type: codesystemcodesystem: safety-entries

FHIR Safety CheckList Entries

Official URL: http://hl7.org/fhir/safety-entries
Status: draft
Name: FHIRSafetyCheckListEntries
Title: FHIR Safety CheckList Entries
Publisher: HL7 International / FHIR Infrastructure
Description: The checklist items defined as part of the FHIR specification.
Case Sensitive: true
Content: complete

Concepts

Code	Display	Definition
life-cycle		For each resource that my system handles, my system handles the full Life cycle (status codes, currency issues, and erroneous entry status)
modifiers		For each resource that my system handles, I've reviewed the Modifier elements
modifier-extensions		My system checks for modifierExtension elements
must-support		My system supports elements labeled as 'MustSupport' in the profiles that apply to my system
identity		My system has documented how distributed resource identification works in its relevant contexts of use, and where (and why) contained resources are used
current		My system manages lists of current resources correctly
error-checks		When other systems return http errors from the RESTful API and Operations (perhaps using Operation Outcome), my system checks for them and handles them appropriately
link-merge		My system ensures checks for patient links (and/or merges) and handles data that is linked to patients accordingly
cs-declare		My system publishes a Capability Statement with StructureDefinitions, ValueSets, and OperationDefinitions, etc., so other implementers know how the system functions
valid-checked		All resources in use are valid against the base specification and the profiles that apply to my system (see note about the correct run-time use of validation)
obs-focus		I've reviewed the Observation resource, and understand how `focus` is a mechanism for observations to be about someone or something other than the patient or subject of record.
time-zone		My system checks for timezones and adjusts times appropriately. (note: timezones are extremely difficult to get correct - see W3C Timezone Advice, and note that some fields should be timezone corrected, and others should not be)
date-rendering		My system renders dates safely for changes in culture and language (the date formats D-M-Y and M-D-Y are not differentiated for many dates, and this is a well-known source of confusion. Systems should use the month name, or otherwise be specific for each date when rendering, unless there is solid confidence that such confusion cannot arise, even in the future when information/narrative from resources will be shared much more widely)
cross-resource		My system takes care to ensure that clients can (for servers) or will (for clients) find the information they need when content that might reasonably be exposed using more than one FHIR resource. Possible patterns: Support a single search across the applicable resources, or expose data through each applicable resource. See discussion on Wiki Page for further information
display-warnings		My system will display warnings returned by the server to the user
search-parameters		My system checks whether the server processed all the requested search parameter, and is safe if servers ignore parameters (typically, either filters locally or warns the user)
missing-values		My system caters for parameters that have missing values when doing search operations, and responds correctly to the client with regard to erroneous search parameters
default-filters		My system includes appropriate default filters when searching based on patient context - e.g. filtering out entered-in-error records, filtering to only include active, living patients if appropriate, and clearly documents these (preferably including them in the self link for a search
deletion-check		For each resource, I have checked whether resources can be deleted, and/or how records are marked as incorrect/no longer relevant
deletion-replication		Deletion of records (or equivalent updates in status) flow through the system so any replicated copies are deleted/updated
deletion-support		(If a server) my documentation about deleted resources is clear, and my test sandbox (if exists) has deleted/error record cases in the test data
check-consent		My system checks that the right Patient consent has been granted (where applicable)
distribute-aod		My system sends an Accounting of Disclosure to the consenter as requested when permitted actions on resources are performed using an AuditEvent Resource
check-clocks		My system ensures that system clocks are synchronized using a protocol like NTP or SNTP, or my server is robust against clients that have the wrong clock set
check-dns-responses		My system uses security methods for an API to authenticate where Domain Name System (DNS) responses are coming from and ensure that they are valid
use-encryption		Production exchange of patient or other sensitive data will always use some form of encryption on the wire
use-tls		Where resources are exchanged using HTTP, TLS should be utilized to protect the communications channel
use-smime		Where resources are exchanged using email, S/MIME should be used to protect the end-to-end communication
use-tls-per-bcp195		Production exchange should utilize recommendations for Best-Current-Practice on TLS in BCP 195
use-ouath		My system utilizes a risk and use case appropriate OAuth profile (preferably Smart App Launch), with a clear policy on authentication strength
use-openidconnect		My system uses OpenID Connect (or other suitable authentication protocol) to verify identity of end user, where it is necessary that end-users be identified to the client application, and has a clear policy on identity proofing
use-rbac		My system applies appropriate access control to every request, using a combination of requester’s clearance (ABAC) and/or roles (RBAC)
use-labels		My system considers security labels on the affected resources when making access control decisions
render-narratives		My system can render narratives properly and securely(where they are used)
check=validation		My system validates all input received (whether in resource format or other) from other actors so that it data is well-formed and does not contain content that would cause unwanted system behavior
use-provenance		My system makes the right Provenance statements and AuditEvent logs, and uses the right security labels where appropriate
enable-cors		Server: CORS (cross-origin resource sharing) is appropriately enabled (many clients are Javascript apps running in a browser)
use-json		JSON is supported (many clients are Javascript apps running in a browser; XML is inconvenient at best)
json-for-errors		JSON is returned correctly when errors happen (clients often don't handle HTML errors well)
use-format-header		The _format header is supported correctly
use-operation-outcome		Errors are trapped and an OperationOutcome returned

