Provenance
Introduction
Scope and Usage
The Provenance resource tracks information about the activity that created, revised, deleted, or signed a version of a resource, describing the entities and agents involved. This information can be used to form assessments about its quality, reliability, trustworthiness, or to provide pointers for where to go to further investigate the origins of the resource and the information in it.
Provenance resources are a record-keeping assertion that gathers information about the context in which the information in a resource was obtained. Provenance resources are prepared by the application that initiates the create/update etc. of the resource. An AuditEvent resource contains overlapping information, but is created as events occur, to track and audit the events. AuditEvent resources are often (though not exclusively) created by the application responding to the read/query/create/update/etc. event.
Boundaries and Relationships
Many other FHIR resources contain some elements that represent information about how the resource was obtained, and therefore they overlap with the functionality of the Provenance resource. These properties in other resources SHOULD always be used in preference to the Provenance resource, and the Provenance resource SHOULD be used where additional information is required, or explicit record or provenance is desired. Details on this overlap can be found on the FiveWs, including a mapping at the Resource Element level.
The relationship between a resource and its provenance is established by a reference from the provenance resource to its target. In this way, provenance MAY be provided about any resource or version, including past versions. There MAY be multiple provenance records for a given resource or version of a resource.
Background and Context
The Provenance resource is based on the W3C Provenance specification, and mappings are provided. The Provenance resource is tailored to fit the FHIR use-cases for provenance more directly. In terms of W3C Provenance the FHIR Provenance resource covers "Generation" of "Entity" with respect to FHIR defined resources for creation or updating; whereas AuditEvent covers "Usage" of "Entity" and all other "Activity" as defined in W3C Provenance.
The W3C Provenance Specification has the following fundamental model:
Where:
- Entity - An entity is a physical, digital, conceptual or other kind of thing with some fixed aspects; entities MAY be real or imaginary. One or more entities can be the input (.entity) of an activity, and one or more entities can be the output (.target).
- Agent - An agent is something that bears the responsibility identified by the type of participation in the activity taking place, for the existence of an entity, or for another agent's activity. An Agent MAY be a person, device, system, organization, group, care-team, or identifiable thing.
- Activity - An activity is something that occurs over a time period and acts upon or with entities. It MAY include consuming, processing, transforming, modifying, relocating, using, or generating entities.
The Provenance resource corresponds to a single activity that identifies a set of resources (target) generated by the activity. The activity also references other entities (entity) that were used and the agents (agent) that were associated with the activity. To record multiple activities that resulted in one (target), record each (activity) in independent Provenance records all pointing at that (target).
The Provenance resource depends upon having References to all the resources, entities, and agents involved in the activity. These References need not be resolvable. The references must provide a unique and unambiguous identification. If a resource, entity, or agent can have different versions that must be identified, then the Reference must have versioning information included.
Versioning and unique identification are not mandated for all systems that provide Resources, entities, and agents. But, inclusion of Provenance requirements MAY introduce requirements for versioning and unique identification on those systems
The Provenance resource is based on leveraging the W3C Provenance specification to represent HL7 support of provenance throughout its standards and explicitly modeled as functional capabilities in ISO/HL7 10781 EHR System Functional Model Release 2 and ISO 21089 Trusted End-to-End Information Flows. Mappings are provided. The Provenance resource is tailored to fit the FHIR use-cases for provenance more directly. In terms of W3C Provenance the FHIR Provenance resources covers "Generation" of "Entity" with respect to FHIR defined resources for creation or updating; whereas AuditEvent covers "Usage" of "Entity" and all other "Activity" as defined in W3C Provenance.
Notes
Using the Provenance Resource
The Provenance resource identifies information about another resource (the target element). The Provenance resource MAY be used in several different ways:
- As part of a Bundle where it identifies the provenance of part or all of the resources in the Bundle (e.g. Documents)
- On a RESTful system where it keeps track of provenance information relating to resources
The resources found in a Bundle are often the latest version and don't have a version identified, yet Provenance resources in the Bundle MAY have references (e.g. .target) to version specific resources. When de-referencing resource references that MAY have a version identified one SHOULD look for the non-version resource found in the Bundle.
