection

For information in the conceptual information model which will not be used, the SanteDB configuration needs to be updated to restrict the use of the fields in question. This is done by editing the santedb.config.xml file on the iCDR server, using either the Configuration Tool or editing the file directly.

The App Settings are used to change the behavior of data collection. These settings will:

  • Reject any message which contains the restricted data fields listed, regardless of where or how the data entered the CDR (FHIR, HL7, etc.)

  • Hide any inputs on the user interface which are used to collect this information

The Action column describes what each setting does when set to TRUE in the configuration:

  • Forbid: the data field is permitted and stored by default; when the setting is enabled, the information is forbidden:

    • Requests to register or update the data result in a rejection of the message

    • User interface elements to collect the data disappear

  • Allow: the data field is forbidden by default; when the setting is enabled, the information is allowed:

    • Requests to register or update the data will not result in a rejection message

    • User interface elements to collect the data will appear.

Setting | Data Field | Action
forbid.patient.name.family | Patient Family Names | Forbid
forbid.patient.name.given | Patient Given Names | Forbid
forbid.patient.name.prefix | Patient Name Prefixes (Mr, Mrs, etc.) | Forbid
forbid.patient.name.suffix | Patient Name Suffixes (Jr, Sr, etc.) | Forbid
forbid.patient.address.state | Patient Addresses with State information | Forbid
forbid.patient.address.county | Patient Addresses with County information | Forbid
forbid.patient.address.city | Patient Addresses with City information | Forbid
forbid.patient.address.precinct | Patient Addresses with Precinct information | Forbid
forbid.patient.address.street | Patient Addresses with Street information | Forbid
forbid.patient.address.postalcode | Patient Addresses with PostalCode information | Forbid
allow.patient.religion | Patient Religious Affiliation | Allow
allow.patient.ethnicity | Patient Ethnic Group | Allow
allow.patient.livingArrangement | Patient Living Arrangement (Alone, Ward of State, Orphan, etc.) | Allow
allow.patient.maritalStatus | Patient Marital Status (Single, Married, Divorced, etc.) | Allow
allow.patient.educationLevel | Patient Education Level | Allow
forbid.person.occupation | Patient, Provider, or Relative's Occupation | Forbid
forbid.person.gender | Patient, Provider or Relative's Administrative Gender | Forbid
forbid.person.vipStatus | Patient, Provider or Relative's VIP status | Forbid
forbid.person.nationality | Patient, Provider or Relative's Nationality | Forbid

Propagation to dCDR Instances

The settings listed above can be propagated to dCDR instances by populating the <publicSettings> element in the AmiConfigurationSection:

<section xsi:type="AmiConfigurationSection">
    <welcomeMessage>Welcome to SanteMPI</welcomeMessage>
    <publicSettings>
      <add key="allow.patient.maritalStatus" value="true" />
      <!-- further allow.* / forbid.* settings to propagate to dCDR instances -->
    </publicSettings>
</section>

This can also be set using the Configuration Tool by navigating to Messaging > Administrative Management Interface.

In Configuration Tool

To configure these settings in the configuration tool, navigate to the Settings Editor tab and select ApplicationServiceContextConfigurationSection and expand App Settings.

Then, enter each setting as a new entry and set the value to true or false as illustrated.

Configuration File

The information can be updated in the configuration file in the <section xsi:type="ApplicationServiceContextConfigurationSection"> element:

<section xsi:type="ApplicationServiceContextConfigurationSection" 
    allowUnsignedAssemblies="true" threadPoolSize="4">
  <serviceProviders>
    <!-- Service Provider Lines -->
  </serviceProviders>
  <appSettings>
    <add key="allow.patient.maritalStatus" value="true" />
    <add key="allow.patient.ethnicity" value="false" />
    <add key="allow.patient.educationLevel" value="true" />
    <add key="allow.patient.livingArrangement" value="true" />
    <add key="allow.patient.religion" value="true" />
  </appSettings>
</section>
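A misspelled key in appSettings matches no documented setting and is silently ignored, so the field keeps its default behaviour; a setting that is applied on the iCDR but not propagated through publicSettings leaves the dCDR user interface collecting data the iCDR will reject. The following is an added example (not part of SanteDB or its documentation) that reads both elements from a santedb.config.xml, reports unknown keys, lists what the iCDR will collect, and flags fields on which iCDR and dCDR disagree. The root element name, the santedb.org namespace and the embedded sample configuration are assumptions; the default-state rule (forbid.* collected unless true, allow.* forbidden unless true) follows the Action column above.

```python
"""Audit the privacy-control app settings in a SanteDB santedb.config.xml.

Added example for this page; not part of SanteDB. It reads the <appSettings>
of the ApplicationServiceContextConfigurationSection (iCDR behaviour) and the
<publicSettings> of the AmiConfigurationSection (what is propagated to dCDR
instances) and reports misspelled keys, the effective collection state of each
documented field, and fields on which iCDR and dCDR would disagree.
"""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# The settings documented in the table above (labels abbreviated). forbid.*
# fields are collected unless the setting is true; allow.* fields are
# forbidden unless the setting is true.
KNOWN_SETTINGS = {
    "forbid.patient.name.family": "Patient Family Names",
    "forbid.patient.name.given": "Patient Given Names",
    "forbid.patient.name.prefix": "Patient Name Prefixes",
    "forbid.patient.name.suffix": "Patient Name Suffixes",
    "forbid.patient.address.state": "Patient Addresses with State information",
    "forbid.patient.address.county": "Patient Addresses with County information",
    "forbid.patient.address.city": "Patient Addresses with City information",
    "forbid.patient.address.precinct": "Patient Addresses with Precinct information",
    "forbid.patient.address.street": "Patient Addresses with Street information",
    "forbid.patient.address.postalcode": "Patient Addresses with PostalCode information",
    "allow.patient.religion": "Patient Religious Affiliation",
    "allow.patient.ethnicity": "Patient Ethnic Group",
    "allow.patient.livingArrangement": "Patient Living Arrangement",
    "allow.patient.maritalStatus": "Patient Marital Status",
    "allow.patient.educationLevel": "Patient Education Level",
    "forbid.person.occupation": "Person Occupation",
    "forbid.person.gender": "Person Administrative Gender",
    "forbid.person.vipStatus": "Person VIP Status",
    "forbid.person.nationality": "Person Nationality",
}

# Constructed sample configuration (root element and namespace are assumed,
# not taken from a real deployment). Note the misspelled key
# allow.patient.martialStatus and that only one setting is propagated to
# dCDR instances through <publicSettings>.
SAMPLE_CONFIG = """<SanteDBConfiguration xmlns="http://santedb.org/configuration"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <section xsi:type="ApplicationServiceContextConfigurationSection">
    <appSettings>
      <add key="allow.patient.martialStatus" value="true" />
      <add key="allow.patient.ethnicity" value="false" />
      <add key="allow.patient.educationLevel" value="true" />
      <add key="forbid.patient.address.street" value="True" />
    </appSettings>
  </section>
  <section xsi:type="AmiConfigurationSection">
    <publicSettings>
      <add key="allow.patient.educationLevel" value="true" />
    </publicSettings>
  </section>
</SanteDBConfiguration>"""


def _local(tag):
    """Strip an XML namespace so matching works with or without a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def _as_bool(value):
    return (value or "").strip().lower() in ("true", "1", "yes")


def load_privacy_settings(config_xml):
    """Return (icdr_settings, dcdr_settings) as {key: bool} dictionaries."""
    root = ET.fromstring(config_xml)
    containers = {
        "ApplicationServiceContextConfigurationSection": ("appSettings", {}),
        "AmiConfigurationSection": ("publicSettings", {}),
    }
    for section in root.iter():
        if _local(section.tag) != "section":
            continue
        entry = containers.get(section.get(XSI_TYPE))
        if entry is None:
            continue
        wanted, target = entry
        for node in section.iter():
            if _local(node.tag) == wanted:
                for add in node:
                    if _local(add.tag) == "add" and add.get("key"):
                        target[add.get("key")] = _as_bool(add.get("value"))
    return (containers["ApplicationServiceContextConfigurationSection"][1],
            containers["AmiConfigurationSection"][1])


def effective_collection(settings):
    """Map each documented field to True if it may be collected, else False."""
    state = {}
    for key, field in KNOWN_SETTINGS.items():
        enabled = settings.get(key, False)
        state[field] = (not enabled) if key.startswith("forbid.") else enabled
    return state


def audit_privacy_config(config_xml):
    """Produce the findings a reviewer would want to see before go-live."""
    icdr, dcdr = load_privacy_settings(config_xml)
    icdr_state = effective_collection(icdr)
    dcdr_state = effective_collection(dcdr)
    return {
        # A misspelled key never matches a documented setting, so the field
        # silently keeps its default (here marital status stays forbidden).
        "unknown_keys": sorted(k for k in set(icdr) | set(dcdr)
                               if k not in KNOWN_SETTINGS),
        "collected_on_icdr": sorted(f for f, ok in icdr_state.items() if ok),
        # Fields the iCDR rejects but the dCDR user interface would still
        # collect (or vice versa) because the setting was not propagated.
        "dcdr_mismatch": sorted(f for f in icdr_state
                                if icdr_state[f] != dcdr_state[f]),
    }


if __name__ == "__main__":
    for name, finding in audit_privacy_config(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```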

Limiting Concept Sets

Another method of limiting the data collection is the restriction of individual codified fields. For example, a deployment may wish to allow the collection of a person's occupation (the default setting, or forbid.person.occupation=false) but restrict the collection to two categories used for eligibility determination. To do this, the Concept Set Editor can be used to edit the members of the concept set to only those required in the deployment. The concept set bindings for the data fields above are as follows:

Field | Concept Set
Patient Marital Status | MaritalStatus
Patient Religious Affiliation | Religion
Patient Living Arrangement | LivingArrangement
Patient Education Level | EducationLevel
Patient Ethnicity | Ethnicity
Person Occupation | OccupationType
Person Administrative Gender | AdministrativeGenderCode
Person VIP Status | VeryImportantPersonStatus

Limiting Data Disclosure

As documented in the SanteDB Privacy Architecture article, SanteDB can limit the disclosure of data from the CDR to clients who lack the appropriate policies. Configuring this privacy guard involves the following steps:

  1. Create policies, using the Administration Console's Policy editor or the Administration Panel's Policy Manager, which represent the disclosure policies.

  2. Create a business rule with your applet which tags data matching the desired conditions under which the policy should be applied. Examples are:

    • Tag SubstanceAdministrations with the HIV Care Only policy when the Product administered is an ARV

    • Tag Patients with the VIP Care Only policy when the Occupation indicates the patient is a Government Official

  3. Configure the iCDR with the appropriate data policy actions using the Configuration Tool's Data Privacy Filtering option.

  4. Ensure that the Data Privacy Filter service is enabled.

Auditing Data Disclosure

Administrators are encouraged to ensure that the Audit and Accountability subsystem of their iCDR and dCDR is appropriately configured for their use case. This is done via the Configuration Tool in the Audit and Accountability section.

Administrators should ensure that the appropriate data actions are being persisted and/or (if required) shipped to a central audit repository for review by privacy officers.

Once configured, privacy officers can use the SanteDB administration panel to review these audits (see: Reviewing Audits).

Limiting Data Retention

Limitation of the retention of data (including audits and any CDR clinical data) is handled by the Data Archiving Service, and by ensuring that the Data Retention Job is enabled and scheduled. Generally, this process involves:

  • Determining the appropriate retention parameters which are required, such as cutoff dates for archiving or purging the data, lookups, etc.

  • Determining the types of data to which the retention policies apply (Patients, Observations, etc.) and configuring the appropriate retention strategies.

  • Enabling the retention job and setting the schedule for retention.

These settings are documented in the configuration tool's Data Retention Service Configuration.

Safeguarding Personal Information

SanteDB provides a variety of methods for securing personal information while it is being transmitted to third parties, and while it is stored on the file system. There are several articles which explain the configuration of these options:

  • Securing SanteDB Configuration

  • Securing SanteDB Databases

  • Securing SanteDB APIs

These safeguards should be enabled prior to the deployment and operationalization of your SanteDB deployment to ensure that your local legislative requirements are adhered to.

Ensuring Data Accuracy

Decisions made on out-of-date or inaccurate data can adversely impact patient safety, as well as the protection of the patient's data. It is therefore important that appropriate procedures are put in place to ensure that data is accurate and that conflicting or old data is not acted upon.

The following non-technical procedures should be considered when operationalizing your SanteDB software:

  • Ensure that staff members and providers are trained to regularly update Patient profile information at the start of each visit.

  • Ensure that patients are authenticated using a reliable method (government issued photo ID, storing a photograph of the patient, biometric extensions, etc.)

SanteDB provides a limited function for tagging and/or rejecting data which is incomplete or does not adhere to certain data quality markers. Ensure that staff and business rules are configured to review the data quality/detected issues prior to making decisions (see: Data Quality Services, Data Quality Tab, Data Quality Rules).

Individual Access

It is important that individuals (Patients, Providers, etc.) can challenge a data custodian to enumerate the data which the CDR holds about them, and to understand who has observed and/or interacted with this information. In SanteDB this is addressed via:

  • Exporting the Patient's CDR data in discrete RIM format, which can be performed using the HDSI query APIs (see: Health Data Service Interface) and/or developing and providing a summary report for end-users (see: Business Intelligence Services - Report)

  • Enabling SanteGuard and reviewing the Audit & Access Trail tab on the patient's profile.

SanteDB does not provide a direct method of purging data from within the user interface. Administrators can configure data retention rules which archive and subsequently purge data based on tags they configure in their own deployment applets.