CodeSystem XML

<?xml version="1.0" encoding="UTF-8"?><CodeSystem xmlns="http://hl7.org/fhir">
  <id value="safety-entries"/>
  <extension url="http://hl7.org/fhir/StructureDefinition/codesystem-use-markdown">
    <valueBoolean value="true"/>
  </extension>
  <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-wg">
    <valueCode value="fhir"/>
  </extension>
  <url value="http://hl7.org/fhir/safety-entries"/>
  <identifier>
    <system value="urn:ietf:rfc:3986"/>
    <value value="urn:oid:2.16.840.1.113883.4.642.4.1819"/>
  </identifier>
  <name value="FHIRSafetyCheckListEntries"/>
  <title value="FHIR Safety CheckList Entries"/>
  <status value="draft"/>
  <experimental value="false"/>
  <publisher value="HL7 International / FHIR Infrastructure"/>
  <contact>
    <telecom>
      <system value="url"/>
      <value value="http://hl7.org/fhir"/>
    </telecom>
  </contact>
  <contact>
    <telecom>
      <system value="url"/>
      <value value="http://www.hl7.org/Special/committees/fiwg/index.cfm"/>
    </telecom>
  </contact>
  <description value="The [checklist items](http://hl7.org/fhir/safety.html) defined as part of the FHIR specification."/>
  <valueSet value="http://hl7.org/fhir/ValueSet/safety-entries"/>
  <hierarchyMeaning value="is-a"/>
  <caseSensitive value="true"/>
  <content value="complete"/>

