Population: "2.a) a body of persons or individuals having a quality or characteristic in common. 3) a group of individual persons, objects, or items from which samples are taken for statistical measurement" - Merriam-Webster's Medical Dictionary This class specifies that the target of a policy may be an entire population. This class may be used to specify a privacy policy that applies to a specific group or population. [HL7 DAM]

Contains a set of rules that are intended to be enforced by security systems and are used as the basis for client privacy consent directives. This class encapsulates the location of a human-readable version of the Electronic Privacy Policy. The human-readable version is accessible to any authorized system and user via the supplied Uniform Resource Identifier (URI). [HL7 DAM]. Privacy Policies are a named kind of Composite Policy in that Privacy Policies are a defined set of other policies that together enforce the intent of the Privacy Policy.

A privacy or consent rule specifies the permission allowed to a user type by the consenter for a specific type of information. The person consenting may be either the subject of the record or a designated Substitute Decision Maker. One or more consent rules comprise a consent directive or privacy policy.

"An exception to the base policy of this consent. An exception can be an addition or removal of access permissions." - HL7 FHIR, Consent.provision

"Who or what is controlled by this rule. Use group to identify a set of actors by some property they share (e.g. Admitting officers)." - HL7 FHIR, Consent.provision.actor

"The resources controlled by this rule if specific resources are referenced." - HL7 FHIR, Consent.provision.data

"The context of the activities a user is taking - why the user is accessing the data - that are controlled by this consent." - HL7 FHIR, Consent.purpose

A Refrain Policy is used to constrain an existing policy by indicating that a specific action is prohibited based on specific access control attributes (e.g., purpose of use, information type, user role). For example, a Refrain Policy instance may be used to represent a privacy consent directive that sets specific limitations on a default organizational policy regarding substance abuse data (e.g., [42 CFR Part 2]). Refrain Policy is a specialization of the Atomic Policy class. It does not have any additional attributes but implies different behavior. [HL7 DAM] ISO 22600-2 defines a refrain as actions subjects must refrain from performing. This class is derived from ISO 22600-2 and HL7 DAM.

Relationship Policy defines a group of policies pertaining to the interactions between a set of roles. [ISO 22600-2]

Two categories of security policy, rule-based and identity-based, are identified in CCITT Rec. X.800 | ISO 7498-2. [ISO 10181-3]. Resource-based access control policies are intended to apply to all access requests by any initiator on any resource in a security domain. [ISO 10181-3]

Role Policy is used to specify the attributes identifying the user of a system used to access Protected Information. A role is a specialization of Composite Policy that defines a group of policies (authorization, obligation, delegation and refrain policies). [HL7 DAM] ISO 22600 more specifically defines a role as a "set of competences and/or performances which is associated with a task." If one considers a set of (target identity, operation type) pairs as initiator-bound ACI, and target identities as target-bound ACI, under an appropriate access control policy, one obtains what is essentially a capability scheme [ISO 10181-3]. Accordingly, the Role Policy class equates to the ISO 10181-3 capability scheme. This class is derived from ISO 22600-2, HL7 DAM, and ISO 10181-3.

Initiator-bound ACI that specifies contextual information such as geographic location. [ISO 10181-3]

*** Don't confuse Security Groups with Security Roles The Security Group replaces "Compartment" in the old FHIM model (see FhimSecurityAndPrivacyDiagrams_2014-10-17.docx) Security Groups can be functional or Hierarchical

Resource-bound Access Control Information (ACI) called security labels that control disclosure of Protected Information. That is, a classification that specifies the degree of protection against access the data or information requires, together with a designation of that degree of protection. [HL7 PASS SLS] "A set of security labels that define which resources are controlled by this consent. If more than one label is specified, all resources must have all the specified labels." - FHIR, Consent.securityLabel

*(added 11/2014 as part of high-level refactoring)

ISO 22600 specifies a Role as a "set of competencies and/or performances which is associated with a task". A Security Role defines a named group of policies (authorization, obligation, delegation and refrain policies) that can be managed, assigned, and revoked together for convenience of use rather than managing these policies individually. For example, at a given organization, all nurses (functional role) may have the same privileges and responsibilities conveyed through six policies. A nurse acting as the charge nurse (a structural role) may then have additional privileges based on two other policies. This class is used to enumerate the policies associated to the nurse role and the charge nurse role.

Structural roles reflect the structural aspects of relationships between entities. Structural roles describe prerequisites, feasibilities, or competences for acts. [ISO 22600-2] Structural Role is used to illustrate the type of roles that may be used in a privacy policy or Role Based Access Control (RBAC) permission. Structural codes are currently provided by ASTM E1986-09. [HL7 DAM] Note that this role is called a "Session Role" in American National Standards Institute (ANSI) / InterNational Committee for Information Technology Standards (INCITS).

This class represents the type of subject of the clinical record, which could be either a patient or a population. Note that originally it was contemplated that the subject of the record could even be a provider or a non-human, but for the time being, the FHIM only allows a patient or a population.

Trust contracts are predicated on the establishment of a Legal Framework that requires members to agree on a legally binding set of criteria to manage the risk of participating in a contractual trust framework. This includes, but is not limited to terms for participation and termination, conformance to applicable laws and mandates such as Federal Information Security Management Act (FISMA), HIPAA, and the Privacy Act; permitted uses of information exchanged between members, and waivers/exceptions if any. In this model, a trust contract makes the business and technical operational rules of a domain legally binding upon its members. Trust contracts are subject to jurisdictional, organizational and privacy policies that apply equally to all members. Trust contracts can have a time limit, whereupon the complete contract must be renegotiated.

Specifies the attributes identifying the user of a system used to access Protected Information. Note that the user here is typically a Provider. [HL7 DAM]

"Whether a treatment instruction (e.g. artificial respiration yes or no) was verified with the patient, his/her family or another authorized person." - HL7 FHIR, Consent.verification