On a RESTful system, the target resource reference SHOULD be version specific, but this requires special care: For new resources that need to have a corresponding Provenance resource, the version-specific reference is often not knowable until after the target resource has been updated. This can create an integrity problem for the system - what if the Provenance resource cannot be created after the target resource has been updated? To avoid any such integrity problems, the target resource and the Provenance resources SHOULD be submitted as a pair using a transaction (see the Transaction Example). Alternatively, the Provenance http header MAY be used if supported.
Element Level Provenance
The Provenance.target MAY point at a specific element within the targeted resource using the target element extension or target path extension. For example when updating a Patient resource with a new official name, such as shown in example 1, where the Provenance is indicating that the official name was provided by the Patient themselves.
HTTP Header
The custom header X-Provenance to provide a provenance resource when performing PUT or POST operations using the RESTful interface:
POST [base]/Observation Content-Type: application/fhir+? X-Provenance: { "resourceType": "Provenance", "location": { "reference": "Location/1" }," agent" ... }
[body]
The intent is that the server picks up the provenance, fills out the target, and then stores the provenance information as it normally would. Notes:
- Irrespective of the Content-Type or Accept headers, the Provenance resource is in the JSON format
- The provenance SHALL NOT have a specified
Provenance.target. The server will fill thetargetin as it processes the contents of the POST/PUT and determines the ids of the resource(s) to which the interaction applies - Servers MAY ignore the header, but SHOULD process it if they support provenance
- Some server frameworks impose a length limit on individual HTTP headers, or on the the headers as a whole. Servers MAY reject a request if the X-Provenance header is too long
- The use of the header is not documented for other HTTP methods (GET etc.)
- When recording an AuditEvent, one AuditEvent MAY be used to record the create of the resource and provenance
Signatures
The Provenance resource includes a signature element (digital signature) which can be used for standards based integrity verification and non-repudiation purposes. The Signature datatype provides details on use of the signature element. The Signature.type coded value of "Source" SHOULD be used when the signature is for simply proving that the resource content is the same as it was when the resource was updated or created.
Provenance of Removal
A Provenance record can be recorded to indicate who deleted a Resource. If versioning is supported, the version that was deleted is referenced in Provenance.target; if versioning is not supported then Provenance.target contains the non-version reference. Provenance.entity is not used unless there is a business requirement to do so.
Use of Provenance to record Import and Transform
Provenance can be used to record activities of an automaton that transforms input. Such as middleware that extracts information from a HL7 V2 message and creates FHIR resources, or middleware that extracts information from an HL7 CDA document and creates FHIR resources, etc. The Provenance in these cases is recording the activity of the middleware.
The middleware in this case would, in addition to creating the target resources, create a Provenance resource that indicates all the target resources (using Provenance.target). The middleware is identified as one of the Provenance.agent elements, with the Provenance.agent.type of assembler.
The middleware MAY record the source as another Provenance.agent element.
The original content is optionally saved. This might be as a DocumentReference, or Binary. The Provenance.entity would then point at this original content.
The original source might include some form of 'provenance' to cover the history of the original content prior to the import transformation. This original source 'provenance' SHOULD be converted into FHIR Provenance records as appropriate.
Examples of this activity with Provenance profile can be found in the IHE Implementation Guides for
- Query for Existing Data for Mobile - QEDm
- Reconciliation of Clinical Content and Care Providers - RECON
Multiple Patients Affected
Where a provenance activity impacts more than one Patient/Subject; multiple Provenance resources SHOULD be recorded, one for each Patient/Subject. This best enables segmentation of the Provenance details so as to limit the Privacy impact. The use of multiple Provenance is a best-practice and SHOULD be driven by a Policy. There will be cases where the use of multiple Provenance resources is not necessary, such as public health reporting.