 <concept>
  <code value="life-cycle"/>
  <definition value="For each resource that my system handles, my system handles the full [Life cycle](lifecycle.html) (status codes, currency issues, and erroneous entry status)"/>
 </concept>
 <concept>
  <code value="modifiers"/>
  <definition value="For each resource that my system handles, I've reviewed the [Modifier elements](conformance-rules.html#isModifier)"/>
 </concept>
 <concept>
  <code value="modifier-extensions"/>
  <definition value="My system checks for [modifierExtension](extensibility.html#modifierExtension) elements"/>
 </concept>
 <concept>
  <code value="must-support"/>
  <definition value="My system supports [elements labeled as 'MustSupport'](conformance-rules.html#mustSupport) in the [profiles](profiling.html) that apply to my system"/>
 </concept>
 <concept>
  <code value="identity"/>
  <definition value="My system has documented how [distributed resource identification](managing.html#distributed) works in its relevant contexts of use, and where (and why) [contained](references.html#contained) resources are used"/>
 </concept>
 <concept>
  <code value="current"/>
  <definition value="My system manages lists of [current resources](lifecycle.html#current) correctly"/>
 </concept>
 <concept>
  <code value="error-checks"/>
  <definition value="When other systems [return http errors from the RESTful API](http.html#summary) and [Operations](operations.html) (perhaps using [Operation Outcome](operationoutcome.html)), my system checks for them and handles them appropriately"/>
 </concept>
 <concept>
  <code value="link-merge"/>
  <definition value="My system ensures checks for patient links (and/or merges) and handles data that is linked to patients accordingly"/>
 </concept>
 <concept>
  <code value="cs-declare"/>
  <definition value="My system publishes a [Capability Statement](capabilitystatement.html) with [StructureDefinitions](structuredefinition.html), [ValueSets](valueset.html), and [OperationDefinitions](operationdefinition.html), etc., so other implementers know how the system functions"/>
 </concept>
 <concept>
  <code value="valid-checked"/>
  <definition value="All resources in use are [valid](validation.html) against the base specification and the [profiles](profiling.html) that apply to my system (see note about the [correct run-time use of validation](validation.html#correct-use))"/>
 </concept>
 <concept>
  <code value="obs-focus"/>
  <definition value="I've reviewed the [Observation](observation.html) resource, and understand how ```focus``` is a mechanism for observations to be about someone or something other than the patient or subject of record."/>
 </concept>
 <concept>
  <code value="time-zone"/>
  <definition value="My system checks for timezones and adjusts times appropriately. (note: timezones are extremely difficult to get correct - see [W3C Timezone Advice](https://www.w3.org/TR/timezone/), and note that some fields should be timezone corrected, and others should not be)"/>
 </concept>
 <concept>
  <code value="date-rendering"/>
  <definition value="My system renders dates safely for changes in culture and language (the date formats D-M-Y and M-D-Y are not differentiated for many dates, and this is a well-known source of confusion. Systems should use the month name, or otherwise be specific for each date when rendering, unless there is solid confidence that such confusion cannot arise, even in the future when information/narrative from resources will be shared much more widely)"/>
 </concept>
 <concept>
  <code value="cross-resource"/>
  <definition value="My system takes care to ensure that clients can (for servers) or will (for clients) find the information they need when content that might reasonably be exposed using more than one FHIR resource. Possible patterns: Support a single search across the applicable resources, or expose data through each applicable resource. See discussion on [Wiki Page](https://confluence.hl7.org/display/FHIR/Managing+Overlap+Between+Resources) for further information"/>
 </concept>
 <concept>
  <code value="display-warnings"/>
  <definition value="My system will display warnings returned by the server to the user"/>
 </concept>
 <concept>
  <code value="search-parameters"/>
  <definition value="My system checks whether the server processed all the requested search parameter, and is safe if servers ignore parameters (typically, either filters locally or warns the user)"/>
 </concept>
 <concept>
  <code value="missing-values"/>
  <definition value="My system caters for [parameters that have missing values](search.html#missing) when doing search operations, and responds correctly to the client with regard to [erroneous search parameters](search.html#errors)"/>
 </concept>
 <concept>
  <code value="default-filters"/>
  <definition value="My system includes appropriate default filters when searching based on patient context - e.g. filtering out entered-in-error records, filtering to only include active, living patients if appropriate, and clearly documents these (preferably including them in the self link for a search"/>
 </concept>
 <concept>
