September 1, 2020 – Advisory: Consent API allows for the creation of consent policies for non-existing MPI IDs

InterSystems has corrected a defect when using the Consent API, where it is possible to associate a consent policy with an MPI ID that does not yet exist. If that MPI ID is later created and assigned to a patient, the previously associated consent policy will be applied to that patient.

This problem exists for:

  • All HealthShare Unified Care Record/Information Exchange versions

Two Consent API methods are affected by this issue:

  • AddEditMPIConsentPolicy
  • AddEditPatientPolicy

The input parameters for these methods identify a patient via an MPI ID and optionally an MRN and MRN Assigning Authority. Prior to this fix, it is possible to associate a consent policy with an MPI ID that does not yet exist. If that MPI ID is later assigned to a patient, the consent policy will be applied to that patient. This is identified as a patient privacy concern as an erroneous consent policy may result in inappropriate access to the patient demographic information or clinical data. This issue does not cause an increased risk of disclosure outside of HealthShare.

A fix is available for this issue. The fix validates whether the MPI ID exists before associating a consent policy with it. If the MPI ID does not exist, the API transaction will not succeed, and the consent policy will not be associated with that MPI ID.

This fix now validates the MPI ID exists, but it cannot validate that an existing MPI ID passed in is the correct ID for the intended target patient. MRN and MRN Assigning Authority were validated prior to this fix and continue to be validated. However, there is no validation that the MRN and MRN Assigning Authority are valid for the specified MPI ID. Applications and users of the Consent API should continue to exercise caution when inputting patient identifiers as arguments to the API methods.

Additionally, the Consent API methods do not validate the following. A fix is not yet available to validate these input parameters. Customers are strongly encouraged to test their usage of the consent API to ensure that input parameters are specified appropriately.

  • Decision: this is a required field, but it is possible to omit it. The methods will return an error if the input value is invalid.
  • ClinicialInformationType: this is a required field for the AddEditPatientPolicy method. The method will return an error if the input value is omitted but will not return an error if an invalid value is entered.
  • EffectiveDate, EventEffective, EventExpiration, ExpirationDate: these are optional fields. The methods require these dates to be in $h format and do not return an error for any invalid date formats.
  • GroupList: this is an optional field. The methods will not return an error if an invalid group is entered.
  • RelationshipList: this is an optional field. The methods will not return an error if an invalid relationship is entered. Additionally, the methods will silently ignore this parameter if AppliesTo is not set to “R”.

The correction for this defect is identified as dev key HSIEC-3190 and will be included in all future product releases. It is also available via Adhoc change file (patch) or full kit distribution from the Worldwide Response Center (WRC).

If you have any questions regarding this advisory, please contact the WRC.