Add GDPR FHIR Operation Support - $erase #850
Comments
|
HAPI FHIR Server implements a similar operation called |
|
need to consider storing compartment relationships outside of parameter tables |
|
Compartment relationships are now computed during ingestion and stored as internal token parameters. This information could be leveraged to drive a hard-delete for a patient. To do this properly we need to consider the volume of data likely to be associated with a patient and whether or not it would be possible to delete all that data in a single transaction (taking into account the constraints of log space and transaction time). An asynchronous batch process may be needed so that the deletes can be spread over multiple transactions. |
|
The really tricky thing here is that we only store parameters for the latest version of a given resource. Problem scenarios:Soft-deleted resources
Now we have a request to delete all resources for Patient/abc ...good luck finding the historical version of this resource Changing ownership
Now we have a request to delete all resources for Patient/123oops; should this resource which now belongs to Patinet/123fixed be hard deleted? Lee's proposalIts scenarios like this that can be very tricky. Unless we want to start storing compartment membership for each version of each resource, I think it might be better to 'punt' on the "erase everything about patient XYZ" and instead implement a single-resource hard-delete; then let the client decide which resources to purge. How this might play out in a real solution: Then, when it comes time to delete all resources associated with that patient, this component does a simple lookup in its map to decide which resources should get blown away and drives the erasure of those resources. Note: the "Changing ownership" scenario makes this especially tricky and so it might make sense to either disable that via a PersistenceInterceptor or otherwise have policy in place for either mitigating or managing this scenario. |
|
I've started working on this at a design level and considered Lee and Robin's comments. I'll have a Dev Team meeting on Wednesday to discuss more on the design and implementation. |
Signed-off-by: Paul Bastide <pbastide@us.ibm.com>
- Issues resolved are: - Add GDPR FHIR Operation Support - $erase #850 - FHIROperationContext inconsistently available to Batch.java #2297 - Support $erase (hard delete) for a specific historical version of a resources #2304 - Remove the timeout and count parameters in lieu of the version-specific erase - Update the README with clarity on the parameters - logicalId, version, patient, reason - clarified the HTTP Method, Api Paths, Response Codes, and Responses - Add Acceptance Criteria to explain VERSION delete - Update the test harnesses for Db2 and Postgres to use the simple Erase approach - Clean up the DAO, JdbcEraseTest to move away from Timeout - Removed patient/reason so we don't reflect illegal content. - Change function/stored proc to use resource_type, logical_id only - Refactor erase.json to support only specific values. - Revert test.properties to logging false - Improve IT/UT test coverage Signed-off-by: Paul Bastide <pbastide@us.ibm.com>
|
Ran through the Postman collection that @prb112 provided to verify the feature. |
Background
As part of GDPR support, HL7 FHIR is discussing the
$erase. The IBM FHIR Server should implement$erase.Description
$eraseoperationReference
FHIR R5 Roadmap
$erase
The text was updated successfully, but these errors were encountered: