Concept of Operations: Relating to the introduction of a Personally Controlled Electronic Health Record System

6.4.2 Participation and Authorisation Service

Purpose

The Participation and Authorisation Service has three major functions:
  • Managing the participation process for registration of individuals and their representatives.
  • Capturing administrative information, settings and preferences about individuals and their representatives.
  • Controlling access to an individual’s PCEHR based on their access control settings.

The participation process and authorisation process are discussed in more detail in Sections 3 and 5 respectively.

Functionality

The Participation and Authorisation Service supports the following functions for an individual:
  • Manage participation, including:
      • Register to have a PCEHR created.
      • Request to de-activate a PCEHR.
      • Request to re-activate a de-activated PCEHR.
      • Associate/disassociate representatives with an individual (note that this may require additional proof to be provided to the PCEHR System operator).
      • Update contact details, details of the person to contact in an emergency and notification details.
  • Manage access controls (see Section 5.5), including:
      • Update access control settings.
      • Set/Reset PACC and PACCX.
      • Manage access lists.
      • TAK generation.

In order to support these functions the Participation and Authorisation Service will need to record the following information:
  • Details (name, date of birth, sex and IHI).
  • PCEHR status (active, de-activated).
  • Contact details (phone number, mailing address, email address).
  • Person to contact in an emergency details (name and contact details).
  • Custodian information for advance care directive (name and contact details).
  • Notification details (email address or mobile number for SMS).
  • Authentication details (e.g. user name, password).
  • Date(s) of sign up and exit.
  • Details about representatives, including for authorised representatives, the basis for authorisation (e.g. parent, guardian, power of attorney), evidence of authorisation, effective date and expiry date.
  • Access control settings, including:
      • Access control mode (basic or advanced)
      • Is a PACC required to be added to the access list (Y/N)
      • The PACC (PIN/passphrase)
      • Can access without a PACC be undertaken if individual forgets PACC (Y/N)
      • Is notification required when access without PACC undertaken (Y/N)
      • Is notification required when new organisations are added to the access list (Y/N)
      • The access list (list of organisations and level of access: ‘general’, ‘limited access’ or ‘revoked’)
      • The PACCX (optional)
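
The access control settings listed above, together with the "manage access controls" functions (set/reset PACC, manage access lists), describe a small policy record and a decision procedure. The following Python is an added illustration, not code from the Concept of Operations or from the PCEHR System, of how such a record could be evaluated. Everything beyond the listed settings is an assumption: the PACC is stored only as a salted PBKDF2 digest (the document says only that the PACC is recorded), an organisation already on the access list is served at its recorded level without re-presenting a PACC, the "forgot PACC" fallback is modelled as a flag on the access request, and the PACCX (whose meaning is given in Section 5.5, not here) is left out. Organisation names and the PACC value are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class AccessLevel(Enum):
    """Level of access an organisation holds on the access list."""
    GENERAL = "general"
    LIMITED = "limited access"
    REVOKED = "revoked"


@dataclass
class AccessControlSettings:
    """Hypothetical record of one individual's access control settings."""
    mode: str                               # "basic" or "advanced"
    pacc_required: bool                     # PACC needed to join the access list (Y/N)
    allow_access_without_pacc: bool         # fallback if the individual forgets the PACC (Y/N)
    notify_on_access_without_pacc: bool     # notify when the fallback is used (Y/N)
    notify_on_new_organisation: bool        # notify when an organisation is added (Y/N)
    pacc_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pacc_hash: Optional[bytes] = None       # salted digest only; the PACC itself is never stored
    access_list: dict = field(default_factory=dict)     # organisation -> AccessLevel
    notifications: list = field(default_factory=list)   # messages queued for the individual


def _derive(pacc: str, salt: bytes) -> bytes:
    # Assumption: PACC verified via a salted PBKDF2-HMAC-SHA256 digest.
    return hashlib.pbkdf2_hmac("sha256", pacc.encode("utf-8"), salt, 100_000)


def set_pacc(settings: AccessControlSettings, pacc: str) -> None:
    """Set or reset the PACC; a fresh salt is drawn on every reset."""
    settings.pacc_salt = secrets.token_bytes(16)
    settings.pacc_hash = _derive(pacc, settings.pacc_salt)


def verify_pacc(settings: AccessControlSettings, pacc: Optional[str]) -> bool:
    """Constant-time comparison; False when no PACC is set or none was presented."""
    if pacc is None or settings.pacc_hash is None:
        return False
    return hmac.compare_digest(_derive(pacc, settings.pacc_salt), settings.pacc_hash)


def update_access_list(settings: AccessControlSettings, organisation: str,
                       level: AccessLevel) -> None:
    """Manage the access list: add, change the level of, or revoke an organisation."""
    is_new = organisation not in settings.access_list
    settings.access_list[organisation] = level
    if is_new and settings.notify_on_new_organisation:
        settings.notifications.append(
            f"{organisation} added to access list ({level.value})")


def request_access(settings: AccessControlSettings, organisation: str,
                   pacc: Optional[str] = None,
                   individual_forgot_pacc: bool = False) -> Optional[AccessLevel]:
    """Decide whether an organisation may access the PCEHR.

    Returns the granted AccessLevel, or None when access is refused.
    """
    # Assumption: organisations already on the list are served at the recorded level.
    if organisation in settings.access_list:
        level = settings.access_list[organisation]
        return None if level is AccessLevel.REVOKED else level

    # Not yet listed: join the list if no PACC is required or the PACC verifies.
    if not settings.pacc_required or verify_pacc(settings, pacc):
        update_access_list(settings, organisation, AccessLevel.GENERAL)
        return AccessLevel.GENERAL

    # Fallback path when the individual has forgotten the PACC and allowed this.
    if individual_forgot_pacc and settings.allow_access_without_pacc:
        update_access_list(settings, organisation, AccessLevel.GENERAL)
        if settings.notify_on_access_without_pacc:
            settings.notifications.append(
                f"{organisation} accessed the PCEHR without a PACC")
        return AccessLevel.GENERAL

    return None


def demo() -> dict:
    """Walk one constructed settings record through the decision procedure."""
    s = AccessControlSettings(mode="advanced", pacc_required=True,
                              allow_access_without_pacc=True,
                              notify_on_access_without_pacc=True,
                              notify_on_new_organisation=True)
    set_pacc(s, "4729")  # constructed sample PACC
    results = {
        "wrong_pacc": request_access(s, "Clinic A", pacc="0000"),
        "correct_pacc": request_access(s, "Clinic A", pacc="4729"),
        "already_listed": request_access(s, "Clinic A"),
        "forgot": request_access(s, "Hospital B", individual_forgot_pacc=True),
    }
    update_access_list(s, "Clinic A", AccessLevel.REVOKED)
    results["after_revoke"] = request_access(s, "Clinic A", pacc="4729")
    results["notifications"] = list(s.notifications)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Every decision that changes the access list or bypasses the PACC appends a notification for the individual, which is the point of the two notification settings: the individual can detect an addition or a PACC-less access they did not expect and revoke the organisation.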

Related standards and specifications

  • XACML 2.0 [XACML] (recommended)
  • Security Assertion Markup Language 2.0 (SAML 2.0) [SAML] (recommended)
  • ISO/TS 22600 Parts 1-3 Privilege management & access control (PMAC) [ISO22600-1, ISO22600-2, ISO22600-3] (informative).

Page last updated 26 August, 2011