Relevant History Provenance
Some Event pattern or Request pattern resources will have a relevantHistory element. These elements would point to a subset of all Provenance about that resource that are considered relevant. For further guidance on relevantHistory see Event history pattern or Request history pattern.
StructureDefinition
Elements (Simplified)
- Provenance [0..*]: - Who, What, When for a set of resources
- Provenance.target [1..*]: Reference(Resource) Target Reference(s) (usually version specific)
- Provenance.occurred[x] [0..1]: Period, dateTime When the activity occurred
- Provenance.recorded [0..1]: instant When the activity was recorded / updated
- Provenance.policy [0..*]: uri Policy or plan the activity was defined by
- Provenance.location [0..1]: Reference(Location) Where the activity occurred
- Provenance.authorization [0..*]: CodeableReference example:v3-PurposeOfUse Authorization (purposeOfUse) related to the event
- Provenance.why [0..1]: markdown Why was the event performed?
- Provenance.activity [0..1]: CodeableConcept example:provenance-activity-type Activity that occurred
- Provenance.basedOn [0..*]: Reference(Resource) Workflow authorization within which this event occurred
- Provenance.patient [0..1]: Reference(Patient) The patient is the subject of the data created/updated (.target) by the activity
- Provenance.encounter [0..1]: Reference(Encounter) Encounter within which this event occurred or which the event is tightly associated
- Provenance.agent [1..*]: BackboneElement Actor involved
- Provenance.agent.type [0..1]: CodeableConcept example:participation-role-type How the agent participated
- Provenance.agent.role [0..*]: CodeableConcept example:security-role-type-example What the agents role was
- Provenance.agent.who [1..1]: [Reference(Practitioner](/Reference(Practitioner), PractitionerRole, Organization, CareTeam, Patient, Device, RelatedPerson, Group, HealthcareService)) The agent that participated in the event
- Provenance.agent.onBehalfOf [0..1]: [Reference(Practitioner](/Reference(Practitioner), PractitionerRole, Organization, CareTeam, Patient, Group, HealthcareService)) The agent that delegated
- Provenance.entity [0..*]: BackboneElement An entity used in this activity
- Provenance.entity.role [1..1]: code required:provenance-entity-role revision | quotation | source | instantiates | removal
- Provenance.entity.what [1..1]: Reference(Resource) Identity of entity
- Provenance.entity.agent [0..*]: - Entity is attributed to this agent
- Provenance.signature [0..*]: Signature Signature on target
Mappings
- Provenance Mappings — 74 mapping entries
Implementation Guide
implementationguide-Provenance-core.xml
<?xml version="1.0" encoding="UTF-8"?>
<ImplementationGuide xmlns="http://hl7.org/fhir">
<id value="Provenance-core"/>
<extension url="http://hl7.org/fhir/build/StructureDefinition/introduction">
<valueString value="provenance-relevant-history-introduction.xml"/>
</extension>
<extension url="http://hl7.org/fhir/build/StructureDefinition/notes">
<valueString value="provenance-relevant-history-notes.xml"/>
</extension>
<version value="2025-11-01"/>
<name value="ProvenanceRelevantHistory"/>
<title value="Provenance Relevant History"/>
<status value="active"/>
<date value="2025-11-01"/>
<publisher value="Health Level Seven International"/>
<description value="Guidance on using Provenance for related history elements"/>
<definition>
<resource>
<reference>
<reference value="StructureDefinition/provenance-relevant-history"/>
</reference>
</resource>
</definition>
</ImplementationGuide>
Resource Packs
list-Provenance-packs.xml
<?xml version="1.0" encoding="UTF-8"?>
<List xmlns="http://hl7.org/fhir">
<id value="Provenance-packs"/>
<status value="current"/>
<mode value="working"/>
<entry>
<item>
<reference value="ImplementationGuide/Provenance-core"/>
</item>
</entry>
</List>
Search Parameters
- activity — token — Activity that occurred —
Provenance.activity - agent — reference — Who participated —
Provenance.agent.who - agent-role — token — What the agents role was —
Provenance.agent.role - agent-type — token — How the agent participated —
Provenance.agent.type - based-on — reference — Reference to the service request. —
Provenance.basedOn - encounter — reference — Encounter related to the Provenance —
Provenance.encounter - entity — reference — Identity of entity —
Provenance.entity.what - location — reference — Where the activity occurred, if relevant —
