Authentication and Authorization

Authentication

The eMedication service follows the same principle as the EPR for authentication. This means that for all patient-related transactions (XDS, MHD and ATC transactions), a Cross Enterprise User Assertion (XUA) must be provided with the request. Obtaining an XUA assertion from the EPR platform will both authenticate and authorize the claim from the EPR platform perspective. This allows the eMedication service to recognize that the client system’s user is recognized by the EPR platform as being who he/she is and in the specified quality (e.g. a healthcare professional). In the rest of this page, authorization will be discussed as regarding the access rights of this EPR-authorized user to the patient’s eMedication record. See the EPR by example pages for mor information on EPR authentication and authorization tokens.

eMedication Record Authorization

Access to the eMedication records is done in an all-or-nothing approach: a person is either allowed to access all the documents in a patient’s eMedication record, and contribute to it - that is, to provide new documents -, or said person has no access at all.

Patients specify the access rules to their eMedication record. These are stored by the eMedication service in an Advanced Patient Privacy Consents (APPC) document as specified by the eMedication service here. Every patient in the eMedication service has a valid registered APPC document specifying the access rules. These access rules can be modified by a patient at any time by replacing the APPC document in the eMedication service with a new version by means of an ITI-41 transaction.

This APPC document is registered in the eMedication service as any other eMedication document, and hence can be also queried for via ITI-18 and retrieved via ITI-43 transactions. The APPC document is visible to patients only and can only be provided by patients themselves.

Rules

The following sub-sections detail how these access rules are used by the eMedication service.

Patient

Patients have always full access to their own eMedication record and this access cannot be affected by the rules in the APPC document.

Representatives

Representatives can be granted a read-write access to all documents, through their representative identifier (which is community-specific).

Healthcare Professionals

Healthcare professionals (HCPs) can be granted or denied a read-write access to all eMedication documents, through their GLN or their HPD groups. For more information on how to specify these rules, see the eMedication service APPC document page.

HCP Assistants

Healthcare professional assistants cannot be directly targeted by APPC access rules. Access rights of HCP assistants is determined by evaluating the assistant’s responsible person’s GLN and HPD groups.

Technical Users

Technical users can publish documents, and may search and retrieve medication card documents if and only if the following two conditions are true:

1. the TCU belongs to an organization that is whitelisted by the eMedication service.
2. the patient has granted access to an organization that is part of the whitelisted organization.

This behavior cannot be modified.

Document Administrators

Document administrators have a read-write access to all eMedication documents of all patient records. They can’t read or write policy documents. This behavior cannot be modified by APPC rules.

Policy Administrators

Policy administrators have a read-write access to all policy documents of all patient records. They can’t read or write eMedication documents. This behavior cannot be modified by APPC rules.

Emergency Access

Emergency access (break-the-glass) is only possible for healthcare professionals and assistants. It can be either globally allowed or forbidden by a specific rule in the APPC document. In absence of a explicit rule in the APPC document, the eMedication service assumes emergency access to the patient’s eMedication record is allowed.

Emergency access, if enabled, allows an HCP or assistant with an emergency-access-authorized XUA token by the EPR platform access to the patient’s eMedication record even if the HCP would not be normally authorized by application of the policies contained in the patient’s APPC document.

ATNA

The eMedication service generates audit event logs for all its internal activity as well as all the transactions with the client systems, as specified by the Audit Trail and Node Authentication (ATNA) profile and as per the Swiss EPR regulations, and stored in its own Audit Record Repository. Additionally, all audit events that are related to a patient - and, therefore, all the transaction-related events - generated by the eMedication service are compliant with the CH ATC profile, as required by the EPR regulations. These patient audit events can be retrieved by client systems by means of a CH ATC transaction, supported by the eMedication service.

All client systems are also obliged to generate audit events for all the transactions with the eMedication service and send them to the eMedication service Audit Record Repository by means of a Record Audit Event (ITI-20) transaction. All patient-related events should be CH ATC compliant.

Enrollment and Opt-out

Enrollment Requirements

In order to be enrolled, a patient must fulfill the following requirements:

• The patient must have an active EPR and the system enrolling the patient must know the associated EPR-SPID.
• The system must be in a position to immediately provide a valid APPC document for the enrolling patient.

Enrollment Process

In order to register a patient in the eMedication service, a client system must perform the following steps:

1. Perform a PIX feed to register the patient id in the eMedication service.
2. Provide the APPC document for the patient.

Opt-out

Patients can opt out of the eMedication service at any time. This is simply done by deleting their current APPC document via an ITI-57 transaction. Completion of this transaction will permanently delete the enterity of the patient’s eMedication record.