  <code value="deletion-check"/>
  <definition value="For each resource, I have checked whether resources can be deleted, and/or how records are marked as incorrect/no longer relevant"/>
 </concept>
 <concept>
  <code value="deletion-replication"/>
  <definition value="Deletion of records (or equivalent updates in status) flow through the system so any replicated copies are deleted/updated"/>
 </concept>
 <concept>
  <code value="deletion-support"/>
  <definition value="(If a server) my documentation about deleted resources is clear, and my test sandbox (if exists) has deleted/error record cases in the test data"/>
 </concept>
 <concept>
  <code value="check-consent"/>
  <definition value="My system checks that the right [Patient consent](consent.html) has been granted (where applicable)"/>
 </concept>
 <concept>
  <code value="distribute-aod"/>
  <definition value="My system sends an [Accounting of Disclosure](secpriv-module.html#AoD) to the consenter as requested when permitted actions on resources are performed using an [AuditEvent](auditevent.html) Resource"/>
 </concept>
 <concept>
  <code value="check-clocks"/>
  <definition value="My system ensures that system clocks are synchronized using a protocol like NTP or SNTP, or my server is robust against clients that have the wrong clock set"/>
 </concept>
 <concept>
  <code value="check-dns-responses"/>
  <definition value="My system uses security methods for an API to authenticate where Domain Name System (DNS) responses are coming from and ensure that they are valid"/>
 </concept>
 <concept>
  <code value="use-encryption"/>
  <definition value="Production exchange of patient or other sensitive data will always use some form of [encryption on the wire](security.html#http)"/>
 </concept>
 <concept>
  <code value="use-tls"/>
  <definition value="Where resources are exchanged using [HTTP](security.html#http), [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) should be utilized to protect the communications channel"/>
 </concept>
 <concept>
  <code value="use-smime"/>
  <definition value="Where resources are exchanged using email, [S/MIME](https://en.wikipedia.org/wiki/S/MIME) should be used to protect the end-to-end communication"/>
 </concept>
 <concept>
  <code value="use-tls-per-bcp195"/>
  <definition value="Production exchange should utilize recommendations for [Best-Current-Practice on TLS in BCP 195](https://tools.ietf.org/html/bcp195)"/>
 </concept>
 <concept>
  <code value="use-ouath"/>
  <definition value="My system utilizes a risk and use case [appropriate OAuth profile](security.html#oauth) (preferably [Smart App Launch](http://hl7.org/fhir/smart-app-launch)), with a [clear policy on authentication strength](security.html#authentication)"/>
 </concept>
 <concept>
  <code value="use-openidconnect"/>
  <definition value="My system uses [OpenID Connect](https://openid.net/connect/) (or other suitable authentication protocol) to verify identity of end user, where it is necessary that end-users be identified to the client application, and has a clear policy on [identity proofing](secpriv-module.html#user)"/>
 </concept>
 <concept>
  <code value="use-rbac"/>
  <definition value="My system applies appropriate access control to every request, using a combination of requester’s clearance (ABAC) and/or roles (RBAC)"/>
 </concept>
 <concept>
  <code value="use-labels"/>
  <definition value="My system considers [security labels](security-labels.html) on the affected resources when making access control decisions"/>
 </concept>
 <concept>
  <code value="render-narratives"/>
  <definition value="My system can [render narratives properly](narrative.html#css) and [securely](security.html#narrative)(where they are used)"/>
 </concept>
 <concept>
  <code value="check=validation"/>
  <definition value="My system [validates all input received](validation.html) (whether in resource format or other) from other actors so that it data is well-formed and does not contain content that would cause unwanted system behavior"/>
 </concept>
 <concept>
  <code value="use-provenance"/>
  <definition value="My system makes the right [Provenance](provenance.html) statements and [AuditEvent](auditevent.html) logs, and uses the right [security labels](security-labels.html#core) where appropriate"/>
 </concept>
 <concept>
  <code value="enable-cors"/>
  <definition value="Server: CORS ([cross-origin resource sharing](http://enable-cors.org/)) is appropriately enabled (many clients are Javascript apps running in a browser)"/>
 </concept>
 <concept>
  <code value="use-json"/>
  <definition value="JSON is supported (many clients are Javascript apps running in a browser; XML is inconvenient at best)"/>
 </concept>
 <concept>
  <code value="json-for-errors"/>
  <definition value="JSON is returned correctly when errors happen (clients often don't handle HTML errors well)"/>
 </concept>
 <concept>
  <code value="use-format-header"/>
  <definition value="The _format header is supported correctly"/>
 </concept>
 <concept>
  <code value="use-operation-outcome"/>
  <definition value="Errors are trapped and an OperationOutcome returned"/>
 </concept>
</CodeSystem>