Provenance.location - patient — reference — Where the activity involved patient data —
Provenance.patient - recorded — date — When the activity was recorded / updated —
Provenance.recorded - signature-type — token — Indication of the reason the entity signed the object(s) —
Provenance.signature.type - target — reference — Target Reference(s) (usually version specific) —
Provenance.target - when — date — When the activity occurred —
(Provenance.occurred.ofType(dateTime))
Examples
- consent-signature — provenance-consent-signature — Provenance with signature for a Consent
- example — provenance-example — General Provenance Example - data extracted from CDA document from XDS
- example-advanced — provenance-example-advanced — Advanced Provenance of a create with all elements filled including patient, encounter, authorization, baseOn, and jpeg signature
- example-anon0 — provenance-example-anon0 — Example of using Provenance as De-Identifiation linkage with security tag protection, enabling Re-Identification with authorization.
- example-bundle-allergyintolerance — provenance-example-bundle-allergyintolerance — Example of using Provenance in a SearchSet Bundle to indicate the source of the entries, where Provenance is targeting version specific resources.
- example-create-consent — provenance-example-create-consent — Creation of a Consent from a Questionnaire
- example-delete — provenance-example-delete — Provenance of a delete of a codeSystem.
- example-diagnosticreport-sig — provenance-example-diagnosticreport-sig — Provenance of a signature activity against a DiagnosticReport using an electronic signature (no evidence of signature, neither image or digital-signature)
- example-import — provenance-example-import — Provenance of import of resources from a document (DocumentReference) to show provenance from resources back to the source document.
- example1 — provenance-example1 — Targeted Provenance Example - got the patients name from the patient directly
- example2 — provenance-example2 — Targeted Provenance Example - got the patient nickname from his partner
- example3 — provenance-example3 — Targeted Provenance Example - followUp note came from specified practitioner
- example4 — provenance-example4 — Targeted Provenance Example for an extension - race came from admission paperwork
- example5 — provenance-example5 — Provenance indicating authorizing AuditEvent which indicates authorizing Consent
- example6 — provenance-example6 — Provenance indicating authorizing Consent
- provenance-example — provenance-example
- provenance-example-advanced — provenance-example-advanced
- provenance-example-anon0 — provenance-example-anon0
- provenance-example-bundle-allergyintolerance — provenance-example-bundle-allergyintolerance
- provenance-example-create-consent — provenance-example-create-consent
- provenance-example-delete — provenance-example-delete
- provenance-example-diagnosticreport-sig — provenance-example-diagnosticreport-sig
- provenance-example-import — provenance-example-import
- provenance-example-sig — provenance-example-sig
- provenance-example1 — provenance-example1
- provenance-example2 — provenance-example2
- provenance-example3 — provenance-example3
- provenance-example4 — provenance-example4
- provenance-example5 — provenance-example5
- provenance-example6 — provenance-example6
- provenance-examples-header — provenance-examples-header
- signature — provenance-example-sig — Provenance holding a signature
Mapping Exceptions
provenance-event-mapping-exceptions.xml
Divergent Elements
- Event.basedOn → Provenance.basedOn
- missingTypes | reason=More specific to the use-case | pattern=Reference(Request)
- extraTypes | reason=More specific to the use-case
- summary | reason=Not needed | pattern=true
- shortUnmatched | reason=More specific to the use-case | pattern=Fulfills plan, proposal or order | resource=Workflow authorization within which this event occurred
- Event.code → Provenance.activity
- shortUnmatched | reason=More specific to the use-case | pattern=What service was done | resource=Activity that occurred
- definitionUnmatched | reason=Unknown | pattern=A code that identifies the specific service or action that was or is being performed. | resource=An activity is something that occurs over a period of time and acts upon or with entities; it MAY include consuming, processing, transforming, modifying, relocating, using, or generating entities.
