FHIR Consent & XACML: Secure Healthcare Data Access

by Grace Chen

Bridging FHIR Consent and XACML: A Robust Approach to Healthcare Data Access Control

The healthcare industry is increasingly focused on balancing data accessibility with stringent privacy regulations. Organizations are seeking robust solutions to manage who can access what information, and when. A growing trend involves leveraging existing, powerful access control standards like XACML (eXtensible Access Control Markup Language) while incorporating newer frameworks like FHIR (Fast Healthcare Interoperability Resources) Consent. This article explores how one organization is strategically integrating these technologies to create a comprehensive and adaptable data governance system.

The Challenge: Comprehensive Access Control Across Silos

Many healthcare organizations have complex IT landscapes, with data scattered across various systems – Electronic Health Records (EHRs), imaging archives, Health Information Exchanges (HIEs), and even Human Resources databases. Implementing consistent access control policies across these disparate systems can be a significant undertaking. “We needed a single, unified system to manage access to all our data,” stated a senior official, “from HR records to sensitive patient imaging.” XACML emerged as a strong candidate due to its flexibility and ability to define granular, attribute-based access control rules.

XACML policies are defined using XML, allowing organizations to specify precisely who can access which resources based on a variety of factors, including user roles, data types, and environmental conditions. However, the emergence of FHIR Consent presented a new consideration.

FHIR Consent: Representing Patient Preferences

FHIR Consent provides a standardized way to represent a patient’s wishes regarding the use and disclosure of their healthcare information. While powerful, simply replicating consent details within FHIR wasn’t the ideal solution for this organization. Instead, they opted for a hybrid approach: using FHIR Consent as a lightweight reference point to a more robust, centrally managed XACML policy.

Essentially, the FHIR Consent resource acts as a bridge, linking a patient (as identified within the FHIR system) to a corresponding “subject ID” within the XACML system. The FHIR Consent does not contain the detailed access control rules themselves; those remain firmly within the XACML framework.

Consider a patient who consents to standard clinical activities involving “Normal” sensitivity data but explicitly prohibits external access to “Restricted” data. In FHIR Consent, this would be represented through a set of Consent.provisions. However, the actual enforcement of these restrictions is handled entirely by the underlying XACML policies.
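The bridge described above, as an added example that is not the organization's code: a constructed FHIR R4 Consent for patient 12345 is read to find the patient, the XACML PolicySet it refers to, and the per-label provisions. The link mechanism (Consent.policy[].uri carrying a urn that ends in the PolicySetId) and the `urn:example:` URI are assumptions, as is representing the Restricted exception as a nested deny provision.

```python
from typing import Dict, Tuple

CONFIDENTIALITY = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"

# Constructed sample Consent for patient 12345 (not taken from the article).
CONSENT_12345 = {
    "resourceType": "Consent",
    "id": "consent-12345",
    "status": "active",
    "scope": {"coding": [{"system": "http://terminology.hl7.org/CodeSystem/consentscope",
                          "code": "patient-privacy"}]},
    "patient": {"reference": "Patient/12345"},
    # Assumed bridge: the URI names the XACML PolicySet that holds the real rules.
    "policy": [{"uri": "urn:example:xacml:consent-policy-set-12345"}],
    "provision": {
        "type": "permit",  # standard clinical use of Normal (N) data
        "securityLabel": [{"system": CONFIDENTIALITY, "code": "N"}],
        "provision": [{    # nested exception: no external access to Restricted (R) data
            "type": "deny",
            "securityLabel": [{"system": CONFIDENTIALITY, "code": "R"}],
        }],
    },
}


def xacml_subject(consent: Dict) -> Tuple[str, str]:
    """Return (patient id, XACML PolicySetId) that an active Consent bridges to."""
    if consent.get("resourceType") != "Consent" or consent.get("status") != "active":
        raise ValueError("only active Consent resources are honoured")
    patient_id = consent["patient"]["reference"].split("/")[-1]
    policy_uri = consent["policy"][0]["uri"]
    return patient_id, policy_uri.rsplit(":", 1)[-1]


def label_provisions(consent: Dict) -> Dict[str, str]:
    """Flatten the provision tree to {confidentiality code: 'permit' | 'deny'}.
    Nested provisions are exceptions to their parent, so deeper entries overwrite."""
    result: Dict[str, str] = {}

    def walk(prov: Dict) -> None:
        for label in prov.get("securityLabel", []):
            if label.get("system") == CONFIDENTIALITY:
                result[label["code"]] = prov["type"]
        for child in prov.get("provision", []):
            walk(child)

    walk(consent["provision"])
    return result
```

The resource carries no rule logic of its own: everything a PDP needs beyond the patient and policy reference lives in the XACML PolicySet named by the URI.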

XACML: The Engine of Access Control

The organization utilizes two key types of XACML policies: an XACML Overriding Policy and XACML Patient Consent Policies.

The XACML Overriding Policy establishes overarching rules that apply across all patient consents. This ensures consistent enforcement of organizational and regulatory requirements. An example of this is demonstrated in the provided policy snippet:

```xml
<Policy PolicyId="Org_Policy_7890_Workflow_Governance"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <!-- RuleId values and the urn:example:* AttributeIds are placeholders: only the
       descriptions and AttributeValue contents survived in the quoted snippet. -->
  <Description>
    Organizational Governance: Enforces workflow roles and clinical status.
    This policy overrides subject-level permits.
  </Description>
  <Target/>

  <Rule RuleId="emergency-permit" Effect="Permit">
    <Description>Allows doctors to access data regardless of tags during a life-safety event.</Description>
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Emergency</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
            AttributeId="urn:example:workflow:clinical-status"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>

  <Rule RuleId="archived-deny" Effect="Deny">
    <Description>Strictly forbids access if the record is in 'Archived' status, overriding user permits.</Description>
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Archived</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:example:resource:record-status"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>

  <Rule RuleId="admin-restricted-deny" Effect="Deny">
    <Description>Forbids administrative staff from seeing any data tagged as 'Restricted' (R).</Description>
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Administrative</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="urn:example:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">R</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:example:resource:confidentiality-code"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>
```

This policy, for example, permits access during emergencies and denies access to archived data, regardless of individual patient consents.

The XACML Patient Consent Policy, as illustrated in the provided example for patient ID 12345, defines the specific rules for an individual.

```xml
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
           PolicySetId="consent-policy-set-12345" Version="1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <!-- PolicyId/RuleId values and the urn:example:* AttributeId are placeholders; only the descriptions survived. -->
  <Description>Consent Policy Set for Patient ID 12345</Description>
  <Target/>
  <Policy PolicyId="consent-12345-permit-normal" Version="1.0"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Description>Policy to permit sharing of Normal (N) data</Description>
    <Target/>
    <Rule RuleId="permit-normal" Effect="Permit">
      <Description>Permit access to Normal data</Description>
      <Target><AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">N</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:resource:confidentiality-code"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf></Target>
    </Rule>
  </Policy>
  <Policy PolicyId="consent-12345-deny-restricted" Version="1.0"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Description>Policy to deny sharing of Restricted (R) data</Description>
    <Target/>
    <Rule RuleId="deny-restricted" Effect="Deny">
      <Description>Deny access to Restricted data</Description>
      <Target><AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">R</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:resource:confidentiality-code"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf></Target>
    </Rule>
  </Policy>
</PolicySet>
```
These patient-specific policies are combined with the overarching XACML Overriding Policy, ensuring a layered and adaptable security model. “This approach allows us to honor individual patient preferences while maintaining a consistent security posture across the organization,” explained one analyst involved in the implementation.
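How the two layers combine, as an added example rather than the organization's engine: a minimal XACML-style evaluator encodes the three overriding rules and the two consent rules above and combines them. Rule ids, request attribute names and the top-level combining algorithm (which the article does not state) are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    rule_id: str
    effect: str                        # PERMIT or DENY
    target: Callable[[Request], bool]  # stands in for the rule's <Target>


def deny_overrides(decisions: List[str]) -> str:
    """XACML deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA


def first_applicable(decisions: List[str]) -> str:
    """XACML first-applicable: the first decision that is not NotApplicable wins."""
    return next((d for d in decisions if d != NA), NA)


def evaluate(rules: List[Rule], req: Request) -> str:
    """One Policy: its rules combined with deny-overrides, as both article policies are."""
    return deny_overrides([r.effect if r.target(req) else NA for r in rules])


# Layer 1: the organisational overriding policy (the three rules quoted above).
OVERRIDING_RULES = [
    Rule("emergency-permit", PERMIT,
         lambda r: r["role"] == "Doctor" and r["status"] == "Emergency"),
    Rule("archived-deny", DENY, lambda r: r["record_status"] == "Archived"),
    Rule("admin-restricted-deny", DENY,
         lambda r: r["role"] == "Administrative" and r["label"] == "R"),
]
# Layer 2: patient 12345's consent policy set (permit N, deny R).
CONSENT_RULES_12345 = [
    Rule("permit-normal", PERMIT, lambda r: r["label"] == "N"),
    Rule("deny-restricted", DENY, lambda r: r["label"] == "R"),
]


def decide(req: Request, combine=deny_overrides) -> str:
    """Top-level PolicySet: overriding policy listed first, then the patient's consent set.
    The combining algorithm at this level is an assumption (default: deny-overrides)."""
    return combine([evaluate(OVERRIDING_RULES, req), evaluate(CONSENT_RULES_12345, req)])
```

With deny-overrides at the top level the consent Deny on Restricted data beats the emergency Permit, so the "regardless of patient consent" emergency behaviour only holds when the overriding policy is evaluated first under first-applicable (or the consent rules carry their own emergency exception).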

A Future-Proofed Approach to Data Governance

By strategically combining FHIR Consent with the power of XACML, this organization has created a flexible and scalable data access control system. This hybrid model allows them to leverage the benefits of both standards – the patient-centric approach of FHIR and the granular control offered by XACML – resulting in a robust and future-proofed solution for managing sensitive healthcare information. The organization’s success highlights a growing trend towards interoperability and the intelligent integration of existing standards to address the evolving challenges of healthcare data security and privacy.
