Establishing the Authenticity, Reliability, and Trustworthiness of Content Between Trading Partners

Type	Standard / Implementation Specification	Standards Process Maturity	Implementation Maturity	Adoption Level	Federally required	Cost	Test Tool Availability
Standard	HL7® FHIR® Provenance Resource	Balloted Draft	Production		No	Free	No
Implementation Specification	IHE IT Infrastructure Technical Framework	Final	Production		No		Yes – Open
Implementation Specification	HL7 FHIR US Core IG Provenance Profile	Final	Production	Feedback Requested	Yes	Free	Yes
Implementation Specification	HL7 C-CDA Companion Guide: Provenance Author Participation Template	Final	Production	Feedback Requested	Yes	Free
Implementation Specification	HL7 CDA® Release 2 Implementation Guide Data Provenance, Release 1 - US Realm	Balloted Draft	Pilot		No	Free	Yes – Open
Emerging Implementation Specification	Basic Provenance Implementation Guide	Balloted Draft	Pilot	Feedback Requested	No	Free	No
Emerging Implementation Specification	C2PA Technical Specification	In Development	Production		No	Free

Limitations, Dependencies, and Preconditions for Consideration	Applicable Security Patterns for Consideration
The first implementation specification listed is focused on data provenance representation for CDA R2 implementations and the use of CDA templates. Note that the maturity level of FHIR resources may vary. The FHIR Maturity Model and each of the levels is described on the HL7 wiki. The FHIR implementation specification listed leverages the W3C Provenance specification to represent HL7 support of provenance throughout its standards. It is explicitly modeled as functional capabilities in ISO/HL7 10781 EHR System Functional Model Release 2 and ISO 21089 Trusted End-to-End Information Flows. Mappings are available within the resource. The Basic Provenance IG "provides the functional and technical guidance for communicating ‘Minimum Viable Provenance’ in CDA and FHIR when information is moved from the source to downstream systems." It includes a design for representing the ‘last hop’ only and doesn't address the potential need to share and display full provenance (full chain of custody). The Object Management Group (OMG) Data Governance Working Group is developing an RFP on Data Provenance & Pedigree. ONC will consider inclusion of the standard in a future version of the ISA when it is available. More information can be found at: https://www.omgwiki.org/datagovernance/doku.php. The IHE IT Infrastructure (ITI) Technical Framework defines a number of profiles for health information exchange. The document sharing profiles (e.g., XDS, XCA, XDR, XDM, MHD) define metadata elements for documents, including the full provenance of the document. The Document Digital Signature (DSG) Profile defines general purpose methods of digitally signing documents for communication and persistence. For additional information, please see the Enabling Document Sharing Health Information Exchange Using IHE Profiles whitepaper.	Feedback requested. Information about security patterns can be found in Appendix I.

Limitations, Dependencies, and Preconditions for Consideration

Applicable Security Patterns for Consideration

The first implementation specification listed is focused on data provenance representation for CDA R2 implementations and the use of CDA templates.
Note that the maturity level of FHIR resources may vary. The FHIR Maturity Model and each of the levels is described on the HL7 wiki.
The FHIR implementation specification listed leverages the W3C Provenance specification to represent HL7 support of provenance throughout its standards. It is explicitly modeled as functional capabilities in ISO/HL7 10781 EHR System Functional Model Release 2 and ISO 21089 Trusted End-to-End Information Flows. Mappings are available within the resource.
The Basic Provenance IG "provides the functional and technical guidance for communicating ‘Minimum Viable Provenance’ in CDA and FHIR when information is moved from the source to downstream systems." It includes a design for representing the ‘last hop’ only and doesn't address the potential need to share and display full provenance (full chain of custody).
The Object Management Group (OMG) Data Governance Working Group is developing an RFP on Data Provenance & Pedigree. ONC will consider inclusion of the standard in a future version of the ISA when it is available. More information can be found at: https://www.omgwiki.org/datagovernance/doku.php.
The IHE IT Infrastructure (ITI) Technical Framework defines a number of profiles for health information exchange. The document sharing profiles (e.g., XDS, XCA, XDR, XDM, MHD) define metadata elements for documents, including the full provenance of the document. The Document Digital Signature (DSG) Profile defines general purpose methods of digitally signing documents for communication and persistence. For additional information, please see the Enabling Document Sharing Health Information Exchange Using IHE Profiles whitepaper.

Feedback requested.

Information about security patterns can be found in Appendix I.

Comment

Submitted by John Moehrke on 2021-09-08

Document Digital Signature

IHE Document Digital Signature (DSG) profile Implementation Guide provides digital signature capability across any kind of document. This includes CDA and FHIR-Documents with the same solution.

Find the normative specification from IHE -- https://profiles.ihe.net/ITI/TF/Volume1/ch-37.html

37 Document Digital Signature (DSG)

The Document Digital Signature (DSG) Profile defines general purpose methods of digitally signing of documents for communication and persistence. Among other uses, these methods can be used within an IHE Document Sharing infrastructure (e.g., XDS, XCA, XDM, XDR, and MHD). There are three methods of digital signature defined here: Enveloping, Detached (manifest), and SubmissionSet.

An Enveloping Signature is a Digital Signature Document that contains both the signature block and the content that is signed. Access to the contained content is through removing the Enveloping - Digital Signature. Among other uses, this method should not be used with Document Sharing infrastructure.
A Detached Signature is a Digital Signature Document that contains a manifest that points at independently managed content. Detached signatures leave the signed document or documents in the original form. Among other uses, this method is recommended for use with a Document Sharing infrastructure to support Digital Signatures, as this method does not modify the original Document Content. This method uses the Document Sharing “SIGNS” relationship provides linkage.
A SubmissionSet Signature is a Detached Signature Document that attests to the content in a SubmissionSet by: containing a manifest of all the other Documents included in the SubmissionSet, and a reference to the SubmissionSet. The Document Sharing “SIGNS” relationship may be used but is not required.

Ink-on-paper signatures have been a part of the documentation process in health care and have traditionally been indicators of accountability. Reliable exchange and storage of electronic data between disparate systems requires a standard that implements equivalent non-repudiation to prevent document creators from denying authorship and rejecting responsibility.

Submitted by John Moehrke on 2021-09-08

Document Metadata

The Document Metadata defined and used by IHE XDS/XDR/XCA/XDM provides complete Provenance for the document, in addition to other functionality.

see IHE publication -- https://profiles.ihe.net/ITI/HIE-Whitepaper/index.html#26-value-of-metadata

The IHE metadata is described -- https://profiles.ihe.net/ITI/TF/Volume3/ch-4.1.html#4.1.3

Where each element contributing to Provenance is highlighted.

Submitted by gdixon on 2018-09-12

CDA IG needs work

Document last updated with ballot comments Release1 - Sep 30, 2015. This document has seen little use and needs further definition. As kwboone stated the FHIR definition is better suited. For the sake of implementation there needs to be a better operational definition of provenance and at what level is this expected. Document, section, data? From the ONC 2nd Annual Forum it was clear that the industry has not engaged with the concept of data level provenance in a way that can be shared.

Submitted by kwboone on 2017-11-20

Consider HL7 FHIR Provenance…

Consider HL7 FHIR Provenance resources, which are much better suited.