- Event.subject → Provenance.patient
- missingTypes | reason=Specific to Patient only | pattern=Reference(Group)
- shortUnmatched | reason=More specific description | pattern=Individual service was done for/to | resource=The patient is the subject of the data created/updated (.target) by the activity
- definitionUnmatched | reason=More specific description | pattern=The individual or set of individuals the action is being or was performed on. | resource=The patient element is available to enable deterministic tracking of activities that involve the patient as the subject of the data used in an activity.
- requirementsUnmatched | reason=More specific description | pattern=Links the provenance to the Patient context. May also affect access control. | resource=When the .patient is populated it SHALL be accurate to the subject of the target data. The .patient SHALL NOT be populated when the target data created/updated (.target) by the activity does not involve a subject. Note that when the patient is an agent, they will be recorded as an agent. When the Patient resource is Created, Updated, or Deleted it will be recorded as an entity. May also affect access control.
- Event.encounter → Provenance.encounter
- summary | reason=Not needed | pattern=true
- shortUnmatched | reason=More specific description | pattern=Encounter the provenance is part of | resource=Encounter within which this event occurred or which the event is tightly associated
- definitionUnmatched | reason=Unknown | pattern=The Encounter during which this provenance was created or to which the creation of this record is tightly associated. | resource=This will typically be the encounter the event occurred, but some events MAY be initiated prior to or after the official completion of an encounter but still be tied to the context of the encounter (e.g. pre-admission lab tests).
- commentsUnmatched | reason=Unknown | pattern=This will typically be the encounter the provenance was created during, but some provenances may be initiated prior to or after the official completion of an encounter but still be tied to the context of the encounter (e.g. pre-admission lab tests). | resource=This will typically be the encounter the provenance was created during, but some provenances MAY be initiated prior to or after the official completion of an encounter but still be tied to the context of the encounter (e.g. pre-admission lab tests).
- Event.occurrence[x] → Provenance.occurred[x]
- missingTypes | reason=not applicable | pattern=Timing
- shortUnmatched | reason=More specific description | pattern=When provenance occurred/is occurring | resource=When the activity occurred
- definitionUnmatched | reason=More specific description | pattern=The date, period or timing when the provenance did occur or is occurring. | resource=The period during which the activity occurred.
- commentsUnmatched | reason=Unknown | pattern=This indicates when the activity actually occurred or is occurring, not when it was asked/requested/ordered to occur. For the latter, look at the occurence element of the Request this {{event}} is "basedOn". The status code allows differentiation of whether the timing reflects a historic event or an ongoing event. Ongoing events should not include an upper bound in the Period or Timing.bounds. . | resource=The period can be a little arbitrary; where possible, the time SHOULD correspond to human assessment of the activity time.
- Event.performer → Provenance.agent
- extraTypes | reason=Needed by use-case
- shortUnmatched | reason=More specific description | pattern=Who performed provenance and what they did | resource=Actor involved
- definitionUnmatched | reason=More specific description | pattern=Indicates who or what performed the provenance and how they were involved. | resource=An actor taking a role in an activity for which it can be assigned some degree of responsibility for the activity taking place.
- Event.performer.function → Provenance.agent.type
- shortUnmatched | reason=More specific description | pattern=Type of performance | resource=How the agent participated
- definitionUnmatched | reason=More specific description | pattern=Distinguishes the type of involvement of the performer in the provenance.. | resource=The Functional Role of the agent with respect to the activity.
