Skip to main content

Regulatory Compliance

HIPAA (United States)โ€‹

ยง 164.508 โ€” Authorisation for non-routine uses and disclosuresโ€‹

The ConsentRecord satisfies the elements required for a valid HIPAA authorisation:

HIPAA elementConsent Manager field
What information will be used/disclosedresourceClasses + scopeValues
Who may use or discloseactorReference
PurposeregulatoryBasis + purpose_of_use JWT claim
Expiry dateperiodEnd
Patient authorisationRecorded at portal revoke / REST API create time in ConsentAuditEvent

ยง 164.312(b) โ€” Audit controlsโ€‹

The ConsentAuditEvent table and FHIR AuditEvent resources satisfy the requirement for mechanisms to record and examine activity in systems containing PHI.

Every permit and deny decision is logged with patient ID, actor, resource type, operation, purpose of use, and outcome.

ยง 164.512(f) โ€” Emergency treatment (break-glass)โ€‹

Enterprise Edition

Break-glass emergency access (HIPAA ยง 164.512(f)) is available in the Enterprise Edition. It requires the BreakGlassAuditService, the append-only break_glass_event table, and the admin compliance review workflow โ€” none of which are present in the Community Edition.

HTI-1 / TEFCA (United States)โ€‹

The ONC Health Data, Technology, and Interoperability Final Rule (HTI-1) mandates SMART App Launch v2.2 from July 2026. The Consent Manager integrates with any SMART v2.2-compliant auth server.

The TEFCA requirement that data sharing requires patient consent and that consent must be recorded with the date, purpose, and scope is satisfied by the ConsentRecord lifecycle and the IHE ATNA audit trail.

Enterprise Edition

The OAuth2 consent screen (SmartConsentCustomizer) that automatically creates ConsentRecord entries from SMART app approvals is part of the Enterprise Edition.

GDPR Art. 9 (European Union / EEA)โ€‹

Health data is a special category under GDPR Article 9. Processing requires explicit consent.

GDPR requirementHow it is met
Explicit consentPatient must actively create a consent record โ€” no opt-in by default
Specific purposeregulatoryBasis and purpose_of_use fields document the purpose
Revocable at any timePatients can revoke via the portal; effective immediately
AuditableEvery processing action is logged with the consent record ID
PortableConsent history is queryable via the FHIR API (GET /fhir/Consent)

Data Protection by Designโ€‹

Consent is enforced by default. default-policy: deny is the only valid production configuration โ€” the startup check prevents the application from running without a JWT key source, and HTTPS must be enforced at the load balancer. A patient's data is inaccessible to any application until explicit consent exists.

GDPR Art. 17 โ€” Right to erasure and right to withdraw consentโ€‹

Patients can revoke consent at any time via the patient portal. Revocation is effective immediately on the next FHIR request.

Consent records themselves are retained for regulatory compliance. The balance between Art.17 erasure rights and audit retention obligations should be addressed in your Data Processing Agreement and your organisation's DPA.

DISHA (India)โ€‹

The Digital Information Security in Healthcare Act requires:

  • Electronic health data may not be shared without informed consent โ€” satisfied by deny-by-default enforcement
  • Consent must be specific to the recipient and purpose โ€” satisfied by actorReference + resourceClasses + regulatoryBasis
  • Consent can be revoked at any time โ€” satisfied by the portal revocation flow
  • An audit log of all data access must be maintained โ€” satisfied by the IHE ATNA audit trail

My Health Record Act 2012 (Australia)โ€‹

RequirementHow it is met
Patient-controlled accessDefault deny โ€” patients must actively create consents
Patient self-servicePortal at /consent/portal (view, history, revoke)
Audit visibilityPatients see every access decision in their history
Explicit opt-outprovisionType = deny records support explicit blocking

Compliance deployment checklistโ€‹

Before going live in a regulated environment:

  • default-policy: deny is set (never change to permit in production)
  • JWT_EXPECTED_ISSUER and JWT_EXPECTED_AUDIENCE are set โ€” validates every token
  • A JWT key source is configured (CONSENT_JWKS_URI recommended)
  • HTTPS is enforced on all endpoints at the load balancer or reverse proxy
  • DB_PASS is set to a strong random password
  • FHIR_SERVICE_TOKEN has minimum required permissions on HAPI FHIR
  • FLYWAY_EXCLUDE_MIGRATIONS is set to exclude V3 sandbox data in production
  • Database backups include consent_record and consent_audit_event tables
  • regulatory-basis default string is updated to match your jurisdiction
  • default-consent-period-days is reviewed against your jurisdiction's guidance
  • /actuator/info is not publicly accessible (not exposed by default)

โ† API Reference ยท Home