- requirementsUnmatched | reason=More specific description | pattern=Allows disambiguation of the types of involvement of different performers. | resource=Functional roles reflect functional aspects of relationships between entities. Functional roles are bound to the realization/performance of acts, where actions might be concatenated to an activity or even to a process. This element will hold the functional role that the agent played in the activity that is the focus of this Provenance. Where an agent played multiple functional roles, they will be listed as multiple .agent elements representing each functional participation. See ISO 21298:2018 - Health Informatics - Functional and structural roles, and ISO 22600-2:2014 - Health Informatics - Privilege Management and Access Control - Part 2: formal models.
- Event.performer.actor → Provenance.agent.who
- extraTypes | reason=Unknown
- shortUnmatched | reason=More specific description | pattern=Who performed provenance | resource=The agent that participated in the event
- definitionUnmatched | reason=More specific description | pattern=Indicates who or what performed the provenance. | resource=Indicates who or what performed in the event.
- Event.location → Provenance.location
- summary | reason=Not needed | pattern=true
- shortUnmatched | reason=More specific description | pattern=Where provenance occurred | resource=Where the activity occurred
- definitionUnmatched | reason=More specific description | pattern=The principal physical location where the provenance was performed. | resource=Where the activity occurred.
- requirementsUnmatched | reason=Not applicable | pattern=Ties the event to where the records are likely kept and provides context around the event occurrence (e.g. if it occurred inside or outside a dedicated healthcare setting).
- Event.reason → Provenance.authorization
- summary | reason=Not needed | pattern=true
- shortUnmatched | reason=More specific description | pattern=Why was provenance performed? | resource=Authorization (purposeOfUse) related to the event
- definitionUnmatched | reason=More specific description | pattern=Describes why the provenance occurred in coded or textual form or Indicates another resource whose existence justifies this provenance. | resource=The authorization (e.g., PurposeOfUse) that was used during the event being recorded.
- commentsUnmatched | reason=Not applicable | pattern=Textual reasons can be captured using reasonCode.text.
- Event.reason → Provenance.why
- missingTypes | reason=Unknown | pattern=CodeableReference(Condition, Observation, DiagnosticReport, DocumentReference)
- extraTypes | reason=Use-Case need
- summary | reason=Not needed | pattern=true
- shortUnmatched | reason=More specific description | pattern=Why was provenance performed? | resource=Why was the event performed?
- definitionUnmatched | reason=More specific description | pattern=Describes why the provenance occurred in coded or textual form or Indicates another resource whose existence justifies this provenance. | resource=Describes why the event recorded in this provenenace occurred in textual form.
- commentsUnmatched | reason=More specific description | pattern=Textual reasons can be captured using reasonCode.text.
Unmapped Elements
- Event.partOf — Not relevant for this resource
- Event.reported — Not relevant for this resource
- Event.relevantHistory — Not relevant for this resource
- Event.status — Not relevant for this resource
- Event.statusReason — Not relevant for this resource
- Event.note — Not relevant for this resource
- Event.category — Not relevant for this resource
- Event.recorded — Not relevant for this resource
- Event.product — Not relevant for this resource
- Event.identifier — Not relevant for this resource
- Event.researchStudy — Not relevant for this resource
provenance-fivews-mapping-exceptions.xml
Divergent Elements
- FiveWs.what[x] → Provenance.target
Unmapped Elements
- FiveWs.author — Unknown
- FiveWs.actor — Unknown
- FiveWs.cause — Unknown
- FiveWs.version — Not relevant for this resource
- FiveWs.witness — Unknown
- FiveWs.class — Not relevant for this resource
- FiveWs.init — Not relevant for this resource
- FiveWs.identifier — Not relevant for this resource
- FiveWs.source — Unknown
- FiveWs.grade — Not relevant for this resource
- FiveWs.status — Not relevant for this resource
- FiveWs.planned — Not relevant for this resource